Description of problem: Tor supports 'pluggable transports', and a common method to use them is to configure tor to run the plugin, which is a regular binary (e.g. obfs4proxy). However, the default SELinux policy doesn't allow tor to run any binaries, and I didn't find any suitable label to make it work. Using the audit2allow command, I created the following policy which enables tor to run any binaries:

----------------------------------------------
module my-tor 1.0;

require {
	type tor_t;
	type bin_t;
	class file { execute execute_no_trans };
}

#============= tor_t ==============
allow tor_t bin_t:file { execute execute_no_trans };
----------------------------------------------

Anyway, we need a way to let tor run its pluggable transports. Either the above policy should be added to selinux-policy-targeted or a new tor-selinux package, or we should be able to use a special SELinux label on the binaries which we want tor to be able to run.
I'm going to add obfs4 transport to Fedora. This bug should be fixed so that this package will function properly when SELinux is enabled.
The package is on its way to the repositories. For now, I've created a COPR package with the above policy, but I hope it'll be properly fixed in Fedora soon.
Apparently, in Fedora 27 it also needs the 'map' permission:

SELinux is preventing obfs4proxy from 'map' accesses on the file /usr/bin/obfs4proxy.

Additional Information:
Source Context                system_u:system_r:tor_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/obfs4proxy [ file ]
Source                        obfs4proxy
Source Path                   obfs4proxy
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           obfs4-0.0.7-1.fc27.x86_64
Policy RPM                    selinux-policy-3.13.1-283.10.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.13.8-300.fc27.x86_64 #1 SMP Wed Oct 18 15:32:19 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-10-22 01:34:42 +0330
Last Seen                     2017-10-22 01:34:42 +0330
Local ID                      f3e71023-f57e-4485-a67d-68293fb0a9fb

Raw Audit Messages
type=AVC msg=audit(1508623482.392:509): avc: denied { map } for pid=9778 comm="obfs4proxy" path="/usr/bin/obfs4proxy" dev="sda9" ino=1744533 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

Hash: obfs4proxy,tor_t,bin_t,file,map
If there is anything missing from the report, please let me know.
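As an added illustration (not code from this report, from Fedora, or from audit2allow itself), the following Python script does what audit2allow did in the first comment: it parses raw AVC denial lines like the one quoted above and folds them into one .te module. The first sample line is the 'map' denial from this report; the second, for execute/execute_no_trans, is constructed to match the first comment's policy.

```python
import re
from collections import OrderedDict

# Constructed sample input: the 'map' denial quoted in the report plus an
# execute/execute_no_trans denial of the same shape (assumed, not from the page).
SAMPLE_AVC = """\
type=AVC msg=audit(1508623482.392:509): avc: denied { map } for pid=9778 comm="obfs4proxy" path="/usr/bin/obfs4proxy" dev="sda9" ino=1744533 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1508623400.100:500): avc: denied { execute execute_no_trans } for pid=9770 comm="tor" path="/usr/bin/obfs4proxy" dev="sda9" ino=1744533 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Yield (source_type, target_type, tclass, set_of_perms) for each denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line, skip it
        stype = m.group("scon").split(":")[2]  # user:role:type:level -> type
        ttype = m.group("tcon").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())

def build_module(text, name="my-tor", version="1.0"):
    """Merge denials with the same (source, target, class) and render a .te module."""
    rules = OrderedDict()
    for stype, ttype, tclass, perms in parse_avc(text):
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
    types, classes = [], OrderedDict()
    for (stype, ttype, tclass), perms in rules.items():
        for t in (stype, ttype):
            if t not in types:
                types.append(t)
        classes.setdefault(tclass, set()).update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in classes.items()]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in rules.items():
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_module(SAMPLE_AVC))
```

Build and load the result with checkmodule -M -m -o my-tor.mod my-tor.te, semodule_package -o my-tor.pp -m my-tor.mod and semodule -i my-tor.pp; as the report itself notes, the resulting rule lets tor_t execute every bin_t file, so review the generated allow rules before loading them rather than installing whatever the denials suggest.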
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'.
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.
selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726
selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.