Bug 443018 - SELinux is preventing tor (tor_t) "setuid" to <Unknown> (tor_t)
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Platform: i686 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Blocks: F9Target
Reported: 2008-04-18 03:58 EDT by John Chivall
Modified: 2008-04-20 07:28 EDT
Doc Type: Bug Fix
Last Closed: 2008-04-20 07:28:43 EDT

Attachments: None
Description John Chivall 2008-04-18 03:58:45 EDT
Description of problem:
SELinux policy is preventing the Tor service from being started (default config).

(Tor can be run as normal user)

Version-Release number of selected component (if applicable):
tor-core-0.1.2.19-1.fc9
selinux-policy-3.3.1-35.fc9

How reproducible:
Always

Steps to Reproduce:
1. As root:
   # service tor start
  
Actual results:

Starting /usr/bin/tor: Apr 18 08:45:38.419 [notice] Tor v0.1.2.19. This is
experimental software. Do not rely on it for strong anonymity.
Apr 18 08:45:38.486 [warn] Error setting groups: Operation not permitted
Apr 18 08:45:38.492 [warn] Failed to parse/validate config: Problem with User or
Group value. See logs for details.
Apr 18 08:45:38.500 [err] Reading config failed--see warnings above.
                                                           [FAILED]

AVC denial: SELinux is preventing tor (tor_t) "setuid" to <Unknown> (tor_t)

Expected results:
Tor starts OK

Additional info:

From SELinux troubleshooter:
Summary
SELinux is preventing tor (tor_t) "setuid" to <Unknown> (tor_t).
Detailed Description
SELinux denied access requested by tor. It is not expected that this access is
required by tor and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access. 
Allowing Access
You can generate a local policy module to allow this access - see FAQ Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a bug report against this package. 
Additional Information
Source Context:  unconfined_u:system_r:tor_t:s0
Target Context:  unconfined_u:system_r:tor_t:s0
Target Objects:  None [ capability ]
Source:  tor
Source Path:  /usr/bin/tor
Port:  <Unknown>
Host:  localhost.localdomain
Source RPM Packages:  tor-core-0.1.2.19-1.fc9
Target RPM Packages:  
Policy RPM:  selinux-policy-3.3.1-35.fc9
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.25-0.234.rc9.git1.fc9.i686 #1 SMP Tue
Apr 15 18:37:15 EDT 2008 i686 athlon
Alert Count:  1
First Seen:  Wed 16 Apr 2008 11:56:02 BST
Last Seen:  Fri 18 Apr 2008 08:35:11 BST
Local ID:  783e3e69-497f-479a-ad57-090c21704df0
Line Numbers:  
Raw Audit Messages :

host=localhost.localdomain type=AVC msg=audit(1208504111.305:27): avc: denied {
setuid } for pid=3074 comm="tor" capability=7
scontext=unconfined_u:system_r:tor_t:s0 tcontext=unconfined_u:system_r:tor_t:s0
tclass=capability 

host=localhost.localdomain type=SYSCALL msg=audit(1208504111.305:27):
arch=40000003 syscall=213 success=no exit=-1 a0=1ee a1=681934 a2=95c50f0
a3=bfdade60 items=0 ppid=3073 pid=3074 auid=500 uid=0 gid=491 euid=0 suid=0
fsuid=0 egid=491 sgid=491 fsgid=491 tty=(none) ses=1 comm="tor"
exe="/usr/bin/tor" subj=unconfined_u:system_r:tor_t:s0 key=(null) 

From torrc: (default config)
Group toranon
User  toranon

Group and user both exist.
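To make a denial like the one quoted above quicker to triage, here is an added example (not from the report or from Fedora's setroubleshoot/audit2allow code) that parses the AVC/SYSCALL record pair, decodes capability=7 and i386 syscall 213, and returns the allow rule audit2allow would derive; the log lines are a constructed copy of those above, and the capability and syscall tables are small subsets included for illustration.

```python
import re

# Constructed copy of the AVC and SYSCALL records quoted in the report above, rejoined onto single lines.
AUDIT_LOG = [
    'host=localhost.localdomain type=AVC msg=audit(1208504111.305:27): avc: denied '
    '{ setuid } for pid=3074 comm="tor" capability=7 '
    'scontext=unconfined_u:system_r:tor_t:s0 tcontext=unconfined_u:system_r:tor_t:s0 '
    'tclass=capability',
    'host=localhost.localdomain type=SYSCALL msg=audit(1208504111.305:27): '
    'arch=40000003 syscall=213 success=no exit=-1 a0=1ee a1=681934 a2=95c50f0 '
    'a3=bfdade60 items=0 ppid=3073 pid=3074 auid=500 uid=0 gid=491 euid=0 suid=0 '
    'fsuid=0 egid=491 sgid=491 fsgid=491 tty=(none) ses=1 comm="tor" '
    'exe="/usr/bin/tor" subj=unconfined_u:system_r:tor_t:s0 key=(null)',
]
# Small subsets of linux/capability.h and of the i386 syscall table (arch=40000003 is AUDIT_ARCH_I386).
CAPABILITIES = {0: "CAP_CHOWN", 6: "CAP_SETGID", 7: "CAP_SETUID", 12: "CAP_NET_ADMIN"}
I386_SYSCALLS = {23: "setuid", 46: "setgid", 81: "setgroups", 206: "setgroups32", 213: "setuid32", 214: "setgid32"}


def parse_audit_record(line):
    """Split one audit record into a dict of its key=value fields, plus the list of denied permissions."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    denied = re.search(r'denied \{ ([^}]*) \}', line)
    if denied:
        fields["denied"] = denied.group(1).split()
    return fields


def summarize(lines):
    """Pair each AVC record with its SYSCALL record (same audit event id) and decode the denial."""
    events = {}
    for line in lines:
        rec = parse_audit_record(line)
        eid = re.search(r'audit\(([^)]+)\)', rec["msg"]).group(1)
        events.setdefault(eid, {})[rec["type"]] = rec
    out = []
    for eid, by_type in events.items():
        avc, sc = by_type.get("AVC"), by_type.get("SYSCALL", {})
        if avc is None:
            continue
        stype, ttype = (c.split(":")[2] for c in (avc["scontext"], avc["tcontext"]))
        target = "self" if avc["scontext"] == avc["tcontext"] else ttype  # same context: domain acts on itself
        d = avc.get("denied", [])
        perms = d[0] if len(d) == 1 else "{ " + " ".join(d) + " }"
        s = {"event": eid, "comm": avc.get("comm"), "exe": sc.get("exe"), "denied": d,
             "rule": f"allow {stype} {target}:{avc['tclass']} {perms};"}  # the rule audit2allow would print
        if avc["tclass"] == "capability":  # decode the numeric capability, e.g. 7 -> CAP_SETUID
            s["capability"] = CAPABILITIES.get(int(avc["capability"]), "capability " + avc["capability"])
        if sc.get("arch") == "40000003":  # decode the refused i386 syscall, e.g. 213 -> setuid32
            s["syscall"] = I386_SYSCALLS.get(int(sc["syscall"]), "syscall " + sc["syscall"])
        out.append(s)
    return out
```

Run against the records above, the summary shows a tor_t process denied CAP_SETUID on itself while calling setuid32, which is the privilege drop to the toranon user that the torrc requests.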
Comment 1 Enrico Scholz 2008-04-18 05:37:51 EDT
reassigning from tor to selinux-policy...
Comment 4 Daniel Walsh 2008-04-20 07:28:43 EDT
Fixed in selinux-policy-3.3.1-37.fc9


