Description of problem:
SELinux policy is preventing the Tor service from being started (default config). (Tor can be run as a normal user.)

Version-Release number of selected component (if applicable):
tor-core-0.1.2.19-1.fc9
selinux-policy-3.3.1-35.fc9

How reproducible:
Always

Steps to Reproduce:
1. As root: # service tor start

Actual results:
Starting /usr/bin/tor: Apr 18 08:45:38.419 [notice] Tor v0.1.2.19. This is experimental software. Do not rely on it for strong anonymity.
Apr 18 08:45:38.486 [warn] Error setting groups: Operation not permitted
Apr 18 08:45:38.492 [warn] Failed to parse/validate config: Problem with User or Group value. See logs for details.
Apr 18 08:45:38.500 [err] Reading config failed--see warnings above.
[FAILED]

AVC denial: SELinux is preventing tor (tor_t) "setuid" to <Unknown> (tor_t)

Expected results:
Tor starts OK

Additional info:
From SELinux troubleshooter:

Summary
SELinux is preventing tor (tor_t) "setuid" to <Unknown> (tor_t).

Detailed Description
SELinux denied access requested by tor. It is not expected that this access is required by tor and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ. Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context: unconfined_u:system_r:tor_t:s0
Target Context: unconfined_u:system_r:tor_t:s0
Target Objects: None [ capability ]
Source: tor
Source Path: /usr/bin/tor
Port: <Unknown>
Host: localhost.localdomain
Source RPM Packages: tor-core-0.1.2.19-1.fc9
Target RPM Packages:
Policy RPM: selinux-policy-3.3.1-35.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: localhost.localdomain
Platform: Linux localhost.localdomain 2.6.25-0.234.rc9.git1.fc9.i686 #1 SMP Tue Apr 15 18:37:15 EDT 2008 i686 athlon
Alert Count: 1
First Seen: Wed 16 Apr 2008 11:56:02 BST
Last Seen: Fri 18 Apr 2008 08:35:11 BST
Local ID: 783e3e69-497f-479a-ad57-090c21704df0
Line Numbers:

Raw Audit Messages:
host=localhost.localdomain type=AVC msg=audit(1208504111.305:27): avc: denied { setuid } for pid=3074 comm="tor" capability=7 scontext=unconfined_u:system_r:tor_t:s0 tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
host=localhost.localdomain type=SYSCALL msg=audit(1208504111.305:27): arch=40000003 syscall=213 success=no exit=-1 a0=1ee a1=681934 a2=95c50f0 a3=bfdade60 items=0 ppid=3073 pid=3074 auid=500 uid=0 gid=491 euid=0 suid=0 fsuid=0 egid=491 sgid=491 fsgid=491 tty=(none) ses=1 comm="tor" exe="/usr/bin/tor" subj=unconfined_u:system_r:tor_t:s0 key=(null)

From torrc: (default config)
Group toranon
User toranon

Group and user both exist.
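The troubleshooter's "generate a local policy module" route, shown as an added example that is not part of the bug report or of the selinux-policy package: a small POSIX sh script parses the AVC record quoted above (a constructed copy of it is embedded), cross-checks the capability number against the denied permission, and emits the allow rule and the module source that checkmodule/semodule_package would build, as a stop-gap until the fixed policy is installed. The module name local_tor is an assumption.

```shell
#!/bin/sh
# Added example: derive a local policy module from one AVC record, the way
# audit2allow does. Not code from the bug report or from selinux-policy.

# Constructed copy of the AVC record quoted in the report.
AVC_LINE='type=AVC msg=audit(1208504111.305:27): avc: denied { setuid } for pid=3074 comm="tor" capability=7 scontext=unconfined_u:system_r:tor_t:s0 tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability'

# Extract one key=value field from an audit record.
avc_field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# The permission set between the braces of "denied { ... }".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# Type is the third field of a user:role:type:level context.
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Capability numbers from <linux/capability.h>; only those relevant here.
cap_name() {
  case "$1" in 6) echo setgid ;; 7) echo setuid ;; *) echo "cap_$1" ;; esac
}

# Sanity check: capability=N in the record must name the denied permission.
avc_capability_matches() {
  [ "$(cap_name "$(avc_field capability "$1")")" = "$(avc_perms "$1")" ]
}

# Build the TE allow rule; a target equal to the source becomes "self".
avc_to_allow() {
  stype=$(context_type "$(avc_field scontext "$1")")
  ttype=$(context_type "$(avc_field tcontext "$1")")
  [ "$stype" = "$ttype" ] && ttype=self
  printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$(avc_field tclass "$1")" "$(avc_perms "$1")"
}

# Wrap the rule in module source (local_tor.te, assumed name). Build and load:
#   checkmodule -M -m -o local_tor.mod local_tor.te
#   semodule_package -o local_tor.pp -m local_tor.mod
#   semodule -i local_tor.pp
avc_to_module() {
  stype=$(context_type "$(avc_field scontext "$1")")
  printf 'module local_tor 1.0;\n\nrequire {\n\ttype %s;\n\tclass %s { %s };\n}\n\n%s' \
    "$stype" "$(avc_field tclass "$1")" "$(avc_perms "$1")" "$(avc_to_allow "$1")"
}

avc_to_module "$AVC_LINE"
```

On a live system the same rule comes from `ausearch -m avc -c tor | audit2allow -M local_tor`; the hand-rolled parser is only there to show what that tool extracts from the record.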
reassigning from tor to selinux-policy...
Fixed in selinux-policy-3.3.1-37.fc9