Bug 453836 - selinux prevents tor from binding to a port to listen incoming connections
Summary: selinux prevents tor from binding to a port to listen incoming connections
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: i686
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-07-02 20:26 UTC by pobbz
Modified: 2008-07-03 15:40 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-02 21:58:14 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description pobbz 2008-07-02 20:26:44 UTC 
Summary:

SELinux is preventing the tor (tor_t) from binding to port 17748.

Detailed Description:

SELinux has denied the tor from binding to a network port 17748 which does not
have an SELinux type associated with it. If tor is supposed to be allowed to
listen on this port, you can use the semanage command to add this port to a port
type that tor_t can bind to. semanage port -l will list all port types. Please
file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against
the selinux-policy package. If tor is not supposed to bind to this port, this
could signal a intrusion attempt. If this system is running as an NIS Client,
turning on the allow_ypbind boolean, may fix the problem. setsebool -P
allow_ypbind=1.

Allowing Access:

If you want to allow tor to bind to this port semanage port -a -t PORT_TYPE -p
PROTOCOL 17748 Where PORT_TYPE is a type that tor_t can bind and PROTOCOL is udp
or tcp.

Additional Information:

Source Context                unconfined_u:system_r:tor_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Source                        tor
Source Path                   /usr/bin/tor
Port                          17748
Host                          athlonxp.ring-0
Source RPM Packages           tor-core-0.1.2.19-1.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-72.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   bind_ports
Host Name                     athlonxp.ring-0
Platform                      Linux athlonxp.ring-0 2.6.25.9-76.fc9.i686 #1 SMP
                              Fri Jun 27 16:14:35 EDT 2008 i686 athlon
Alert Count                   2
First Seen                    Wed 02 Jul 2008 11:15:26 PM EEST
Last Seen                     Wed 02 Jul 2008 11:16:15 PM EEST
Local ID                      9f071148-d2bc-438d-8aec-9f6aae2969ec
Line Numbers                  

Raw Audit Messages            

host=athlonxp.ring-0 type=AVC msg=audit(1215029775.797:115): avc:  denied  {
name_bind } for  pid=28423 comm="tor" src=17748
scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:port_t:s0
tclass=tcp_socket

host=athlonxp.ring-0 type=SYSCALL msg=audit(1215029775.797:115): arch=40000003
syscall=102 success=no exit=-13 a0=2 a1=bff6be80 a2=7 a3=8e462e0 items=0
ppid=28422 pid=28423 auid=500 uid=494 gid=490 euid=494 suid=494 fsuid=494
egid=490 sgid=490 fsgid=490 tty=(none) ses=2 comm="tor" exe="/usr/bin/tor"
subj=unconfined_u:system_r:tor_t:s0 key=(null)
Comment 1 pobbz 2008-07-02 21:58:14 UTC 
Sorry. The default tor ports (9001, 9030, 9050) seem to have the SElinux port
type of "tor_port_t" and binding to those work. As I was trying to bind to a
non-standard tor port (17748), this behaviour can be expected. I'm marking this
 NOTABUG.
Comment 2 Daniel Walsh 2008-07-03 15:40:26 UTC 
If you want to use the non standard port you can,

semanage port -a -t tor_port_t -P tcp 17748
Note You need to log in before you can comment on or make changes to this bug.