Bug 454142 - SELinux is preventing the tor (tor_t) from binding to port 9051.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: i686 Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-07-05 06:08 EDT by John Chivall
Modified: 2008-11-17 17:05 EST
Last Closed: 2008-11-17 17:05:01 EST
Description John Chivall 2008-07-05 06:08:21 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061712 Fedora/3.0-1.fc9 Firefox/3.0

Description of problem:
From selinux troubleshooter:

SELinux has denied the tor from binding to a network port 9051 which does not have an SELinux type associated with it. If tor is supposed to be allowed to listen on this port, you can use the semanage command to add this port to a port type that tor_t can bind to. semanage port -l will list all port types. 
Please file a bug report against the selinux-policy package. If tor is not supposed to bind to this port, this could signal a intrusion attempt. If this system is running as an NIS Client, turning on the allow_ypbind boolean, may fix the problem. setsebool -P allow_ypbind=1.

Allowing Access
If you want to allow tor to bind to this port

semanage port -a -t PORT_TYPE -p PROTOCOL 9051

Where PORT_TYPE is a type that tor_t can bind and PROTOCOL is udp or tcp.

Additional Information
Source Context:  unconfined_u:system_r:tor_t:s0
Target Context:  system_u:object_r:port_t:s0
Target Objects:  None [ tcp_socket ]
Source:  tor
Source Path:  /usr/bin/tor
Port:  9051
Host:  localhost.localdomain
Source RPM Packages:  tor-core-0.1.2.19-1.fc9
Target RPM Packages:  
Policy RPM:  selinux-policy-3.3.1-74.fc9
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  bind_ports
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.25.9-76.fc9.i686 #1 SMP Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count:  2
First Seen:  Wed 02 Jul 2008 11:16:04 BST
Last Seen:  Sat 05 Jul 2008 10:32:59 BST
Local ID:  2e6109d9-09ac-4c35-a8bf-ac9a9bad565d
Line Numbers:  
Raw Audit Messages:

host=localhost.localdomain type=AVC msg=audit(1215250379.734:25): avc: denied { name_bind } for pid=2729 comm="tor" src=9051 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

host=localhost.localdomain type=SYSCALL msg=audit(1215250379.734:25): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf817180 a2=8 a3=9ed13b0 items=0 ppid=1 pid=2729 auid=500 uid=494 gid=489 euid=494 suid=494 fsuid=494 egid=489 sgid=489 fsgid=489 tty=(none) ses=1 comm="tor" exe="/usr/bin/tor" subj=unconfined_u:system_r:tor_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-74.fc9

How reproducible:
Always


Steps to Reproduce:
1. Edit /etc/tor/torrc to uncomment the line:
ControlPort 9051

2. (as root) service tor start




Actual Results:
Tor fails to start - cannot bind to control port
SELinux denial.

Starting tor as normal user works fine.

Expected Results:
Tor should be able to bind to TCP port 9051 to listen for control messages from a local control application like Vidalia or TorK.

Additional info:
Fixed the problem by:
semanage port -a -t tor_port_t -p tcp 9051

But shouldn't this be in the default policy?
Comment 1 Daniel Walsh 2008-08-01 11:21:59 EDT
Fixed in selinux-policy-3.3.1-83.fc9.noarch
Comment 2 Daniel Walsh 2008-11-17 17:05:01 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
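
Added example (not part of the original report, and not code from selinux-policy or setroubleshoot): a Python triage helper that pulls name_bind denials out of audit records, joins each to its SYSCALL record, and flags ports that only carry the generic port_t label, which is the situation in this bug. The sample input is the pair of records quoted in the description; the function names are this example's own, and PORT_TYPE is left as the placeholder used in the troubleshooter text.

```python
import re

# Input: the two audit records quoted in the report above, one per line.
SAMPLE = '''\
host=localhost.localdomain type=AVC msg=audit(1215250379.734:25): avc: denied { name_bind } for pid=2729 comm="tor" src=9051 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
host=localhost.localdomain type=SYSCALL msg=audit(1215250379.734:25): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf817180 a2=8 a3=9ed13b0 items=0 ppid=1 pid=2729 auid=500 uid=494 gid=489 euid=494 suid=494 fsuid=494 egid=489 sgid=489 fsgid=489 tty=(none) ses=1 comm="tor" exe="/usr/bin/tor" subj=unconfined_u:system_r:tor_t:s0 key=(null)
'''

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(line):
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def name_bind_denials(log_text):
    """Return one dict per denied name_bind, joined to its SYSCALL record."""
    avcs, syscalls = [], {}
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        kv = fields(line)
        perms = PERMS.search(line)
        if kv.get("type") == "SYSCALL":
            syscalls[m.group(1)] = kv  # same timestamp:serial as the AVC
        elif perms and "name_bind" in perms.group(1).split():
            avcs.append((m.group(1), kv))
    found = []
    for event, kv in avcs:
        sc = syscalls.get(event, {})
        port_type = kv["tcontext"].split(":")[2]
        found.append({
            "event": event, "exe": sc.get("exe"), "uid": sc.get("uid"),
            "port": int(kv["src"]),
            "proto": kv["tclass"].split("_")[0],  # tcp_socket -> tcp
            "domain": kv["scontext"].split(":")[2],
            "port_type": port_type,
            # generic port_t: policy gives this port no specific type
            "unlabeled": port_type == "port_t",
        })
    return found

def semanage_hint(d):
    """Command template from the report; PORT_TYPE stays for the admin to choose."""
    if not d["unlabeled"]:
        return None  # port already has a specific type; nothing to add
    return f"semanage port -a -t PORT_TYPE -p {d['proto']} {d['port']}"
```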
