Description of problem: SELinux is preventing /usr/bin/tor from 'name_bind' accesses on the tcp_socket . ***** Plugin catchall (100. confidence) suggests *************************** If you believe that tor should be allowed name_bind access on the tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep tor /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:tor_t:s0 Target Context system_u:object_r:hplip_port_t:s0 Target Objects [ tcp_socket ] Source tor Source Path /usr/bin/tor Port 9100 Host (removed) Source RPM Packages tor-core-0.2.2.39-1700.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-167.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.7.3-101.fc17.x86_64 #1 SMP Fri Jan 18 17:40:57 UTC 2013 x86_64 x86_64 Alert Count 6 First Seen 2013-02-28 11:09:25 EST Last Seen 2013-02-28 11:09:26 EST Local ID a9208326-4858-4522-ac3a-54459eec2e7b Raw Audit Messages type=AVC msg=audit(1362067766.400:2523): avc: denied { name_bind } for pid=22741 comm="tor" src=9100 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:hplip_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1362067766.400:2523): arch=x86_64 syscall=bind success=no exit=EACCES a0=7 a1=1d1e520 a2=10 a3=7fff58a1b2ec items=0 ppid=1 pid=22741 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=tor exe=/usr/bin/tor subj=system_u:system_r:tor_t:s0 key=(null) Hash: tor,tor_t,hplip_port_t,tcp_socket,name_bind audit2allow #============= tor_t ============== #!!!! This avc can be allowed using the boolean 'tor_bind_all_unreserved_ports' allow tor_t hplip_port_t:tcp_socket name_bind; audit2allow -R #============= tor_t ============== #!!!! This avc can be allowed using the boolean 'tor_bind_all_unreserved_ports' allow tor_t hplip_port_t:tcp_socket name_bind; Additional info: hashmarkername: setroubleshoot kernel: 3.7.3-101.fc17.x86_64 type: libreport
You either need to run custom policy using audit2allow or turn on the boolean. SELinux is preventing /usr/bin/tor from name_bind access on the tcp_socket . ***** Plugin catchall_boolean (89.3 confidence) suggests ******************* If you want to determine whether tor can bind tcp sockets to all unreserved ports. Then you must tell SELinux about this by enabling the 'tor_bind_all_unreserved_ports' boolean. You can read 'tor_selinux' man page for more details. Do setsebool -P tor_bind_all_unreserved_ports 1 Not sure why your bug report did not tell you this.
Why is this NOTABUG? Got the same problem today and according to the message itself this should be reported as a bug. ~~~~~ SELinux is preventing /usr/bin/tor from name_bind access on the tcp_socket . ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to determine whether tor can bind tcp sockets to all unreserved ports. Then you must tell SELinux about this by enabling the 'tor_bind_all_unreserved_ports' boolean. You can read 'tor_selinux' man page for more details. Do setsebool -P tor_bind_all_unreserved_ports 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that tor should be allowed name_bind access on the tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep tor /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
You have a boolean to allow this, We do not want to allow it out of the box. setsebool -P tor_bind_all_unreserved_ports 1
If one installs (and runs) tor, this is needed to run tor. Why should we ship software that doesn't work out of the box because it is not correctly configured? Would it do any harm to something else if we changed that?
My understanding is that tor out of the box uses sepolicy network -t tor_port_t tor_port_t: tcp: 6969,9001,9030,9050,9051,9150 These ports. After googling around I found that tor does use port 9100 by default even though it is listed as hp printer port. grep 9100 /etc/services jetdirect 9100/tcp laserjet hplj hp-pdl-datastr pdl-datastream hp-pdl-datastr 9100/udp pdl-datastream # PDL Data Streaming Port I have added a rule to allow tor to use hplip_port_t ports. b2242ec9a849fa6b7f7172fd9a5d0d66fb22c4c3 in git.
Of course this bug report is on F17, which is no longer supported. Moving to F19
What tor uses (according to default Fedora config file, see https://gitweb.torproject.org/tor.git/blob/HEAD:/src/config/torrc.sample.in for source) by default (LISTEN) 9050 and/or 9100 as SocksPort (optional) 9051 as ControlPort (optional) 80, 443, 22 as Hidden service (optional) 9001, 9090 as ORPort (one of them is required) 80, 9030, 9091 as DirPort (optional) plus some more ports beyond 30k (?) for incoming connections (not LISTENing). I think tor should by default be allowed to bind to all of those 9xyz ports given in default config file. I don't know whether tor should be allowed to bind to 80 (HTTP), 443 (HTTPS), 22 (SSH) by default.
back ported to F19.
selinux-policy-3.12.1-74.17.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.17.fc19
Package selinux-policy-3.12.1-74.17.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.17.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-0636/selinux-policy-3.12.1-74.17.fc19 then log in and leave karma (feedback).
selinux-policy-3.12.1-74.17.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.