Description of problem:
Upgrade to F18 causes new issue with TOR service and Selinux default policies.

SELinux is preventing /usr/bin/tor from 'name_bind' accesses on the tcp_socket .

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow tor daemon to bind tcp sockets to all unreserved ports.
Then you must tell SELinux about this by enabling the 'tor_bind_all_unreserved_ports' boolean.
You can read 'hplip_selinux' man page for more details.
Do
setsebool -P tor_bind_all_unreserved_ports 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that tor should be allowed name_bind access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep tor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tor_t:s0
Target Context                system_u:object_r:hplip_port_t:s0
Target Objects                [ tcp_socket ]
Source                        tor
Source Path                   /usr/bin/tor
Port                          9100
Host                          (removed)
Source RPM Packages           tor-0.2.3.25-1802.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-98.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.10.4-100.fc18.x86_64 #1 SMP Thu Aug 1 21:13:27 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-08-13 14:20:34 EDT
Last Seen                     2013-08-13 14:20:34 EDT
Local ID                      ddc316d9-4960-468e-a0f5-5679b374b709

Raw Audit Messages
type=AVC msg=audit(1376418034.879:1479): avc:  denied  { name_bind } for  pid=830 comm="tor" src=9100 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:hplip_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1376418034.879:1479): arch=x86_64 syscall=bind success=yes exit=0 a0=7 a1=7fcf84703580 a2=10 a3=7fff91882764 items=0 ppid=1 pid=830 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=tor exe=/usr/bin/tor subj=system_u:system_r:tor_t:s0 key=(null)

Hash: tor,tor_t,hplip_port_t,tcp_socket,name_bind

audit2allow

#============= tor_t ==============

#!!!! This avc can be allowed using the boolean 'tor_bind_all_unreserved_ports'
allow tor_t hplip_port_t:tcp_socket name_bind;

audit2allow -R

require {
	type tor_t;
}

#============= tor_t ==============
corenet_tcp_bind_hplip_port(tor_t)

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.10.4-100.fc18.x86_64
type:           libreport

Potential duplicate: bug 916674
Looks like there is a boolean for this, listed in the alert.

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow tor daemon to bind tcp sockets to all unreserved ports.
Then you must tell SELinux about this by enabling the 'tor_bind_all_unreserved_ports' boolean.
You can read 'hplip_selinux' man page for more details.
Do
setsebool -P tor_bind_all_unreserved_ports 1
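The alert offers two fixes with very different scope: the boolean lets tor_t bind every unreserved port, while the audit2allow module allows only the tor_t / hplip_port_t pair; a third option, choosing a port that is already labelled for Tor, needs no policy change at all. The script below is an added example, not part of the bug report or of the Fedora SELinux policy: it parses an AVC record (the one from this report, embedded as a constructed sample), extracts the fields that decide the fix, prints the three options narrowest first, and generates the minimal .te module. The function names (avc_field, avc_perm, ctx_type, te_module, explain) and the module name it derives from the two types are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the bug report: parse one AVC record, pull out the
# fields that decide the fix, and print the fix options narrowest first.
# Function names and the generated module name are this example's own choices.

# Constructed sample: the AVC record from the report, joined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1376418034.879:1479): avc: denied { name_bind } for pid=830 comm="tor" src=9100 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:hplip_port_t:s0 tclass=tcp_socket'

# avc_field RECORD NAME -> value of " NAME=..." in RECORD, empty if absent.
# Requiring a blank before NAME keeps "tcontext=" from matching "scontext=".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm RECORD -> the permission(s) listed inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT -> the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# te_module NAME SRC_TYPE TGT_TYPE CLASS PERM -> policy source that allows
# exactly this one access, the same rule "audit2allow -M NAME" would emit.
te_module() {
    cat <<EOF
module $1 1.0;

require {
    type $2;
    type $3;
    class $4 $5;
}

allow $2 $3:$4 $5;
EOF
}

# explain RECORD -> the denial in plain words, then the fix options.
explain() {
    port=$(avc_field "$1" src)
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    class=$(avc_field "$1" tclass)
    perm=$(avc_perm "$1")
    mod="${stype}_${ttype}"
    printf '%s wants %s on tcp port %s, which policy labels %s (class %s)\n\n' \
        "$stype" "$perm" "$port" "$ttype" "$class"
    cat <<EOF
1. No policy change: configure Tor to listen on a port whose label tor_t may
   already bind. List those ports with:  semanage port -l | grep tor_port_t
2. Narrow change: allow only $stype on $ttype. Save the module printed below
   as $mod.te, then build and load it:
     checkmodule -M -m -o $mod.mod $mod.te
     semodule_package -o $mod.pp -m $mod.mod
     semodule -i $mod.pp
   This is tied to the label $ttype; moving Tor to a port with another
   label needs another module.
3. Broad change: setsebool -P tor_bind_all_unreserved_ports 1 lets $stype
   bind every unreserved port, not only $port. It is the alert's top
   suggestion, but it grants far more than this one denial needs.

EOF
    te_module "$mod" "$stype" "$ttype" "$class" "$perm"
}

explain "$SAMPLE_AVC"
```

The SYSCALL record in the report shows success=yes because the host was in Permissive mode, so the bind went through and the AVC is the only trace; in Enforcing mode the same bind() call fails and Tor cannot open the listener, which is why the fix should be chosen before switching modes. Prefer option 1 or 2 on a host where Tor is the only reason to touch policy; the boolean is the right tool only when Tor's ports change often.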