tor: dac_override, dac_read_search, name_bind and net_bind_service

David P. Quigley dpquigl at tycho.nsa.gov
Mon Jul 19 22:07:11 UTC 2010


On Mon, 2010-07-19 at 20:29 +0100, Mr Dash Four wrote:
> Some progress made:
> 
> dac_override and dac_read_search AVCs:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> These were triggered by wrong file/directory permission settings (too 
> restrictive - 600/700 not allowing 'root' access to these as the uid/gid 
> were not 'root'). I have corrected these by changing the group ids to 
> include root (uid: root, gid: ___tor). When this was done the above 2 
> AVCs were gone - forever.
> In order to find out what was causing these I had to switch on more 
> detailed auditd logging with "auditctl -a exit,always -F dir=/apps" and 
> "auditctl -a exit,always -F dir=/usr" to see what was happening - a very 
> handy auditd feature, and it solved the above issues as it logged every 
> syscall made to the above 2 directories (recursively!), enabling me to 
> see what went wrong.
> 
> name_bind AVC:
> ~~~~~~~~~~~~
> I also know how to correct the name_bind AVC, though the issue I have is 
> that this should be a permanent setting in the targeted policy (tor.te) 
> as the new version of tor (2.x) has its own dns resolving capabilities 
> and needs access/binding to udp/53. The policy makers of the 'targeted' 
> policy should be made aware of this.
> 
> net_bind_service AVC:
> ~~~~~~~~~~~~~~~~
> Here is my last query: the net_bind_service capability (allowing binding to 
> ports < 1024) is also needed by tor's dns resolution service, though I 
> need to know whether there is a way to specify only port 53, as that is what is 
> needed by tor (tor does NOT need to bind to any other privileged port(s) 
> other than udp/53)?

If you just want tor to bind to the dns port, use these interfaces:

corenet_tcp_bind_dns_port(tor_t)
corenet_udp_bind_dns_port(tor_t)

Considering these interfaces contain the net_bind_service cap, it seems
like you will have to include it. However, that isn't a concern since the
statement here will only allow tor to bind to ports labeled dns_port_t,
in this case tcp/udp 53. If you don't want tcp, just include the second
of the two interfaces only.

> 
> I can get away without the above 2 AVCs provided I specify DNS 
> resolution to be done on unprivileged ports (say udp/5053 for example), 
> though I don't know how this is going to be done in practice as I have no 
> idea how to force Linux into accepting its DNS resolution to look for 
> ports other than 53 (as far as I know 'resolv.conf' allows only hosts to 
> be specified, no ports - 53 is the assumed DNS resolution port and that, 
> as far as I know, cannot be changed).
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
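The triage logic the two posters arrive at above (fix ownership for dac_override/dac_read_search, use the corenet_*_bind_dns_port interfaces for name_bind on dns_port_t, and treat net_bind_service as already covered by those interfaces) can be written down as a small audit-log helper. The following is an added example, not code from the thread or from the SELinux reference policy: it parses AVC denial lines, sorts each denial into one of those categories, and renders a minimal refpolicy-style .te module containing only the interface calls. The sample AVC lines, the module name `tor_local`, and the helper names `parse_avc`, `advise`, `triage` and `render_module` are all constructed for this example; the interface names `corenet_udp_bind_dns_port` / `corenet_tcp_bind_dns_port` and the types `tor_t` / `dns_port_t` are the ones named in the reply.

```python
import re

# Constructed sample AVC lines, modelled on the four denials discussed in the
# thread for a process running as tor_t. Not real log data.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1279562831.123:401): avc:  denied  { dac_override } for  pid=2104 comm="tor" capability=1  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability',
    'type=AVC msg=audit(1279562831.124:402): avc:  denied  { dac_read_search } for  pid=2104 comm="tor" capability=2  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability',
    'type=AVC msg=audit(1279562832.500:403): avc:  denied  { name_bind } for  pid=2104 comm="tor" src=53 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket',
    'type=AVC msg=audit(1279562832.501:404): avc:  denied  { net_bind_service } for  pid=2104 comm="tor" capability=10  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability',
]

# Matches the permission set, source/target contexts and object class of a denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Parse one AVC denial into perms, source type, target type and class.
    Returns None for lines that are not AVC denials (e.g. SYSCALL records)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; the type is the third field.
    return {
        'perms': m.group('perms').split(),
        'stype': m.group('scontext').split(':')[2],
        'ttype': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
    }


def advise(avc):
    """Map a parsed denial to (category, advice) following the thread's reasoning."""
    perms = set(avc['perms'])
    if avc['tclass'] == 'capability':
        if perms & {'dac_override', 'dac_read_search'}:
            # The daemon's uid/gid is excluded by file owner/mode: fix the files,
            # do not grant the capability in policy.
            return 'fix-permissions', f"{sorted(perms)}: check owner/group/mode of files {avc['stype']} touches"
        if 'net_bind_service' in perms:
            # Carried by the corenet_*_bind_dns_port interfaces; no separate rule.
            return 'covered-by-interface', 'net_bind_service: included by corenet_*_bind_dns_port'
    if 'name_bind' in perms and avc['ttype'] == 'dns_port_t':
        proto = {'udp_socket': 'udp', 'tcp_socket': 'tcp'}.get(avc['tclass'])
        if proto:
            return 'policy-interface', f"corenet_{proto}_bind_dns_port({avc['stype']})"
    return 'review', f"{sorted(perms)} on {avc['ttype']} ({avc['tclass']}): inspect manually"


def triage(lines):
    """Group advice for every AVC denial in the given log lines by category."""
    out = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        cat, advice = advise(avc)
        out.setdefault(cat, []).append(advice)
    return out


def render_module(lines, name='tor_local', version='1.0'):
    """Render a minimal refpolicy-style .te module with only the interface calls
    the denials justify (the hypothetical module name is a placeholder)."""
    calls = sorted(set(triage(lines).get('policy-interface', [])))
    types = sorted({c[c.index('(') + 1:-1] for c in calls})
    body = [f"policy_module({name}, {version})", ""]
    if types:
        body.append("require {")
        body += [f"\ttype {t};" for t in types]
        body += ["}", ""]
    body += calls
    return "\n".join(body) + "\n"


if __name__ == '__main__':
    for cat, items in triage(SAMPLE_AVCS).items():
        print(f"[{cat}]")
        for item in items:
            print("  ", item)
    print(render_module(SAMPLE_AVCS))
```

Run on the sample lines, the helper reports two permission problems to fix on disk, one denial already covered, and a single interface call, so the rendered module contains only `corenet_udp_bind_dns_port(tor_t)` (the reply's second interface), which is exactly the narrow grant the original poster was after.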
