What is the purpose of the dac_override and dac_read_search capabilities?
From what I can gather they allow unrestricted access to the file
system (not sure how secure that would be?).
I am getting two AVCs when trying to start tor (see logs below). SELinux
is in enforced mode (I switched it to permissive in order to get all the
alerts listed below). I looked at the source policy
(policy/modules/services/tor.te) and indeed these two capabilities are not
there (only setgid, setuid and sys_tty_config are allowed, from what I
can see). How healthy would it be if I added these two capabilities to tor.te?
===========================
type=AVC msg=audit(1278095042.156:12): avc: denied { dac_override }
for pid=1620 comm="tor" capability=1
scontext=unconfined_u:system_r:tor_t:s0
tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
type=AVC msg=audit(1278095042.156:12): avc: denied { dac_read_search }
for pid=1620 comm="tor" capability=2
scontext=unconfined_u:system_r:tor_t:s0
tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
===========================
I am also getting two other AVCs when tor is trying to bind to port
udp/53 (dns_port_t) and tcp/53. I need this to use tor as my DNS
resolution service on the local machine tor is running on. I can probably
prevent the first AVC by including "allow tor_t dns_port_t:tcp_socket
name_bind;" in tor.te, but how do I prevent the second one?
===========================
type=AVC msg=audit(1278095145.861:14): avc: denied { dac_override }
for pid=1634 comm="tor" capability=1
scontext=unconfined_u:system_r:tor_t:s0
tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
type=SYSCALL msg=audit(1278095145.861:14): arch=40000003 syscall=195
success=yes exit=0 a0=9e07088 a1=bfad5390 a2=55bff4 a3=0 items=0
ppid=1633 pid=1634 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=tty1 ses=1 comm="tor" exe="/usr/bin/tor"
subj=unconfined_u:system_r:tor_t:s0 key=(null)
type=AVC msg=audit(1278095145.958:15): avc: denied { name_bind } for
pid=1636 comm="tor" src=53 scontext=unconfined_u:system_r:tor_t:s0
tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1278095145.958:15): avc: denied { net_bind_service
} for pid=1636 comm="tor" capability=10
scontext=unconfined_u:system_r:tor_t:s0
tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
type=SYSCALL msg=audit(1278095145.958:15): arch=40000003 syscall=102
success=yes exit=0 a0=2 a1=bfad5260 a2=0 a3=9e1cba8 items=0 ppid=1
pid=1636 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=1 comm="tor" exe="/usr/bin/tor"
subj=unconfined_u:system_r:tor_t:s0 key=(null)
===========================
I am getting the above set when I place SELinux in Permissive mode
(setenforce 0). As is clear from the above, I am NOT getting
dac_read_search when SELinux is in Permissive mode. I am also not
getting the name_bind and net_bind_service AVCs when SELinux is in Enforced
mode, as obviously tor does not reach that far and terminates.
Help would be much appreciated!
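As an added example (not part of the original post), the following Python parser turns the AVC records quoted above into the allow rules that audit2allow would propose, grouping permissions per source/target/class and flagging the rules that grant capabilities so they can be reviewed separately from the port rule. The log text is the post's own records rejoined onto single lines; the function names are this example's own.

```python
import re
from collections import defaultdict

# AVC records from the post above, rejoined onto one line each (constructed
# test input for this example; a SYSCALL record is included to show it is skipped).
AVC_LOG = """\
type=AVC msg=audit(1278095042.156:12): avc: denied { dac_override } for pid=1620 comm="tor" capability=1 scontext=unconfined_u:system_r:tor_t:s0 tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
type=AVC msg=audit(1278095042.156:12): avc: denied { dac_read_search } for pid=1620 comm="tor" capability=2 scontext=unconfined_u:system_r:tor_t:s0 tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
type=AVC msg=audit(1278095145.958:15): avc: denied { name_bind } for pid=1636 comm="tor" src=53 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1278095145.958:15): avc: denied { net_bind_service } for pid=1636 comm="tor" capability=10 scontext=unconfined_u:system_r:tor_t:s0 tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
type=SYSCALL msg=audit(1278095145.958:15): arch=40000003 syscall=102 success=yes exit=0
"""

# Captures the permission set, both contexts and the object class of one denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(log):
    """Yield (source_type, target_type, tclass, permission) for every AVC denial."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        src = m.group("scontext").split(":")[2]  # type is the 3rd context field
        tgt = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            yield src, tgt, m.group("tclass"), perm

def allow_rules(log):
    """Group denials into allow rules; a target equal to the source is 'self'."""
    grouped = defaultdict(set)
    for src, tgt, tclass, perm in parse_avc(log):
        grouped[(src, "self" if tgt == src else tgt, tclass)].add(perm)
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules

def capability_rules(rules):
    """Rules granting capabilities: dac_override and dac_read_search bypass
    file permission checks, so these deserve a look at file ownership first."""
    return [r for r in rules if ":capability " in r]

if __name__ == "__main__":
    for rule in allow_rules(AVC_LOG):
        print(rule)
```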