On Mon, 2010-07-19 at 20:29 +0100, Mr Dash Four wrote:
Some progress made:
dac_override and dac_read_search AVCs:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
These were triggered by wrong file/directory permission settings (too
restrictive - 600/700 not allowing 'root' access to these as the uid/gid
were not 'root'). I have corrected these by changing the group ids to
include root (uid: root, gid: ___tor). When this was done the above 2
AVCs were gone - forever.
In order to find out what was causing these I had to switch on more
detailed auditd logging with "auditctl -a exit,always -F dir=/apps" and
"auditctl -a exit,always -F dir=/usr" to see what is happening - very
handy auditd feature and solved the above issues as it logged every
syscall made to the above 2 directories (recursively!) enabling me to
see what went wrong.
name_bind AVC:
~~~~~~~~~~~~
I also know how to correct the name_bind AVC, though the issue I have is
that this should be a permanent setting in the targeted policy (tor.te)
as the new version of tor (2.x) has its own dns resolving capabilities
and needs access/binding to udp/53. The policy makers of the 'targeted'
policy should be made aware of this.
net_bind_service AVC:
~~~~~~~~~~~~~~~~
Here is my last query: net_bind_service capability (allowing binding to
ports < 1024) is also needed by tor's dns resolution service, though I
need to know is there a way to specify only port 53 as that is what is
needed by tor (tor does NOT need to bind to any other privileged port(s)
other than udp/53)?
If you just want tor to bind to the dns port use these interfaces
corenet_tcp_bind_dns_port(tor_t)
corenet_udp_bind_dns_port(tor_t)
Considering these interfaces contain the net_bind_service cap, it seems
like you will have to include it. However, that isn't a concern, since the
statement here will only allow tor to bind to ports labeled dns_port_t,
in this case tcp/udp 53. If you don't want tcp, just include the second
of the two interfaces only.
I can get away without the above 2 AVCs provided I specify DNS
resolution to be done on unprivileged ports (say udp/5053 for example),
though I don't know how this is going to be done in practice as I have no
idea how to force Linux into accepting its DNS resolution to look for
ports other than 53 (as far as I know 'resolv.conf' allows only hosts to
be specified, no ports - 53 is the assumed DNS resolution port and that,
as far as I know, cannot be changed).
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
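The reply above points at corenet_udp_bind_dns_port(tor_t) as the way to grant tor only udp/53 rather than every port below 1024. The script below is an added example, not code from the thread or from the tor or selinux-policy projects: it writes a minimal local policy module (tor_dns.te) that calls that interface, builds it with the refpolicy development Makefile (assumed to live at /usr/share/selinux/devel/Makefile, the Fedora selinux-policy-devel default), loads it when run as root, and then checks the resulting rule and the dns_port_t labelling. Plain checkmodule(8) is not sufficient for a .te that uses corenet_* interfaces, because those are m4 macros that the Makefile expands first. The module name tor_dns and the temporary working directory are my choices.

```shell
#!/bin/sh
# Added example (not from the thread): grant tor_t exactly the DNS-port bind
# the reply suggests, via a local policy module built with the refpolicy
# development Makefile. Paths are Fedora defaults and are assumptions.

DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile   # assumed location

# Write tor_dns.te into directory "$1" and print its path.
# Only the udp interface is used: udp/53 is all tor needs, and although the
# interface also grants self:capability net_bind_service, the name_bind it
# adds is restricted to ports labelled dns_port_t, not every port < 1024.
write_tor_dns_module() {
    dir=$1
    te="$dir/tor_dns.te"
    # Quoted heredoc: the m4 quotes `...' must reach the file untouched.
    cat > "$te" <<'EOF'
policy_module(tor_dns, 1.0)

gen_require(`
	type tor_t;
')

# tor's built-in resolver listens on udp/53, which is labelled dns_port_t.
# corenet_udp_bind_dns_port() allows name_bind on dns_port_t only (plus the
# net_bind_service capability the kernel demands for any port below 1024).
corenet_udp_bind_dns_port(tor_t)
EOF
    printf '%s\n' "$te"
}

# Expand the interfaces and compile to tor_dns.pp; insert it when root.
build_and_load() {
    te=$1
    moddir=$(dirname "$te")
    if [ ! -r "$DEVEL_MAKEFILE" ]; then
        echo "skipping build: $DEVEL_MAKEFILE not found (install selinux-policy-devel)" >&2
        return 0
    fi
    ( cd "$moddir" && make -f "$DEVEL_MAKEFILE" tor_dns.pp ) || return 1
    if [ "$(id -u)" -ne 0 ]; then
        echo "built $moddir/tor_dns.pp; run 'semodule -i $moddir/tor_dns.pp' as root" >&2
        return 0
    fi
    semodule -i "$moddir/tor_dns.pp"
}

# After loading: show the allow rule, confirm port 53 carries dns_port_t,
# and look for any remaining name_bind denial from tor in recent audit logs.
verify() {
    command -v sesearch >/dev/null 2>&1 && \
        sesearch -A -s tor_t -t dns_port_t -c udp_socket -p name_bind
    command -v semanage >/dev/null 2>&1 && semanage port -l | grep -w dns_port_t
    command -v ausearch >/dev/null 2>&1 && \
        ausearch -m avc -c tor -ts recent 2>/dev/null | grep name_bind || true
}

main() {
    work=$(mktemp -d)
    te=$(write_tor_dns_module "$work")
    echo "wrote $te"
    if build_and_load "$te"; then
        verify
    fi
}

main
```

If tcp/53 turns out to be needed after all, add corenet_tcp_bind_dns_port(tor_t) on the line after the udp call; nothing else in the module changes. Once the name_bind AVC is gone, remember to drop the broad auditctl directory watches from the first part of the thread (auditctl -d with the same arguments, or auditctl -D to flush all rules), since logging every syscall under /usr is expensive.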