tor: dac_override, dac_read_search, name_bind and net_bind_service

Mr Dash Four mr.dash.four at googlemail.com
Fri Jul 2 20:45:15 UTC 2010


What is the purpose of the dac_override and dac_read_search capabilities? 
From what I can gather they allow unrestricted access to the file 
system (not sure how secure that would be?).

I am getting 2 AVCs when trying to start tor (see logs below). SELinux 
is in enforced mode (I switched it to permissive in order to get all the 
alerts listed below). I looked at the source policy 
(policy/modules/services/tor.te) and indeed these 2 capabilities are not 
there (only setgid, setuid and sys_tty_config are allowed from what I 
can see). How healthy would it be if I added these two capabilities to tor.te?

===========================
type=AVC msg=audit(1278095042.156:12): avc:  denied  { dac_override } 
for  pid=1620 comm="tor" capability=1  
scontext=unconfined_u:system_r:tor_t:s0 
tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
type=AVC msg=audit(1278095042.156:12): avc:  denied  { dac_read_search } 
for  pid=1620 comm="tor" capability=2  
scontext=unconfined_u:system_r:tor_t:s0 
tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
===========================

I am also getting two other AVCs when tor is trying to bind to port 
udp/53 (dns_port_t) and tcp/53. I need this to use tor as my DNS 
resolution service on the local machine tor is running on. I can probably 
prevent the first AVC by including "allow tor_t dns_port_t:tcp_socket 
name_bind;" in tor.te, but how do I prevent the second one?

===========================
type=AVC msg=audit(1278095145.861:14): avc:  denied  { dac_override } 
for  pid=1634 comm="tor" capability=1  
scontext=unconfined_u:system_r:tor_t:s0 
tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
type=SYSCALL msg=audit(1278095145.861:14): arch=40000003 syscall=195 
success=yes exit=0 a0=9e07088 a1=bfad5390 a2=55bff4 a3=0 items=0 
ppid=1633 pid=1634 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=tty1 ses=1 comm="tor" exe="/usr/bin/tor" 
subj=unconfined_u:system_r:tor_t:s0 key=(null)
type=AVC msg=audit(1278095145.958:15): avc:  denied  { name_bind } for  
pid=1636 comm="tor" src=53 scontext=unconfined_u:system_r:tor_t:s0 
tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1278095145.958:15): avc:  denied  { net_bind_service 
} for  pid=1636 comm="tor" capability=10  
scontext=unconfined_u:system_r:tor_t:s0 
tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
type=SYSCALL msg=audit(1278095145.958:15): arch=40000003 syscall=102 
success=yes exit=0 a0=2 a1=bfad5260 a2=0 a3=9e1cba8 items=0 ppid=1 
pid=1636 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) ses=1 comm="tor" exe="/usr/bin/tor" 
subj=unconfined_u:system_r:tor_t:s0 key=(null)
===========================

I am getting the above set when I place SELinux in Permissive mode 
(setenforce 0). As is clear from the above, I am NOT getting 
dac_read_search when SELinux is in Permissive mode. I am also not 
getting the name_bind and net_bind_service AVCs when SELinux is in Enforced 
mode, as obviously tor does not reach that far and terminates.

Help would be much appreciated!
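Added example (not from the post, and not Tor or reference-policy code): a small Python parser for AVC records like the ones quoted above. It groups the denials into the allow rules that audit2allow would generate for tor_t, and it keeps the DAC-bypass capabilities (dac_override, dac_read_search) in a separate rule with a comment so they can be reviewed rather than granted by reflex. The sample log is constructed from the post's own records, condensed to one line each; the "self" target convention follows audit2allow.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC records from the post, one per line.
AVC_LOG = """\
type=AVC msg=audit(1278095042.156:12): avc:  denied  { dac_override } for  pid=1620 comm="tor" capability=1 scontext=unconfined_u:system_r:tor_t:s0 tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
type=AVC msg=audit(1278095042.156:12): avc:  denied  { dac_read_search } for  pid=1620 comm="tor" capability=2 scontext=unconfined_u:system_r:tor_t:s0 tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
type=AVC msg=audit(1278095145.958:15): avc:  denied  { name_bind } for  pid=1636 comm="tor" src=53 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1278095145.958:15): avc:  denied  { net_bind_service } for  pid=1636 comm="tor" capability=10 scontext=unconfined_u:system_r:tor_t:s0 tcontext=unconfined_u:system_r:tor_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Capabilities that bypass discretionary file permissions wholesale. Denials on
# these usually mean the files tor touches are owned/labelled wrongly; fixing
# that is preferable to widening the domain.
BROAD_CAPS = {"dac_override", "dac_read_search"}

def context_type(ctx):
    # user:role:type:level -> type
    return ctx.split(":")[2]

def parse_avcs(log):
    """Map (source type, target, tclass) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = context_type(m["scontext"])
        # audit2allow writes "self" when source and target contexts are equal
        target = "self" if m["scontext"] == m["tcontext"] else context_type(m["tcontext"])
        rules[(stype, target, m["tclass"])].update(m["perms"].split())
    return rules

def to_allow_rules(rules):
    """Render .te-style allow rules, keeping broad DAC capabilities separate."""
    out = []
    for (stype, target, tclass), perms in sorted(rules.items()):
        groups = ((perms - BROAD_CAPS, ""),
                  (perms & BROAD_CAPS, "  # broad DAC bypass: fix labels/ownership instead"))
        for group, note in groups:
            if not group:
                continue
            joined = " ".join(sorted(group))
            perm_str = joined if len(group) == 1 else "{ " + joined + " }"
            out.append(f"allow {stype} {target}:{tclass} {perm_str};{note}")
    return out

if __name__ == "__main__":
    print("\n".join(to_allow_rules(parse_avcs(AVC_LOG))))
```

The udp_socket rule is the one the post asks about for the second bind; a tcp_socket denial would produce the matching tcp rule the post already proposes.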
