tor_t: SELinux prevents tor from starting when using ControlSocket feature

Lukas Vrabec lvrabec at redhat.com
Thu Apr 16 21:37:35 UTC 2015


Hi,
Could you reproduce it in permissive mode? (I need all your AVCs.)
Then I'll add these rules to the tor policy in Fedora and also RHEL.

On 04/10/2015 04:14 PM, Nusenu wrote:
> Hi,
>
> If you make use of tor's ControlSocket feature, via the config option
> ControlSocket /var/lib/tor/foo/controlsocket
>
> tor will fail to start with the following AVCs:
>
>
> avc:  denied  { dac_override } for  pid=7224 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
> avc:  denied  { dac_read_search } for  pid=7224 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
>
> avc:  denied  { dac_override } for  pid=7226 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
> avc:  denied  { dac_read_search } for  pid=7226 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
>
> If you do not use the ControlSocket feature by removing that option
> from the config file, tor starts up fine again.
>
> Would be great if one could enable a boolean to allow that.
>
> thanks!
>
> Used policy:
> selinux-policy-3.13.1-23.el7
> selinux-policy-targeted-3.13.1-23.el7
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-- 
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.