Hi,
If you make use of tor's ControlSocket feature via the config option ControlSocket /var/lib/tor/foo/controlsocket,
tor will fail to start with the following AVCs:
avc: denied { dac_override } for pid=7224 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
avc: denied { dac_read_search } for pid=7224 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
avc: denied { dac_override } for pid=7226 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
avc: denied { dac_read_search } for pid=7226 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
If you do not use the ControlSocket feature by removing that option from the config file, tor starts up fine again.
It would be great if one could enable a boolean to allow that.
thanks!
Used policy: selinux-policy-3.13.1-23.el7 selinux-policy-targeted-3.13.1-23.el7
related on tor-dev: "Are DAC_OVERRIDE & CHOWN capabilities required for ControlSocket?" https://lists.torproject.org/pipermail/tor-dev/2015-April/008639.html
Hi, could you reproduce it in permissive mode? (I need all your AVCs.) Then I'll add these rules to the tor policy in Fedora and also RHEL.
On 04/10/2015 04:14 PM, Nusenu wrote:
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Lukas Vrabec:
Hi, could you reproduce it in permissive mode? (I need all your AVCs.) Then I'll add these rules to the tor policy in Fedora and also RHEL.
Thanks for fixing this.
AVCs in permissive mode:
type=AVC avc: denied { dac_override } ... capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
type=AVC avc: denied { chown } ... capability=0 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
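As an added example (not part of the thread or of the Fedora policy), this script groups the capability denials reported above into a local policy module source in audit2allow style; the sample AVC lines are constructed from the thread's reports, and the module name tor_controlsocket is assumed.

```python
import re
from collections import defaultdict

# Constructed sample assembled from the denials reported in this thread
# (pid/comm were elided in the permissive-mode report, so they are filled in).
SAMPLE_AVCS = """\
type=AVC avc: denied { dac_override } for pid=7224 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
type=AVC avc: denied { dac_read_search } for pid=7224 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
type=AVC avc: denied { chown } for pid=7224 comm="tor" capability=0 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
"""

# One AVC record: the denied permission set, then source/target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """system_u:system_r:tor_t:s0 -> tor_t (the type is the third field)."""
    return context.split(":")[2]

def parse_avcs(text):
    """Group denials as {(source_type, target_type, tclass): set(perms)}.
    finditer also copes with several records run together on one line."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(text):
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def to_te(rules, module="tor_controlsocket", version="1.0"):
    """Render grouped denials as module source. Build and load with:
    checkmodule -M -m -o m.mod m.te && semodule_package -o m.pp -m m.mod && semodule -i m.pp"""
    lines = [f"module {module} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted({t for s, d, _ in rules for t in (s, d)})]
    for cls in sorted({c for _, _, c in rules}):
        perms = sorted({p for (_, _, c), ps in rules.items() if c == cls for p in ps})
        lines.append(f"\tclass {cls} {{ {' '.join(perms)} }};")
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        # A domain acting on its own context (capabilities here) targets 'self'.
        tgt = "self" if tgt == src else tgt
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # dac_override bypasses file permission checks entirely; the tor-dev thread
    # linked above asks whether tor needs it at all, so check the ownership and
    # mode of the socket directory before granting it with this module.
    print(to_te(parse_avcs(SAMPLE_AVCS)), end="")
```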
Any update on this?
thanks!