Hi, Could you reproduce it in permissive mode? (I need all your AVCs) Then I'll add this rules to tor policy in fedora and also RHEL.

On 04/10/2015 04:14 PM, Nusenu wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

Hi,

if you make use of tor's ControlSocket feature, via config option ControlSocket /var/lib/tor/foo/controlsocket

tor will fail to start with the following AVCs:

avc: denied { dac_override } for pid=7224 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability avc: denied { dac_read_search } for pid=7224 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability

avc: denied { dac_override } for pid=7226 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability avc: denied { dac_read_search } for pid=7226 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability

If you do not use the ControlSocket feature by removing that option from the config file, tor starts up fine again.

Would be great if one could enable a boolean to allow that.

thanks!

Used policy: selinux-policy-3.13.1-23.el7 selinux-policy-targeted-3.13.1-23.el7

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJVJ9rAAAoJEFv7XvVCELh0/zYQAItBbT3uCuEclOz9kkPMxhR7 /R/yj08ynlB4L3Zs4xUmhQGAaS+E2As3ScfoViA3B2ywNcXF4A4l93GGV/fxe94H GQp6v/cq7WVmHhJE5BdeBJ7ThJRuWpGGNjW+Pko/F/CCnAskLq4TKTDTHpgtwid6 r5LsN5Le6ypOO8Cp6jMpDAPgnz3JnTF2Yo3cRhPe/+DvDl5HFPHnr/bWeunKrzT0 Unn2n45IUeSTn50wPznAmAIQj00hLoQJCtv1TeprVy3FsJjzRrUUwxkIYJsVr5Cf EF7ZFMZkpAqHKT5TQRdHYZ18CjOZS/waPY/XI8+RoL7cqXBU95/UcRt3gjcY3O3W mI42IsQqM9SzV3vr98qWTN7V3GfNUg1BlAYVqWGXG3jRBvyACoZVg2nI0nyUSXG2 k2U9YuOF4zbBvlAD//tHhzTmfisuSMNE6lVW9osIW09HPpiX3htF0yZ+8I1VfZle xM/NNwui6HRK28tTgqHXQpLlpBckO+db5S4mjojvbuHrv9H1tU5E1oK3YYwoEzUT U+yh9I34o5N5he8kEIFHFMufEMkfzBBNb4MhotATTKhvuPXeFWlqJ5F1kWYT6mL5 0abfKB2xsQq7jZKIQSmcatLat6c98S90ipLEPS6aBWNeDCObYgSwaQcOZEFGQ+62 mMkave25Hgsy/BJ7e6SV =eNqK

-----END PGP SIGNATURE-----

selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

any update on this?

thanks!