Re: [CentOS] tor and selinux

2017-01-30 Thread Gordon Messmer

On 01/29/2017 10:32 PM, Mark wrote:

That's strange, because I started the tor process simply with
sudo systemctl start tor



Yes, it looks like that package runs the service as "root".  That 
doesn't seem like a good default, and it could be a packaging bug.  Try 
adding "User toranon" to the configuration file and see if things work.  
If so, file a bug so that the maintainer can change the default.


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
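As an added example, not code from the thread or from the tor project: a small Python check of the fix proposed above. It parses a torrc for the `User` directive and every `HiddenServiceDir`, then verifies that each directory is owned by the uid tor will drop to and is not group- or world-accessible, and reports the case that produced the AVC in this thread, a torrc with no `User` line on a tor started as root. The torrc text, the temporary directories and the `resolve_uid` callback (a stand-in for `pwd.getpwnam`) are constructed for the example; on a real host you would point it at `/etc/tor/torrc` and pass `lambda n: pwd.getpwnam(n).pw_uid`.

```python
import os
import stat
import tempfile

# Constructed torrc resembling the one in the thread (a hidden service plus the
# 'User' line suggested in the reply). Not the poster's actual file.
SAMPLE_TORRC = """\
# /etc/tor/torrc (constructed sample)
User toranon
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
"""


def parse_torrc(text):
    """Return (user, [hidden_service_dirs]); torrc keywords are case-insensitive."""
    user, dirs = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "user":
            user = value
        elif key == "hiddenservicedir":
            dirs.append(value)
    return user, dirs


def check_hidden_service_dir(path, expected_uid):
    """Problems with one HiddenServiceDir for a tor that will run as expected_uid."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s: does not exist" % path]
    if not stat.S_ISDIR(st.st_mode):
        problems.append("%s: not a directory" % path)
    if st.st_uid != expected_uid:
        problems.append("%s: owned by uid %d but tor will run as uid %d; "
                        "without CAP_DAC_OVERRIDE it cannot open it"
                        % (path, st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s: mode %s is group/other accessible; expected 0700"
                        % (path, stat.filemode(st.st_mode)))
    return problems


def audit(torrc_text, resolve_uid):
    """resolve_uid maps a user name to a uid (pwd.getpwnam(name).pw_uid on a real host)."""
    user, dirs = parse_torrc(torrc_text)
    if user is None:
        # No 'User' line: tor keeps the uid it was started with. Under
        # 'systemctl start tor' in the thread that is root, so a toranon-owned
        # 0700 directory is reachable only via dac_override / dac_read_search.
        return ["torrc has no 'User' line: tor keeps the uid it was started with; "
                "a toranon-owned 0700 HiddenServiceDir then needs dac_override"]
    expected_uid = resolve_uid(user)
    problems = []
    for d in dirs:
        problems.extend(check_hidden_service_dir(d, expected_uid))
    return problems


def _demo(mode, uid_offset):
    """Audit a throwaway directory standing in for /var/lib/tor/hidden_service/."""
    d = tempfile.mkdtemp()              # created 0700, owned by the current uid
    os.chmod(d, mode)
    torrc = SAMPLE_TORRC.replace("/var/lib/tor/hidden_service/", d)
    try:
        # Stand-in for pwd.getpwnam: 'toranon' maps to our own uid, offset to fake a mismatch.
        return audit(torrc, lambda name: os.getuid() + uid_offset)
    finally:
        os.chmod(d, 0o700)
        os.rmdir(d)


def demo_correct():
    return _demo(0o700, 0)               # []: owner and mode match


def demo_world_readable():
    return _demo(0o755, 0)               # one problem: mode too open


def demo_wrong_owner():
    return _demo(0o700, 1)               # one problem: owner != service uid


def demo_no_user_line():
    return audit(SAMPLE_TORRC.replace("User toranon\n", ""), lambda name: 0)


if __name__ == "__main__":
    for fn in (demo_correct, demo_world_readable, demo_wrong_owner, demo_no_user_line):
        print(fn.__name__, fn())
```

The ownership and mode checks are the same conditions the SELinux denial is pointing at: a 0700 directory owned by `toranon` is fine for a tor that runs as `toranon` and needs no capability at all; the same directory opened by root needs `CAP_DAC_OVERRIDE`, which is what the targeted policy refuses `tor_t`.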


Re: [CentOS] tor and selinux

2017-01-29 Thread Mark
On Sun, 2017-01-29 at 15:53 -0800, Gordon Messmer wrote:
> On 01/29/2017 11:59 AM, Mark wrote:
> > As I don't know what dac_override is I don't know if it's a good
> > idea
> > to give it to tor and the confidence seems quite low.
> 
> 
> dac_override indicates that you're running your process as root, and 
> it's trying to do something on the filesystem which is not
> explicitly 
> allowed by permissions.  DAC is the standard POSIX permission
> system, 
> and the process is trying to override it.  DAC allows access to the 
> toranon user and toranon group only, and the process is trying to 
> override that access by way of root access.

That's strange, because I started the tor process simply with
sudo systemctl start tor

The only changes I've really made was to add two lines of configuration
in torrc

Cheers
Mark


Re: [CentOS] tor and selinux

2017-01-29 Thread Gordon Messmer

On 01/29/2017 11:59 AM, Mark wrote:

As I don't know what dac_override is I don't know if it's a good idea
to give it to tor and the confidence seems quite low.



dac_override indicates that you're running your process as root, and 
it's trying to do something on the filesystem which is not explicitly 
allowed by permissions.  DAC is the standard POSIX permission system, 
and the process is trying to override it.  DAC allows access to the 
toranon user and toranon group only, and the process is trying to 
override that access by way of root access.


I'd say that no, giving dac_override is not a good idea, but mostly 
because that implies that you'd continue running the process as root.  
You should be running the service as the "toranon" user instead, in 
which case it will not need dac_override.




[CentOS] tor and selinux

2017-01-29 Thread Mark
I'm experimenting with tor hidden services and got it to work nicely on
my Centos7, with tor from epel. That is, until I booted the machine.
Then SELinux kicked in and in the logs there's 

[warn] Directory /var/lib/tor/hidden_service/ cannot be read:
Permission denied

The permissions are
drwx------.  2 toranon toranon 4096 Jan 28 23:39 hidden_service

And SELinux gives the following

SELinux is preventing /usr/bin/tor from using the dac_override
capability.

*****  Plugin dac_override (91.4 confidence) suggests  *****

If you want to help identify if domain needs this access or you have a
file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending
file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  *****

If you believe that tor should have the dac_override capability by
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tor' --raw | audit2allow -M my-tor
# semodule -i my-tor.pp


Additional Information:
Source Context                system_u:system_r:tor_t:s0
Target Context                system_u:system_r:tor_t:s0
Target Objects                Unknown [ capability ]
Source                        tor
Source Path                   /usr/bin/tor
Port                          
Host                          
Source RPM Packages           tor-0.2.8.12-1.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-102.el7_3.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host
Platform                      Linux host 3.10.0-514.6.1.el7.x86_64 #1 SMP Wed Jan 18 13:06:36 UTC 2017 x86_64 x86_64
Alert Count                   5
First Seen                    2017-01-29 22:42:46 EST
Last Seen                     2017-01-29 22:42:51 EST
Local ID                      51ceb58e-19cf-4f8f-ab1e-fe48265aaf1d

Raw Audit Messages
type=AVC msg=audit(1485747771.709:106): avc:  denied  { dac_override } for  pid=2253 comm="tor" capability=1  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability

type=AVC msg=audit(1485747771.709:106): avc:  denied  { dac_read_search } for  pid=2253 comm="tor" capability=2  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability

type=SYSCALL msg=audit(1485747771.709:106): arch=x86_64 syscall=open success=no exit=EACCES a0=7fcd2c12fe90 a1=2 a2=0 a3=1 items=0 ppid=1 pid=2253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=tor exe=/usr/bin/tor subj=system_u:system_r:tor_t:s0 key=(null)

Hash: tor,tor_t,tor_t,capability,dac_override


As I don't know what dac_override is I don't know if it's a good idea
to give it to tor and the confidence seems quite low. 

Cheers
Mark

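As an added example, not part of the original post: a Python triage of the raw audit messages above. It groups the AVC and SYSCALL records by their audit serial, decodes the capability numbers (1 and 2 are CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH in linux/capability.h), reads the uids from the SYSCALL record, and answers the question the poster asked: a `dac_override` denial with `euid=0` means the process is running as root and is hitting a file it does not own, so the remedy is ownership or privilege, not an `audit2allow` module. The sample records are the three from the report, rejoined onto one line each; the verdict strings are this example's own.

```python
import re

# Capability numbers from linux/capability.h (only the ones relevant here).
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}
AUID_UNSET = 4294967295   # (uid_t)-1: no login session, i.e. started by init/systemd
DAC_CAPS = {"dac_override", "dac_read_search"}

# Constructed sample: the records from the report above, one record per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1485747771.709:106): avc:  denied  { dac_override } for  pid=2253 comm="tor" capability=1  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
type=AVC msg=audit(1485747771.709:106): avc:  denied  { dac_read_search } for  pid=2253 comm="tor" capability=2  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
type=SYSCALL msg=audit(1485747771.709:106): arch=x86_64 syscall=open success=no exit=EACCES a0=7fcd2c12fe90 a1=2 a2=0 a3=1 items=0 ppid=1 pid=2253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=tor exe=/usr/bin/tor subj=system_u:system_r:tor_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value, value may be quoted
PERM_RE = re.compile(r'\{\s*([^}]*?)\s*\}')      # { perm perm ... } in an AVC record
EVENT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # audit(TIMESTAMP:SERIAL)


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields plus 'denied'."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = PERM_RE.search(line)
    if m:
        fields["denied"] = m.group(1).split()
    return fields


def group_events(text):
    """Group records by audit serial so AVC and SYSCALL lines of one event stay together."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.setdefault(m.group(2), []).append(parse_record(line))
    return events


def triage_event(records):
    avcs = [r for r in records if r.get("type") == "AVC"]
    syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
    denied, caps = set(), set()
    for r in avcs:
        denied.update(r.get("denied", []))
        if r.get("tclass") == "capability" and "capability" in r:
            caps.add(CAP_NAMES.get(int(r["capability"]), "CAP_" + r["capability"]))
    result = {
        "comm": (avcs or [syscall or {}])[0].get("comm"),
        "denied": denied,
        "capabilities": caps,
        "euid": int(syscall["euid"]) if syscall and "euid" in syscall else None,
        # auid unset + ppid=1 means the daemon was started by systemd, not a login shell
        "auid_unset": bool(syscall) and int(syscall.get("auid", -1)) == AUID_UNSET,
        "syscall": syscall.get("syscall") if syscall else None,
    }
    if denied & DAC_CAPS and result["euid"] == 0:
        result["verdict"] = ("running as root and bypassing DAC on a file it does not own: "
                             "fix ownership or run as the service user; do not audit2allow")
    elif denied & DAC_CAPS:
        result["verdict"] = "DAC capability denied for a non-root euid: check file ownership/permissions"
    else:
        result["verdict"] = "not a DAC-capability denial; inspect with sealert/audit2allow"
    return result


def triage(text):
    """Map audit serial -> triage result for every event in the text."""
    return {serial: triage_event(recs) for serial, recs in group_events(text).items()}


if __name__ == "__main__":
    for serial, res in triage(SAMPLE_AUDIT).items():
        print(serial, res["comm"], sorted(res["capabilities"]), "euid=%s" % res["euid"])
        print("  ", res["verdict"])
```

The same logic applied to the output of `ausearch -m avc -ts recent` covers the general case: any `capability`-class denial whose SYSCALL record shows `euid=0` is a process that is already root and is being stopped only by SELinux, which is exactly when granting the permission with `audit2allow` would remove the last control rather than fix a mislabelled file.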