Bug#903654: tor: Tor doesn't start because of AppArmor

2018-07-22 Thread intrigeri
Control: tag -1 + moreinfo

Hi Stefan,

Stefan Monnier:
> Jul 12 11:03:05 faina audit[6873]: AVC apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=6873 comm="(tor)"
> Jul 12 11:03:05 faina kernel: audit: type=1400 audit(1531407785.239:26): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=6873 comm="(tor)"
> Jul 12 11:03:05 faina systemd[6873]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: No such file or directory

I think this happens if the system_tor AppArmor profile is not loaded.

I see you're running a kernel (newer than the one from Stretch) that
probably has AppArmor enabled. But perhaps you don't have the apparmor
package installed? If it's installed, please share the output of
"journalctl -b -u apparmor.service".

Cheers,
-- 
intrigeri
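
The diagnosis above (a change_onexec denial with "label not found" means the named profile is not loaded) can be checked mechanically. This is an added example, not part of the original thread: the function names are hypothetical, the sample listing is constructed, and the listing is assumed to use the "name (mode)" per-line format of /sys/kernel/security/apparmor/profiles.

```shell
#!/bin/sh
# Added example: correlate AppArmor "label not found" denials with the
# list of profiles the kernel has loaded.

# Print the profile names that change_onexec denials in the journal
# excerpt $1 reported as "label not found".
denied_labels() {
    grep 'apparmor="DENIED"' "$1" \
        | grep 'operation="change_onexec"' \
        | grep 'info="label not found"' \
        | sed -n 's/.*[[:space:]]name="\([^"]*\)".*/\1/p' \
        | sort -u
}

# Succeed if profile $1 appears in listing $2 (assumed format: one
# "name (mode)" entry per line). Child profiles "name//child" do not count.
profile_loaded() {
    awk -v p="$1" 'index($0, p " (") == 1 { found = 1; exit }
                   END { exit !found }' "$2"
}

# Print each denied label that is absent from the loaded-profile listing.
missing_profiles() {
    denied_labels "$1" | while IFS= read -r label; do
        profile_loaded "$label" "$2" || printf '%s\n' "$label"
    done
}

# Constructed sample: two journal lines from the report (unwrapped) and a
# constructed profile listing that lacks system_tor.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/journal" <<'EOF'
Jul 12 11:03:05 faina tor[6862]: Configuration was valid
Jul 12 11:03:05 faina audit[6873]: AVC apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=6873 comm="(tor)"
EOF
    cat > "$tmp/profiles" <<'EOF'
/usr/sbin/tcpdump (enforce)
EOF
    missing_profiles "$tmp/journal" "$tmp/profiles"
    rm -rf "$tmp"
}

demo
```

On a live system the two inputs would be a saved journal excerpt and a copy of /sys/kernel/security/apparmor/profiles, which is normally readable only by root.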



Bug#903654: tor: Tor doesn't start because of AppArmor

2018-07-12 Thread Stefan Monnier
Package: tor
Version: 0.2.9.15-1
Severity: normal

Dear Maintainer,

I installed Tor on my machine and haven't made any change to its config yet,
as far as I know.
But when I start it, AppArmor seems to stop it right at the start.
More specifically, I get:

# /etc/init.d/tor stop 
[ ok ] Stopping tor (via systemctl): tor.service.
# /etc/init.d/tor start
[ ok ] Starting tor (via systemctl): tor.service.
# /etc/init.d/tor status
 tor.service - Anonymizing overlay network for TCP (multi-instance-master)
   Loaded: loaded (/lib/systemd/system/tor.service; enabled; vendor preset: enabled)
   Active: active (exited) since Thu 2018-07-12 11:03:03 EDT; 2min 39s ago
  Process: 6842 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 6842 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/tor.service

Jul 12 11:03:03 faina systemd[1]: Starting Anonymizing overlay network for TCP (multi-instance-master)...
Jul 12 11:03:03 faina systemd[1]: Started Anonymizing overlay network for TCP (multi-instance-master).
#

and `journalctl -f` on the "start" part gives me:

Jul 12 11:03:03 faina systemd[1]: Starting Anonymizing overlay network for TCP...
Jul 12 11:03:03 faina systemd[1]: Started Anonymizing overlay network for TCP (multi-instance-master).
Jul 12 11:03:04 faina tor[6862]: Jul 12 11:03:04.973 [notice] Tor 0.2.9.15 (git-2dc1a1a2abab5403) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0f and Zlib 1.2.8.
Jul 12 11:03:04 faina tor[6862]: Jul 12 11:03:04.974 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 12 11:03:04 faina tor[6862]: Jul 12 11:03:04.974 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Jul 12 11:03:04 faina tor[6862]: Jul 12 11:03:04.974 [notice] Read configuration file "/etc/tor/torrc".
Jul 12 11:03:05 faina tor[6862]: Configuration was valid
Jul 12 11:03:05 faina audit[6873]: AVC apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=6873 comm="(tor)"
Jul 12 11:03:05 faina kernel: audit: type=1400 audit(1531407785.239:26): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=6873 comm="(tor)"
Jul 12 11:03:05 faina systemd[6873]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: No such file or directory
Jul 12 11:03:05 faina systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR
Jul 12 11:03:05 faina systemd[1]: Failed to start Anonymizing overlay network for TCP.
Jul 12 11:03:05 faina systemd[1]: tor@default.service: Unit entered failed state.
Jul 12 11:03:05 faina systemd[1]: tor@default.service: Failed with result 'exit-code'.
Jul 12 11:03:05 faina systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
Jul 12 11:03:05 faina systemd[1]: Stopped Anonymizing overlay network for TCP.

repeated 5 times.

I do see some tor-related files in /etc, tho:

# find /etc/apparmor* -name '*tor*'
/etc/apparmor.d/abstractions/tor
/etc/apparmor.d/local/system_tor
/etc/apparmor.d/system_tor
#

What am I doing wrong?


Stefan


-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (990, 'stable'), (50, 'testing')
Architecture: armhf (armv7l)

Kernel: Linux 4.15.0-rc2+ (SMP w/2 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tor depends on:
ii  adduser              3.115
ii  init-system-helpers  1.48
ii  libc6                2.24-11+deb9u3
ii  libevent-2.0-5       2.0.21-stable-3
ii  libgcc1              1:6.3.0-18+deb9u1
ii  libssl1.1            1.1.0f-3+deb9u2
ii  libsystemd0          232-25+deb9u2
ii  lsb-base             9.20161125
ii  zlib1g               1:1.2.8.dfsg-5

Versions of packages tor recommends:
ii  logrotate    3.11.0-0.1
pn  tor-geoipdb
pn  torsocks

Versions of packages tor suggests:
pn  apparmor-utils
pn  mixmaster
pn  obfs4proxy
pn  obfsproxy
ii  socat                1.7.3.1-2+deb9u1
pn  tor-arm
pn  torbrowser-launcher

-- no debconf information