Bug 429486 - tor can't create pid file on SELinux due to /run migration
Summary: tor can't create pid file on SELinux due to /run migration
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r4
Keywords:
Depends on:
Blocks: 424173
Reported: 2012-08-02 12:50 UTC by Amadeusz Sławiński
Modified: 2012-10-04 18:34 UTC (History)
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Amadeusz Sławiński 2012-08-02 12:50:09 UTC
tor can't create pid file on SELinux due to /run migration.
It causes failures when trying to stop the service.

# /etc/init.d/tor stop
Authenticating root.
Password: 
 * Stopping Tor ...
 * start-stop-daemon: fopen `/var/run/tor/tor.pid': No such file or directory    

enforcing start:
Aug  2 14:44:44 lain kernel: [ 7004.997802] type=1400 audit(1343911484.980:303): avc:  denied  { search } for  pid=3306 comm="tor" name="tor" dev="tmpfs" ino=909943 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir

permissive start:
Aug  2 14:47:16 lain kernel: [ 7156.282203] type=1400 audit(1343911636.564:310): avc:  denied  { read } for  pid=3376 comm="tor" name="cpu" dev="sysfs" ino=32 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:sysfs_t tclass=dir
Aug  2 14:47:16 lain kernel: [ 7156.283846] type=1400 audit(1343911636.568:311): avc:  denied  { search } for  pid=3376 comm="tor" name="tor" dev="tmpfs" ino=911933 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug  2 14:47:16 lain kernel: [ 7156.283862] type=1400 audit(1343911636.568:312): avc:  denied  { write } for  pid=3376 comm="tor" name="tor" dev="tmpfs" ino=911933 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug  2 14:47:16 lain kernel: [ 7156.283873] type=1400 audit(1343911636.568:313): avc:  denied  { add_name } for  pid=3376 comm="tor" name="tor.pid" scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug  2 14:47:16 lain kernel: [ 7156.283902] type=1400 audit(1343911636.568:314): avc:  denied  { create } for  pid=3376 comm="tor" name="tor.pid" scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug  2 14:47:16 lain kernel: [ 7156.283944] type=1400 audit(1343911636.568:315): avc:  denied  { write open } for  pid=3376 comm="tor" name="tor.pid" dev="tmpfs" ino=911076 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug  2 14:47:16 lain kernel: [ 7156.283964] type=1400 audit(1343911636.568:316): avc:  denied  { getattr } for  pid=3376 comm="tor" path="/run/tor/tor.pid" dev="tmpfs" ino=911076 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=file


# ls -lZ /run | grep tor
drwxr-xr-x.  2 tor  tor  system_u:object_r:initrc_var_run_t         60 Aug  2 14:47 tor
# ls -lZ /run/tor       
total 4
-rw-r--r--. 1 tor tor system_u:object_r:initrc_var_run_t 5 Aug  2 14:47 tor.pid


They should probably be:
/var/run/tor(/.*)?                                 all files          system_u:object_r:tor_var_run_t 


Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-14 16:40:50 UTC
Will be part of rev2
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-14 18:56:29 UTC
r2 is now in hardened-dev overlay
Comment 3 Amadeusz Sławiński 2012-08-16 11:40:03 UTC
Enforcing:

# /etc/init.d/tor start
Authenticating root.
Password: 
 * Tor configuration (/etc/tor/torrc) is valid.
 * /var/run/tor: creating directory
 * checkpath: chown: Permission denied
 * Starting Tor ...                                                       [ ok ]

Aug 16 13:29:12 lain kernel: [ 3667.198112] type=1400 audit(1345116552.287:2891): avc:  denied  { setattr } for  pid=3485 comm="rc" name="tor" dev="tmpfs" ino=263650 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tor_var_run_t tclass=dir

# /etc/init.d/tor stop 
Authenticating root.
Password: 
 * Stopping Tor ...
 * start-stop-daemon: fopen `/var/run/tor/tor.pid': No such file or direc [ ok ]

From /etc/init.d/tor
start() {
        checkconfig || return 1
        checkpath -d -m 0755 -o tor:tor /var/run/tor
        ebegin "Starting Tor"
        HOME=/var/lib/tor


Permissive:

# /etc/init.d/tor start
Authenticating root.
Password: 
 * Tor configuration (/etc/tor/torrc) is valid.
 * /var/run/tor: creating directory
 * Starting Tor ...                                                       [ ok ]

Aug 16 13:30:32 lain kernel: [ 3747.552036] type=1400 audit(1345116632.803:2896): avc:  denied  { setattr } for  pid=3536 comm="rc" name="tor" dev="tmpfs" ino=263650 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tor_var_run_t tclass=dir
Aug 16 13:30:32 lain kernel: [ 3747.572707] type=1400 audit(1345116632.823:2897): avc:  denied  { read } for  pid=3542 comm="tor" name="cpu" dev="sysfs" ino=32 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:sysfs_t tclass=dir

# /etc/init.d/tor stop 
Authenticating root.
Password: 
 * Stopping Tor ...                                                       [ ok ]



Allowing

Aug 16 13:29:12 lain kernel: [ 3667.198112] type=1400 audit(1345116552.287:2891): avc:  denied  { setattr } for  pid=3485 comm="rc" name="tor" dev="tmpfs" ino=263650 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tor_var_run_t tclass=dir

makes it work properly
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-17 12:56:52 UTC
setattr on the dirs will be supported from rev4 onwards (also needed for postfix, so I'll grant that globally to initrc_t whenever initrc_t is allowed to create the run directory too).

I also noticed that tor (tor_t) wants to create a directory in /var/lib/tor, but for some reason labelling that directory fails during the installation (it does work if I relabel manually later through "rlpkg tor" or "restorecon -Rv /var/lib").
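The two kinds of denial in this bug call for two different fixes: the tor_t denials in the description hit a directory carrying the generic initrc_var_run_t label, which is a labelling problem solved by the file context rule the reporter proposes (and restorecon), while the initrc_t setattr denial in comment 3 hits the correctly labelled tor_var_run_t directory and needs an allow rule, as comment 4 says. The triage script below is an added example, not part of this bug or of the Gentoo policy; it parses the AVC records quoted above (embedded here as constructed sample input) and sorts each into "relabel" or "candidate allow rule". The EXPECTED_RUN_TYPE table and the GENERIC_RUN_TYPES set are assumptions built from the report's proposed context, not from the policy sources.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in this bug, one per line,
# reduced to the part after the kernel timestamp.
SAMPLE_AVC = """\
type=1400 audit(1343911636.568:311): avc:  denied  { search } for  pid=3376 comm="tor" name="tor" dev="tmpfs" ino=911933 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
type=1400 audit(1343911636.568:312): avc:  denied  { write } for  pid=3376 comm="tor" name="tor" dev="tmpfs" ino=911933 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
type=1400 audit(1343911636.568:315): avc:  denied  { write open } for  pid=3376 comm="tor" name="tor.pid" dev="tmpfs" ino=911076 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
type=1400 audit(1343911636.564:310): avc:  denied  { read } for  pid=3376 comm="tor" name="cpu" dev="sysfs" ino=32 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:sysfs_t tclass=dir
type=1400 audit(1345116552.287:2891): avc:  denied  { setattr } for  pid=3485 comm="rc" name="tor" dev="tmpfs" ino=263650 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tor_var_run_t tclass=dir
"""

# Assumption: the runtime-directory type each daemon domain should see under
# /run, taken from the file context proposed in the report (tor only).
EXPECTED_RUN_TYPE = {"tor_t": "tor_var_run_t"}
# Assumption: generic run-directory labels a daemon domain should not be hitting;
# a denial against one of these points at a mislabelled path, not a missing rule.
GENERIC_RUN_TYPES = {"initrc_var_run_t", "var_run_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the parts of one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": m.group("perms").split(),
        # user:role:type[:level] -> keep only the type component
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # full path is only present on some records; fall back to the name= field
        "target": fields.get("path") or fields.get("name", "?"),
    }


def triage(text):
    """Split denials into relabel advice and aggregated candidate allow rules."""
    relabel = set()
    allow = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        expected = EXPECTED_RUN_TYPE.get(rec["stype"])
        if expected and rec["ttype"] in GENERIC_RUN_TYPES:
            # The daemon's own run directory carries a generic label: fix the
            # file context and restorecon, do not widen the policy.
            relabel.add((rec["target"], rec["ttype"], expected))
        else:
            # Everything else is aggregated like audit2allow would do it.
            allow[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in allow.items()
    )
    return {"relabel": sorted(relabel), "allow": rules}


if __name__ == "__main__":
    result = triage(SAMPLE_AVC)
    for target, got, want in result["relabel"]:
        print(f"relabel {target}: {got} -> {want} (fix the .fc rule, then restorecon)")
    for rule in result["allow"]:
        print("candidate:", rule)
```

Run against the sample, the two tor_t records on /run/tor and tor.pid come out as relabel advice, and the remaining records collapse to `allow initrc_t tor_var_run_t:dir { setattr };` (the rule comment 4 describes) and `allow tor_t sysfs_t:dir { read };`, which a policy maintainer would then judge separately (the sysfs read may well be better handled as a dontaudit than an allow).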
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-24 17:36:18 UTC
rev4 is in hardened-dev overlay
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-09-22 11:30:50 UTC
In main tree, ~arch'ed (rev 5)
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2012-10-04 18:34:23 UTC
stabilized