tor can't create pid file on SELinux due to /run migration

It causes failures when trying to stop the service:

# /etc/init.d/tor stop
Authenticating root.
Password:
 * Stopping Tor ...
 * start-stop-daemon: fopen `/var/run/tor/tor.pid': No such file or directory

enforcing start:

Aug  2 14:44:44 lain kernel: [ 7004.997802] type=1400 audit(1343911484.980:303): avc: denied { search } for pid=3306 comm="tor" name="tor" dev="tmpfs" ino=909943 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir

permissive start:

Aug  2 14:47:16 lain kernel: [ 7156.282203] type=1400 audit(1343911636.564:310): avc: denied { read } for pid=3376 comm="tor" name="cpu" dev="sysfs" ino=32 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:sysfs_t tclass=dir
Aug  2 14:47:16 lain kernel: [ 7156.283846] type=1400 audit(1343911636.568:311): avc: denied { search } for pid=3376 comm="tor" name="tor" dev="tmpfs" ino=911933 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug  2 14:47:16 lain kernel: [ 7156.283862] type=1400 audit(1343911636.568:312): avc: denied { write } for pid=3376 comm="tor" name="tor" dev="tmpfs" ino=911933 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug  2 14:47:16 lain kernel: [ 7156.283873] type=1400 audit(1343911636.568:313): avc: denied { add_name } for pid=3376 comm="tor" name="tor.pid" scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug  2 14:47:16 lain kernel: [ 7156.283902] type=1400 audit(1343911636.568:314): avc: denied { create } for pid=3376 comm="tor" name="tor.pid" scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug  2 14:47:16 lain kernel: [ 7156.283944] type=1400 audit(1343911636.568:315): avc: denied { write open } for pid=3376 comm="tor" name="tor.pid" dev="tmpfs" ino=911076 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug  2 14:47:16 lain kernel: [ 7156.283964] type=1400 audit(1343911636.568:316): avc: denied { getattr } for pid=3376 comm="tor" path="/run/tor/tor.pid" dev="tmpfs" ino=911076 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=file

# ls -lZ /run | grep tor
drwxr-xr-x. 2 tor tor system_u:object_r:initrc_var_run_t 60 Aug  2 14:47 tor
# ls -lZ /run/tor
total 4
-rw-r--r--. 1 tor tor system_u:object_r:initrc_var_run_t 5 Aug  2 14:47 tor.pid

They should probably be:

/var/run/tor(/.*)?    all files    system_u:object_r:tor_var_run_t

Reproducible: Always
Will be part of rev2
r2 is now in hardened-dev overlay
Enforcing:

# /etc/init.d/tor start
Authenticating root.
Password:
 * Tor configuration (/etc/tor/torrc) is valid.
 * /var/run/tor: creating directory
 * checkpath: chown: Permission denied
 * Starting Tor ...                                                       [ ok ]

Aug 16 13:29:12 lain kernel: [ 3667.198112] type=1400 audit(1345116552.287:2891): avc: denied { setattr } for pid=3485 comm="rc" name="tor" dev="tmpfs" ino=263650 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tor_var_run_t tclass=dir

# /etc/init.d/tor stop
Authenticating root.
Password:
 * Stopping Tor ...
 * start-stop-daemon: fopen `/var/run/tor/tor.pid': No such file or direc  [ ok ]

From /etc/init.d/tor:

start() {
	checkconfig || return 1
	checkpath -d -m 0755 -o tor:tor /var/run/tor
	ebegin "Starting Tor"
	HOME=/var/lib/tor

Permissive:

# /etc/init.d/tor start
Authenticating root.
Password:
 * Tor configuration (/etc/tor/torrc) is valid.
 * /var/run/tor: creating directory
 * Starting Tor ...                                                       [ ok ]

Aug 16 13:30:32 lain kernel: [ 3747.552036] type=1400 audit(1345116632.803:2896): avc: denied { setattr } for pid=3536 comm="rc" name="tor" dev="tmpfs" ino=263650 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tor_var_run_t tclass=dir
Aug 16 13:30:32 lain kernel: [ 3747.572707] type=1400 audit(1345116632.823:2897): avc: denied { read } for pid=3542 comm="tor" name="cpu" dev="sysfs" ino=32 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:sysfs_t tclass=dir

# /etc/init.d/tor stop
Authenticating root.
Password:
 * Stopping Tor ...                                                       [ ok ]

Allowing

Aug 16 13:29:12 lain kernel: [ 3667.198112] type=1400 audit(1345116552.287:2891): avc: denied { setattr } for pid=3485 comm="rc" name="tor" dev="tmpfs" ino=263650 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tor_var_run_t tclass=dir

makes it work properly.
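Added example (not part of this bug, its attachments, or the Gentoo SELinux policy): a small script that does by hand what one would otherwise do with audit2allow and matchpathcon on the AVC lines quoted in the report and in the comment above. It aggregates the denials into allow-rule form, then checks the observed labels from the `ls -lZ` output against the file context the report proposes (`/var/run/tor(/.*)?` -> `tor_var_run_t`), after applying the /run -> /var/run substitution that libselinux takes from file_contexts.subs_dist. The point it makes is the triage: the tor_t denials against initrc_var_run_t disappear once /run/tor is relabeled, whereas the initrc_t setattr denial against the correctly labeled tor_var_run_t is a real policy gap. The file_contexts fragment and the substitution table are assumed for illustration and are much shorter than a real policy's.

```python
import re
from collections import defaultdict

# Sample input taken from the AVC lines quoted in this bug (whitespace normalised).
SAMPLE_AUDIT = """\
Aug  2 14:47:16 lain kernel: [ 7156.283846] type=1400 audit(1343911636.568:311): avc: denied { search } for pid=3376 comm="tor" name="tor" dev="tmpfs" ino=911933 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug  2 14:47:16 lain kernel: [ 7156.283862] type=1400 audit(1343911636.568:312): avc: denied { write } for pid=3376 comm="tor" name="tor" dev="tmpfs" ino=911933 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug  2 14:47:16 lain kernel: [ 7156.283944] type=1400 audit(1343911636.568:315): avc: denied { write open } for pid=3376 comm="tor" name="tor.pid" dev="tmpfs" ino=911076 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 16 13:29:12 lain kernel: [ 3667.198112] type=1400 audit(1345116552.287:2891): avc: denied { setattr } for pid=3485 comm="rc" name="tor" dev="tmpfs" ino=263650 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tor_var_run_t tclass=dir
"""

# Constructed from the `ls -lZ` output in the report: (path, observed type).
OBSERVED = [
    ("/run/tor", "initrc_var_run_t"),
    ("/run/tor/tor.pid", "initrc_var_run_t"),
]

# Assumed file_contexts fragment: a generic /var/run entry plus the one the report proposes.
FILE_CONTEXTS = [
    (r"/var/run(/.*)?", "var_run_t"),
    (r"/var/run/tor(/.*)?", "tor_var_run_t"),
]
# Assumed substitution, in the spirit of file_contexts.subs_dist: /run is looked up as /var/run.
PATH_SUBS = [("/run", "/var/run")]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permission list, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields


def type_of(ctx):
    # user:role:type[:range] -> type
    return ctx.split(":")[2]


def summarize(text):
    """Aggregate denials into (source type, target type, class) -> sorted perms."""
    rules = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d is not None:
            rules[(type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])].update(d["perms"])
    return {k: sorted(v) for k, v in rules.items()}


def allow_rules(text):
    """audit2allow-style output, one allow rule per (source, target, class)."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(summarize(text).items())]


def canonical(path):
    for src, dst in PATH_SUBS:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def expected_type(path):
    """Type of the most specific matching entry (longest literal prefix), as setfiles picks it."""
    best = None
    for regex, ftype in FILE_CONTEXTS:
        if re.fullmatch(regex, canonical(path)):
            stem = re.split(r"[.*?+^$|\[\](){}\\]", regex, maxsplit=1)[0]
            if best is None or len(stem) > best[0]:
                best = (len(stem), ftype)
    return best[1] if best else None


def mislabeled(observed):
    """(path, observed type, expected type) for every entry restorecon would change."""
    return [(p, seen, expected_type(p)) for p, seen in observed
            if expected_type(p) is not None and expected_type(p) != seen]


def triage(text, observed):
    """Heuristic split: denials whose target type is a wrong label go away with a relabel;
    the rest need a policy change. A type can be legitimate elsewhere, so review the result."""
    wrong = {seen for _, seen, _ in mislabeled(observed)}
    relabel, policy = [], []
    for (s, t, c), p in sorted(summarize(text).items()):
        (relabel if t in wrong else policy).append("allow %s %s:%s { %s };" % (s, t, c, " ".join(p)))
    return relabel, policy


if __name__ == "__main__":
    for p, seen, want in mislabeled(OBSERVED):
        print("relabel %s: %s -> %s" % (p, seen, want))
    fixed_by_relabel, needs_policy = triage(SAMPLE_AUDIT, OBSERVED)
    print("cured by restorecon:", *fixed_by_relabel, sep="\n  ")
    print("needs a policy change:", *needs_policy, sep="\n  ")
```

On the report's labels this flags both /run/tor and /run/tor/tor.pid for relabeling and leaves exactly one rule in the "needs a policy change" bucket, the initrc_t setattr on tor_var_run_t:dir that checkpath triggers. Feeding the tor_t denials straight into audit2allow instead would grant tor_t access to initrc_var_run_t, which is the wrong fix: it papers over a mislabeled directory and widens tor_t's reach into every initrc-created run directory.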
setattr on the dirs will be supported from rev4 onwards (also needed for postfix, so I'll grant that globally to initrc_t whenever initrc_t is allowed to create the run directory too). I also noticed that tor (tor_t) wants to create a directory in /var/lib/tor, but for some reason labelling that directory fails during the installation (it does work if I relabel manually later through "rlpkg tor" or "restorecon -Rv /var/lib").
rev4 is in hardened-dev overlay
In main tree, ~arch'ed (rev 5)
stabilized