A feature tor has is the ability to serve html out of its' directory port so folks who want to know what's going on with this spewy machine can see that it is an exit node. So, you'd add this to the tor config: DirPortFrontPage /var/www/tor_static Or something like that. One could make the argument that I could just shove it in /var/lib/tor and be done with it. But what if I want to serve the same notification on the default vhost on the machine? Rather than setup a complicated interface or do other silly games, the most reasonable solution I can imagine would be to simply make a boolean tunable that lets tor access httpd_sys_content_t if necessary. This tunable is off by default so that it does not impact the attack surface of a standard installation, but is there for folks who want to be able to do this.
Created attachment 389476 [details, diff] boolean patch This by the way is setup so that the boolean is an optional policy that won't be available unless the apache module is.
I am really unclear why it took this long for it to deny a httpd content directory search. One more necessary piece, apply after the first patch. diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te index a9d4d6f..b028c16 100644 --- a/policy/modules/contrib/tor.te +++ b/policy/modules/contrib/tor.te @@ -125,6 +125,8 @@ tunable_policy(`tor_bind_all_unreserved_ports',` optional_policy(` tunable_policy(`tor_serve_http_content',` apache_read_sys_content(tor_t) + apache_search_sys_content(tor_t) + apache_list_sys_content(tor_t) ') ') Churns happily along in enforcing in 2.3 userspace. Additionally, I'll probably write up another bug report to tighten down the tor network macros as there's a fair bit of extras in there that should not be there. Eg, udp.
I see this as customization... the feedback I find on tor is that most users put the exit notice file in /etc/tor somewhere. I'd rather keep the policy as-is then.
