Created attachment 388300: Proposed fix for tmpfs permission issue.

This avc entry likes to pop up when you start tor:

Nov 1 18:31:03 testbed kernel: [188642.355305] audit: type=1400 audit(1414884663.569:47241): avc: denied { search } for pid=2978 comm="tor" name="/" dev="tmpfs" ino=4143 ipaddr=REDACTED scontext=system_u:system_r:tor_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1

This permission is necessary because of the pid file in /run/tor. Though I am assuming I am understanding how the directory scan permissions are working out, as /run is tmpfs. Fixing this is pretty easy. Patch for current reference policy is attached.

Note: The git hosting of the Gentoo SELinux reference policy does not currently work. Can we please get it rehosted, thrown on GitHub, or something?
/run shouldn't be tmpfs_t but var_run_t. Do you have the following in your /etc/fstab?

tmpfs /run tmpfs auto,mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0 0 0

See also https://wiki.gentoo.org/wiki/SELinux/Installation#Setting_file_system_contexts
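As an added example (not part of this bug thread, and not Gentoo's own tooling), here is a small POSIX shell script that checks the two things the comment above turns on: whether an AVC denial points at the root directory of a tmpfs that still carries the generic tmpfs_t type, and whether an fstab file's /run entry carries the rootcontext= option shown above. The AVC line and both fstab entries are constructed samples modelled on this report, and the function names are mine.

```shell
#!/bin/sh
# Added example: POSIX shell checks for the /run labelling issue discussed in
# this bug. Not part of the bug report or of Gentoo's SELinux tooling.

# Constructed sample AVC line, modelled on the one in the report.
AVC_SAMPLE='Nov 1 18:31:03 testbed kernel: [188642.355305] audit: type=1400 audit(1414884663.569:47241): avc: denied { search } for pid=2978 comm="tor" name="/" dev="tmpfs" ino=4143 scontext=system_u:system_r:tor_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1'

# Constructed fstab contents: one with the rootcontext= option from the
# comment above, one without it (the setting that leaves /run as tmpfs_t).
FSTAB_GOOD='# <fs> <mountpoint> <type> <opts> <dump> <pass>
/dev/sda2 / ext4 noatime 0 1
tmpfs /run tmpfs auto,mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0 0 0'
FSTAB_BAD='/dev/sda2 / ext4 noatime 0 1
tmpfs /run tmpfs auto,mode=0755,nosuid,nodev 0 0'

# avc_field LINE KEY: print the value of the KEY=value token in an AVC line,
# with surrounding double quotes stripped (name="/" becomes /).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_target_type LINE: the SELinux type of the target object (e.g. tmpfs_t),
# taken from the last colon-separated field of tcontext.
avc_target_type() {
    ctx=$(avc_field "$1" tcontext)
    printf '%s\n' "${ctx##*:}"
}

# avc_unlabelled_tmpfs_root LINE: succeed when the denied object is the root
# directory of a tmpfs that still carries the generic tmpfs_t type, i.e. the
# filesystem was most likely mounted without a rootcontext= option.
avc_unlabelled_tmpfs_root() {
    [ "$(avc_field "$1" dev)" = tmpfs ] &&
    [ "$(avc_field "$1" name)" = / ] &&
    [ "$(avc_target_type "$1")" = tmpfs_t ]
}

# fstab_run_labelled: read fstab text on stdin and succeed only if the /run
# tmpfs entry (comment lines skipped) requests the var_run_t root context.
fstab_run_labelled() {
    awk '$1 !~ /^#/ && $2 == "/run" && $3 == "tmpfs" &&
         $4 ~ /rootcontext=system_u:object_r:var_run_t/ { found = 1 }
         END { exit !found }'
}

# report_fstab NAME CONTENT: human-readable verdict for one fstab sample.
report_fstab() {
    if printf '%s\n' "$2" | fstab_run_labelled; then
        echo "fstab $1: /run will be labelled var_run_t"
    else
        echo "fstab $1: /run lacks rootcontext=...var_run_t and will come up as tmpfs_t"
    fi
}

# Stand-alone run: report what the sample line and fstab entries show.
if avc_unlabelled_tmpfs_root "$AVC_SAMPLE"; then
    echo "AVC: $(avc_field "$AVC_SAMPLE" comm) denied on the root of a tmpfs labelled tmpfs_t; check the rootcontext= mount option"
fi
report_fstab GOOD "$FSTAB_GOOD"
report_fstab BAD "$FSTAB_BAD"
```

On a real system the same `fstab_run_labelled` check can be fed `/etc/fstab` directly (`fstab_run_labelled < /etc/fstab`), and `avc_field` works on lines pulled from `dmesg` or the audit log; a denial whose target is the root of a tmpfs with type tmpfs_t is the signature of a missing rootcontext= rather than a policy gap.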
OK, user error on that one. I honestly didn't even think of mounting /run specifically, due to how it is populated and managed by the init system. Somehow I breezed by that step. Not sure how I missed that, and doubly not sure how an otherwise fully-functioning system only triggered there and not on any other service. A one-off I'll treat as a bug, but 50 instances of the same thing is user error :p Marking as RESOLVED :p