Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 529442 - Let tor serve http content
Summary: Let tor serve http content
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
: Normal enhancement
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-16 10:02 UTC by Eric Gisse
Modified: 2015-01-03 12:15 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
boolean patch (tor.patch,791 bytes, patch)
2014-11-16 10:03 UTC, Eric Gisse
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Eric Gisse 2014-11-16 10:02:12 UTC
A feature tor has is the ability to serve html out of its' directory port so folks who want to know what's going on with this spewy machine can see that it is an exit node.

So, you'd add this to the tor config:

DirPortFrontPage /var/www/tor_static

Or something like that.

One could make the argument that I could just shove it in /var/lib/tor and be done with it. But what if I want to serve the same notification on the default vhost on the machine? 

Rather than setup a complicated interface or do other silly games, the most reasonable solution I can imagine would be to simply make a boolean tunable that lets tor access httpd_sys_content_t if necessary. 

This tunable is off by default so that it does not impact the attack surface of a standard installation, but is there for folks who want to be able to do this.
Comment 1 Eric Gisse 2014-11-16 10:03:31 UTC
Created attachment 389476 [details, diff]
boolean patch

This by the way is setup so that the boolean is an optional policy that won't be available unless the apache module is.
Comment 2 Eric Gisse 2014-11-19 11:55:10 UTC
I am really unclear why it took this long for it to deny a httpd content directory search.

One more necessary piece, apply after the first patch.

diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index a9d4d6f..b028c16 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -125,6 +125,8 @@ tunable_policy(`tor_bind_all_unreserved_ports',`
 optional_policy(`
        tunable_policy(`tor_serve_http_content',`
                apache_read_sys_content(tor_t)
+               apache_search_sys_content(tor_t)
+               apache_list_sys_content(tor_t)
        ')
 ')

Churns happily along in enforcing in 2.3 userspace.

Additionally, I'll probably write up another bug report to tighten down the tor network macros as there's a fair bit of extras in there that should not be there. Eg, udp.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-12-21 11:14:00 UTC
I see this as customization... the feedback I find on tor is that most users put the exit notice file in /etc/tor somewhere. I'd rather keep the policy as-is then.