I'm experimenting with tor hidden services and got it to work nicely on my CentOS 7, with tor from EPEL. That is, until I rebooted the machine. Then SELinux kicked in, and in the logs there's:
[warn] Directory /var/lib/tor/hidden_service/ cannot be read: Permission denied
The permissions are:
drwx------. 2 toranon toranon 4096 Jan 28 23:39 hidden_service
And SELinux gives the following:
SELinux is preventing /usr/bin/tor from using the dac_override capability.
***** Plugin dac_override (91.4 confidence) suggests **********************
If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system Then turn on full auditing to get path information about the offending file and generate the error again. Do
Turn on full auditing # auditctl -w /etc/shadow -p w Try to recreate AVC. Then execute # ausearch -m avc -ts recent If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla.
***** Plugin catchall (9.59 confidence) suggests **************************
If you believe that tor should have the dac_override capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'tor' --raw | audit2allow -M my-tor # semodule -i my-tor.pp
Additional Information:
Source Context                system_u:system_r:tor_t:s0
Target Context                system_u:system_r:tor_t:s0
Target Objects                Unknown [ capability ]
Source                        tor
Source Path                   /usr/bin/tor
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           tor-0.2.8.12-1.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host
Platform                      Linux host 3.10.0-514.6.1.el7.x86_64 #1 SMP Wed Jan 18 13:06:36 UTC 2017 x86_64 x86_64
Alert Count                   5
First Seen                    2017-01-29 22:42:46 EST
Last Seen                     2017-01-29 22:42:51 EST
Local ID                      51ceb58e-19cf-4f8f-ab1e-fe48265aaf1d

Raw Audit Messages
type=AVC msg=audit(1485747771.709:106): avc: denied { dac_override } for pid=2253 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
type=AVC msg=audit(1485747771.709:106): avc: denied { dac_read_search } for pid=2253 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
type=SYSCALL msg=audit(1485747771.709:106): arch=x86_64 syscall=open success=no exit=EACCES a0=7fcd2c12fe90 a1=20000 a2=0 a3=1 items=0 ppid=1 pid=2253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=tor exe=/usr/bin/tor subj=system_u:system_r:tor_t:s0 key=(null)
Hash: tor,tor_t,tor_t,capability,dac_override
As I don't know what dac_override is, I don't know if it's a good idea to give it to tor, and the confidence seems quite low.
Cheers, Mark
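Added example (not part of the post above): a small Python triage helper that correlates the AVC and SYSCALL records of one audit event, as quoted in the question, and flags the pattern behind a dac_override/dac_read_search denial: the process is running as uid 0 and hit an owner/mode (DAC) check on a file it does not own, which points at a file-ownership or privilege-drop problem rather than a policy gap to be allowed. The sample records are copied from the post; the regexes and field names are this example's own assumptions about the audit line format.

```python
import re
from collections import defaultdict

# Constructed sample input: the raw audit records quoted in the post above.
AUDIT_LINES = [
    'type=AVC msg=audit(1485747771.709:106): avc: denied { dac_override } for pid=2253 comm="tor" '
    'capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability',
    'type=AVC msg=audit(1485747771.709:106): avc: denied { dac_read_search } for pid=2253 comm="tor" '
    'capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability',
    'type=SYSCALL msg=audit(1485747771.709:106): arch=x86_64 syscall=open success=no exit=EACCES '
    'a0=7fcd2c12fe90 a1=20000 a2=0 a3=1 items=0 ppid=1 pid=2253 auid=4294967295 uid=0 gid=0 euid=0 '
    'suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=tor exe=/usr/bin/tor '
    'subj=system_u:system_r:tor_t:s0 key=(null)',
]

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
DENIED_RE = re.compile(r'denied \{ ([\w ]+) \}')        # the permission set inside an AVC record

def parse_record(line):
    """Split one audit record into its type, event serial and key=value fields."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
    denied = DENIED_RE.search(m.group('body'))
    if denied:
        fields['denied'] = denied.group(1).split()
    return {'type': m.group('type'), 'serial': int(m.group('serial')), 'fields': fields}

def triage_dac_denials(lines):
    """Group records by event serial and report every event that contains a
    dac_* capability denial, together with the uid and syscall from its SYSCALL record."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec['serial']].append(rec)
    findings = []
    for serial, recs in sorted(events.items()):
        perms = [p for r in recs if r['type'] == 'AVC' and r['fields'].get('tclass') == 'capability'
                 for p in r['fields'].get('denied', [])]
        dac = sorted(p for p in perms if p.startswith('dac_'))
        if not dac:
            continue
        sc = next((r['fields'] for r in recs if r['type'] == 'SYSCALL'), {})
        findings.append({
            'serial': serial, 'comm': sc.get('comm') or recs[0]['fields'].get('comm'),
            'uid': int(sc['uid']) if 'uid' in sc else None,
            'syscall': sc.get('syscall'), 'exit': sc.get('exit'), 'capabilities': dac,
            # uid 0 needing dac_* means root tried to bypass DAC on a file it does not own:
            # check ownership or the privilege drop instead of granting the capability.
            'root_hitting_dac_check': sc.get('uid') == '0',
        })
    return findings
```

Running it over the quoted records yields one finding for event 106: tor, uid 0, open() failing with EACCES, denied dac_override and dac_read_search.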