I've just encountered a problem starting tor. When I do 'systemctl start tor' it fails and I get selinux errors in the log. There was a suggestion to do full auditing with 'auditctl -w /etc/shadow -p w'. Which I did and it gave the following
type=PROCTITLE msg=audit(1539540150.692:60570): proctitle=2F7573722F62696E2F746F72002D2D72756E61736461656D6F6E0030002D2D64656661756C74732D746F727263002F7573722F73686172652F746F722F64656661756C74732D746F727263002D66002F6574632F746F722F746F727263002D2D7665726966792D636F6E666967
type=PATH msg=audit(1539540150.692:60570): item=0 name="/var/lib/tor/hidden_service/" inode=201616393 dev=fd:02 mode=040700 ouid=494 ogid=490 rdev=00:00 obj=system_u:object_r:tor_var_lib_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1539540150.692:60570): cwd="/"
type=SYSCALL msg=audit(1539540150.692:60570): arch=c000003e syscall=2 success=no exit=-13 a0=562d3767da80 a1=20000 a2=0 a3=1 items=1 ppid=1 pid=18283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tor" exe="/usr/bin/tor" subj=system_u:system_r:tor_t:s0 key=(null)
type=AVC msg=audit(1539540150.692:60570): avc: denied { dac_read_search } for pid=18283 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
type=AVC msg=audit(1539540150.692:60570): avc: denied { dac_override } for pid=18283 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
So I had a look at the permissions for /var/lib/tor/hidden_service/ and they were
drwx------. toranon toranon system_u:object_r:tor_var_lib_t:s0 hidden_service
Could somebody help me out here? I have no idea what to make of this. I know that tor was working for me at least a month ago. I got tor from this package: tor-0.2.9.16-1.el7.x86_64
Cheers Robin
On Sun, 2018-10-14 at 20:13 +0200, Robin Lee wrote:
I've just encountered a problem starting tor. When I do 'systemctl start tor' it fails and I get selinux errors in the log.
I explored this a bit further. I moved away the /var/lib/tor/hidden_service directory. Then I started tor and now it came up fine. It also recreated the /var/lib/tor/hidden_service directory as torrc hadn't changed. But then I tried to restart it. Now it failed, with the same selinux errors.
It definitely seems to be a bug of some sort. Not sure if it is with selinux or tor though. And I know it worked a while back.
Cheers Robin
On Sun, 2018-10-14 at 20:13 +0200, Robin Lee wrote:
I've just encountered a problem starting tor. When I do 'systemctl start tor' it fails and I get selinux errors in the log. There was a suggestion to do full auditing with 'auditctl -w /etc/shadow -p w'. Which I did and it gave the following
type=PROCTITLE msg=audit(1539540150.692:60570): proctitle=2F7573722F62696E2F746F72002D2D72756E61736461656D6F6E0030002D2D64656661756C74732D746F727263002F7573722F73686172652F746F722F64656661756C74732D746F727263002D66002F6574632F746F722F746F727263002D2D7665726966792D636F6E666967
type=PATH msg=audit(1539540150.692:60570): item=0 name="/var/lib/tor/hidden_service/" inode=201616393 dev=fd:02 mode=040700 ouid=494 ogid=490 rdev=00:00 obj=system_u:object_r:tor_var_lib_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1539540150.692:60570): cwd="/"
type=SYSCALL msg=audit(1539540150.692:60570): arch=c000003e syscall=2 success=no exit=-13 a0=562d3767da80 a1=20000 a2=0 a3=1 items=1 ppid=1 pid=18283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tor" exe="/usr/bin/tor" subj=system_u:system_r:tor_t:s0 key=(null)
type=AVC msg=audit(1539540150.692:60570): avc: denied { dac_read_search } for pid=18283 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
type=AVC msg=audit(1539540150.692:60570): avc: denied { dac_override } for pid=18283 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
So I had a look at the permissions for /var/lib/tor/hidden_service/ and they were
drwx------. toranon toranon system_u:object_r:tor_var_lib_t:s0 hidden_service
Still trying to figure out this selinux issue :(
Perhaps somebody could point me to the best mailing list/forum/tracker for this kind of issue?
Cheers Robin
On 10/23/18 2:49 PM, Robin Lee wrote:
On Sun, 2018-10-14 at 20:13 +0200, Robin Lee wrote:
I've just encountered a problem starting tor. When I do 'systemctl start tor' it fails and I get selinux errors in the log. There was a suggestion to do full auditing with 'auditctl -w /etc/shadow -p w'. Which I did and it gave the following
type=PROCTITLE msg=audit(1539540150.692:60570): proctitle=2F7573722F62696E2F746F72002D2D72756E61736461656D6F6E0030002D2D64656661756C74732D746F727263002F7573722F73686172652F746F722F64656661756C74732D746F727263002D66002F6574632F746F722F746F727263002D2D7665726966792D636F6E666967
type=PATH msg=audit(1539540150.692:60570): item=0 name="/var/lib/tor/hidden_service/" inode=201616393 dev=fd:02 mode=040700 ouid=494 ogid=490 rdev=00:00 obj=system_u:object_r:tor_var_lib_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1539540150.692:60570): cwd="/"
type=SYSCALL msg=audit(1539540150.692:60570): arch=c000003e syscall=2 success=no exit=-13 a0=562d3767da80 a1=20000 a2=0 a3=1 items=1 ppid=1 pid=18283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tor" exe="/usr/bin/tor" subj=system_u:system_r:tor_t:s0 key=(null)
type=AVC msg=audit(1539540150.692:60570): avc: denied { dac_read_search } for pid=18283 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
type=AVC msg=audit(1539540150.692:60570): avc: denied { dac_override } for pid=18283 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
So I had a look at the permissions for /var/lib/tor/hidden_service/ and they were
drwx------. toranon toranon system_u:object_r:tor_var_lib_t:s0 hidden_service
Still trying to figure out this selinux issue :(
Perhaps somebody could point me to the best mailing list/forum/tracker for this kind of issue?
Most likely this is tor running as root and trying to access this file.
Cheers Robin
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On Tue, 2018-10-23 at 14:54 -0400, Daniel Walsh wrote:
Most likely this is tor running as root and trying to access this file.
I'm trying to start tor using 'systemctl start tor' and I haven't touched any systemd file.
What I get in the logs when I try to start is
polkitd[1097]: Registered Authentication Agent for unix-process:18981:211495106 (system bus name :1.27348 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
systemd[1]: Starting Anonymizing overlay network for TCP...
tor[18988]: Oct 23 20:26:10.746 [notice] Tor 0.2.9.16 (git-645ef2e2854b2225) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2k-fips and Zlib 1.2.7.
tor[18988]: Oct 23 20:26:10.746 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
tor[18988]: Oct 23 20:26:10.746 [notice] Read configuration file "/usr/share/tor/defaults-torrc".
tor[18988]: Oct 23 20:26:10.746 [notice] Read configuration file "/etc/tor/torrc".
tor[18988]: Oct 23 20:26:10.752 [warn] Directory /var/lib/tor/hidden_service/ cannot be read: Permission denied
tor[18988]: Oct 23 20:26:10.752 [warn] Checking service directory /var/lib/tor/hidden_service/ failed.
tor[18988]: Oct 23 20:26:10.752 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
tor[18988]: Oct 23 20:26:10.752 [err] Reading config failed--see warnings above.
systemd[1]: tor.service: control process exited, code=exited status=1
systemd[1]: Failed to start Anonymizing overlay network for TCP.
How can I check which user it is trying to start as?
Cheers Robin
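Added example, not from this thread and not code from the tor or SELinux projects: a Python script that does by hand what Daniel's one-line diagnosis does in his head. It groups auditd records by event serial, decodes the hex-encoded PROCTITLE back into argv, and correlates the SYSCALL record's euid with the PATH record's ouid and mode. A root process only needs CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH when the plain Unix permission check would refuse it (it is not the owner and the 'other' bits grant nothing), and a confined SELinux domain such as tor_t additionally has to be allowed those capabilities, which is why the denials appear as tclass=capability with EACCES. The sample records are constructed from the ones posted above (the field layout is auditd's, the values are copied from the thread); the pattern names and diagnostic wording are mine.

```python
"""Correlate a SELinux capability AVC denial with the SYSCALL, PATH and
PROCTITLE records of the same audit event: who was the process running as,
and why did it need CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH?"""
import re
from typing import Dict, List

# Constructed sample: one audit event (serial 60570) modelled on the records
# posted in the thread.  Field layout is auditd's; not a live capture.
SAMPLE_AUDIT_LOG = """\
type=PROCTITLE msg=audit(1539540150.692:60570): proctitle=2F7573722F62696E2F746F72002D2D72756E61736461656D6F6E0030002D2D64656661756C74732D746F727263002F7573722F73686172652F746F722F64656661756C74732D746F727263002D66002F6574632F746F722F746F727263002D2D7665726966792D636F6E666967
type=PATH msg=audit(1539540150.692:60570): item=0 name="/var/lib/tor/hidden_service/" inode=201616393 dev=fd:02 mode=040700 ouid=494 ogid=490 rdev=00:00 obj=system_u:object_r:tor_var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1539540150.692:60570): cwd="/"
type=SYSCALL msg=audit(1539540150.692:60570): arch=c000003e syscall=2 success=no exit=-13 a0=562d3767da80 a1=20000 a2=0 a3=1 items=1 ppid=1 pid=18283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tor" exe="/usr/bin/tor" subj=system_u:system_r:tor_t:s0 key=(null)
type=AVC msg=audit(1539540150.692:60570): avc: denied { dac_read_search } for pid=18283 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
type=AVC msg=audit(1539540150.692:60570): avc: denied { dac_override } for pid=18283 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
"""

EVENT_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r"denied\s+\{([^}]*)\}")
DAC_CAPS = {"dac_override", "dac_read_search"}


def parse_audit_log(text: str) -> Dict[str, List[dict]]:
    """Group raw auditd records by event serial.  Each record becomes a dict
    of its key=value fields plus, for AVC records, the denied permissions."""
    events: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        d = DENIED_RE.search(line)
        if d:
            rec["denied"] = d.group(1).split()
        events.setdefault(m.group(1), []).append(rec)
    return events


def decode_proctitle(hex_title: str) -> List[str]:
    """auditd hex-encodes proctitle because argv entries are NUL-separated;
    decoding and splitting on NUL gives the command line back."""
    raw = bytes.fromhex(hex_title)
    return [p.decode("utf-8", "replace") for p in raw.split(b"\x00") if p]


def explain_event(records: List[dict]) -> dict:
    """Join one event's records and classify a DAC-capability denial."""
    by_type: Dict[str, List[dict]] = {}
    for rec in records:
        by_type.setdefault(rec.get("type", "?"), []).append(rec)
    syscall = by_type.get("SYSCALL", [{}])[0]
    path = by_type.get("PATH", [{}])[0]
    title = by_type.get("PROCTITLE", [{}])[0]
    denied = sorted({p for avc in by_type.get("AVC", [])
                     if avc.get("tclass") == "capability"
                     for p in avc.get("denied", [])})

    euid = int(syscall.get("euid", -1))
    ouid = int(path.get("ouid", -1))
    perm_bits = int(path.get("mode", "0"), 8) & 0o7777   # strip S_IFDIR etc.
    argv = decode_proctitle(title["proctitle"]) if "proctitle" in title else []

    result = {
        "cmdline": argv,
        "verify_config_run": "--verify-config" in argv,
        "euid": euid,
        "scontext": syscall.get("subj"),
        "path": path.get("name"),
        "owner_uid": ouid,
        "mode": oct(perm_bits),
        "denied_capabilities": denied,
    }
    if not DAC_CAPS & set(denied):
        result["pattern"] = "no_dac_denial"
        result["diagnosis"] = "no dac_override/dac_read_search denial in this event"
    # Root needs CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH only when the Unix
    # check alone would refuse: not the owner, and the 'other' bits are 0.
    # SELinux must also allow the capability to the domain; tor_t is not.
    elif euid == 0 and ouid > 0 and (perm_bits & 0o007) == 0:
        result["pattern"] = "root_vs_service_owner"
        result["diagnosis"] = (
            f"{argv[0] if argv else syscall.get('exe')} ran with euid=0 in "
            f"{syscall.get('subj')} and opened {path.get('name')}, owned by uid "
            f"{ouid} with mode {oct(perm_bits)}; root needs {'/'.join(denied)} "
            f"for that and the policy does not grant it. Run the process as uid "
            f"{ouid} (or chown the path to the uid that runs it) rather than "
            f"adding the capability to the policy."
        )
    else:
        result["pattern"] = "dac_denied_other"
        result["diagnosis"] = ("DAC capability denied but owner/mode do not "
                               "explain it; inspect the PATH and SYSCALL records")
    return result


def diagnose_log(text: str) -> Dict[str, dict]:
    """Explain every event in an audit log excerpt, keyed by event serial."""
    return {s: explain_event(r) for s, r in parse_audit_log(text).items()}


if __name__ == "__main__":
    for serial, info in diagnose_log(SAMPLE_AUDIT_LOG).items():
        print(serial, info["pattern"], " ".join(info["cmdline"]))
        print("  ", info["diagnosis"])
```

On the sample above the script reports euid=0 against owner uid 494 (toranon) on a 0700 directory, with the decoded command line ending in `--verify-config`, which answers the "which user is it trying to start as" question from the SYSCALL record itself rather than from guesswork. On a live system `ausearch -i -a 60570` prints the same event with uid and proctitle already interpreted, and `systemctl cat tor.service` shows the loaded unit's ExecStartPre/ExecStart lines and whether a `User=` directive applies to them.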