[CentOS] tor and selinux

Sun Jan 29 19:59:20 UTC 2017
Mark <mark2015 at openmailbox.org>

I'm experimenting with tor hidden services and got it to work nicely on
my CentOS 7, with tor from EPEL. That is, until I booted the machine.
Then SELinux kicked in and in the logs there's

[warn] Directory /var/lib/tor/hidden_service/ cannot be read:
Permission denied

The permissions are
drwx------.  2 toranon toranon    4096 Jan 28 23:39 hidden_service

And SELinux gives the following

SELinux is preventing /usr/bin/tor from using the dac_override

*****  Plugin dac_override (91.4 confidence)
suggests   **********************

If you want to help identify if domain needs this access or you have a
file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending
file and generate the error again.

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence)
suggests   **************************

If you believe that tor should have the dac_override capability by
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'tor' --raw | audit2allow -M my-tor
# semodule -i my-tor.pp

Additional Information:
Source Context                system_u:system_r:tor_t:s0
Target Context                system_u:system_r:tor_t:s0
Target Objects                Unknown [ capability ]
Source                        tor
Source Path                   /usr/bin/tor
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           tor-
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-102.el7_3.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host
Platform                      Linux host 3.10.0-514.6.1.el7.x86_64
                              #1 SMP Wed Jan 18 13:06:36 UTC 2017
x86_64 x86_64
Alert Count                   5
First Seen                    2017-01-29 22:42:46 EST
Last Seen                     2017-01-29 22:42:51 EST
Local ID                      51ceb58e-19cf-4f8f-ab1e-fe48265aaf1d

Raw Audit Messages
type=AVC msg=audit(1485747771.709:106): avc:  denied  { dac_override } for  pid=2253 comm="tor" capability=1  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability

type=AVC msg=audit(1485747771.709:106): avc:  denied  { dac_read_search } for  pid=2253 comm="tor" capability=2  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability

type=SYSCALL msg=audit(1485747771.709:106): arch=x86_64 syscall=open success=no exit=EACCES a0=7fcd2c12fe90 a1=20000 a2=0 a3=1 items=0 ppid=1 pid=2253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=tor exe=/usr/bin/tor subj=system_u:system_r:tor_t:s0 key=(null)

Hash: tor,tor_t,tor_t,capability,dac_override

As I don't know what dac_override is, I don't know if it's a good idea
to give it to tor, and the confidence seems quite low.
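Added example, not part of the original post or of the tor/setroubleshoot tooling: a small Python parser for raw audit records like the ones above (the three records from the post are re-joined onto single lines as a constructed sample). It groups AVC and SYSCALL records by their audit serial, the way ausearch does, and flags the case the dac_override plugin describes: a uid-0 process that needed CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH, which the kernel only consults after the file's owner/group/other mode bits have already denied access, so the thing to check is the path's ownership and mode rather than the policy.

```python
import re

# Constructed sample: the three records from the post, re-joined onto single lines.
SAMPLE = (
    'type=AVC msg=audit(1485747771.709:106): avc:  denied  { dac_override } for  pid=2253 '
    'comm="tor" capability=1  scontext=system_u:system_r:tor_t:s0 '
    'tcontext=system_u:system_r:tor_t:s0 tclass=capability\n'
    'type=AVC msg=audit(1485747771.709:106): avc:  denied  { dac_read_search } for  pid=2253 '
    'comm="tor" capability=2  scontext=system_u:system_r:tor_t:s0 '
    'tcontext=system_u:system_r:tor_t:s0 tclass=capability\n'
    'type=SYSCALL msg=audit(1485747771.709:106): arch=x86_64 syscall=open success=no '
    'exit=EACCES a0=7fcd2c12fe90 a1=20000 a2=0 a3=1 items=0 ppid=1 pid=2253 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) '
    'ses=4294967295 comm=tor exe=/usr/bin/tor subj=system_u:system_r:tor_t:s0 key=(null)\n'
)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')             # key=value or key="quoted value"
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')  # serial tying the records of one event together
PERM_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')    # the { perm ... } set of an AVC record

# Capabilities the kernel checks only after the mode bits have already refused access.
DAC_CAPS = {'dac_override', 'dac_read_search'}

def parse_record(line):
    """Turn one audit record into a dict of its fields plus 'serial' and, for AVC, 'perms'."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec['serial'] = int(SERIAL_RE.search(line).group(1))
    m = PERM_RE.search(line)
    if m:
        rec['perms'] = m.group(1).split()
    return rec

def group_events(text):
    """Group records by serial so the AVC and SYSCALL lines of one event sit together."""
    events = {}
    for line in text.splitlines():
        if line.startswith('type='):
            rec = parse_record(line)
            events.setdefault(rec['serial'], []).append(rec)
    return events

def diagnose(records):
    """Classify one event; 'root-dac-bypass' means uid 0 hit a path whose owner/mode bits exclude it."""
    denied = {p for r in records if r.get('tclass') == 'capability' for p in r.get('perms', [])}
    if not denied & DAC_CAPS:
        return 'other'
    sc = next((r for r in records if r['type'] == 'SYSCALL'), None)
    return 'root-dac-bypass' if sc and sc.get('uid') == '0' else 'dac-capability'

if __name__ == '__main__':
    for serial, recs in group_events(SAMPLE).items():
        sc = next(r for r in recs if r['type'] == 'SYSCALL')
        print(serial, recs[0]['comm'], sc['syscall'], sc['exit'], 'uid=' + sc['uid'], diagnose(recs))
```

Run against the output of `ausearch -m avc --raw` it reports, per event, the command, syscall, errno, uid and the verdict; for the post's records the verdict is root-dac-bypass, matching the plugin's advice to compare the process uid with the owner and mode of the hidden_service directory.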