[CentOS] tor and selinux

Sun Jan 29 23:53:48 UTC 2017
Gordon Messmer <gordon.messmer at gmail.com>

On 01/29/2017 11:59 AM, Mark wrote:
> As I don't know what dac_override is I don't know if it's a good idea
> to give it to tor and the confidence seems quite low.

dac_override indicates that you're running your process as root, and 
it's trying to do something on the filesystem which is not explicitly 
allowed by permissions.  DAC is the standard POSIX permission system, 
and the process is trying to override it.  DAC allows access to the 
toranon user and toranon group only, and the process is trying to 
override that access by way of root access.

I'd say that no, giving dac_override is not a good idea, but mostly 
because that implies that you'd continue running the process as root.  
You should be running the service as the "toranon" user instead, in 
which case it will not need dac_override.