Bug 454142 - SELinux is preventing the tor (tor_t) from binding to port 9051.
Summary: SELinux is preventing the tor (tor_t) from binding to port 9051.
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2008-07-05 10:08 UTC by John Chivall
Modified: 2008-11-17 22:05 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-11-17 22:05:01 UTC


Description John Chivall 2008-07-05 10:08:21 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061712 Fedora/3.0-1.fc9 Firefox/3.0

Description of problem:
From selinux troubleshooter:

SELinux has denied the tor from binding to a network port 9051 which does not have an SELinux type associated with it. If tor is supposed to be allowed to listen on this port, you can use the semanage command to add this port to a port type that tor_t can bind to. semanage port -l will list all port types.
Please file a bug report against the selinux-policy package. If tor is not supposed to bind to this port, this could signal an intrusion attempt. If this system is running as an NIS Client, turning on the allow_ypbind boolean may fix the problem: setsebool -P allow_ypbind=1.

Allowing Access
If you want to allow tor to bind to this port:
semanage port -a -t PORT_TYPE -p PROTOCOL 9051
where PORT_TYPE is a type that tor_t can bind and PROTOCOL is udp or tcp.
Additional Information
Source Context:  unconfined_u:system_r:tor_t:s0
Target Context:  system_u:object_r:port_t:s0
Target Objects:  None [ tcp_socket ]
Source:  tor
Source Path:  /usr/bin/tor
Port:  9051
Host:  localhost.localdomain
Source RPM Packages:  tor-core-
Target RPM Packages:  
Policy RPM:  selinux-policy-3.3.1-74.fc9
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  bind_ports
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain #1 SMP Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count:  2
First Seen:  Wed 02 Jul 2008 11:16:04 BST
Last Seen:  Sat 05 Jul 2008 10:32:59 BST
Local ID:  2e6109d9-09ac-4c35-a8bf-ac9a9bad565d
Line Numbers:  
Raw Audit Messages:
host=localhost.localdomain type=AVC msg=audit(1215250379.734:25): avc: denied { name_bind } for pid=2729 comm="tor" src=9051 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
host=localhost.localdomain type=SYSCALL msg=audit(1215250379.734:25): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf817180 a2=8 a3=9ed13b0 items=0 ppid=1 pid=2729 auid=500 uid=494 gid=489 euid=494 suid=494 fsuid=494 egid=489 sgid=489 fsgid=489 tty=(none) ses=1 comm="tor" exe="/usr/bin/tor" subj=unconfined_u:system_r:tor_t:s0 key=(null)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Edit /etc/tor/torrc to uncomment the line:
ControlPort 9051

2. (as root) service tor start

Actual Results:
Tor fails to start - cannot bind to control port
SELinux denial.

Starting tor as normal user works fine.

Expected Results:
Tor should be able to bind to TCP port 9051 to listen for control messages from a local control application like Vidalia or TorK

Additional info:
Fixed the problem by:
semanage port -a -t tor_port_t -p tcp 9051

But shouldn't this be in the default policy?
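The AVC record quoted in the report carries everything an administrator needs to decide between "relabel the port" and "this needs a closer look": the denied permission (name_bind), the object class (tcp_socket), the port number (src=), and the target type (port_t, meaning the port has no service-specific label). The following is an added example, not part of this bug report or of setroubleshoot, that parses such a record and reproduces the triage logic the troubleshooter text describes. The only domain-to-port-type pairing it knows is tor_t to tor_port_t, taken from the reporter's own fix; for any other domain it emits a PORT_TYPE placeholder rather than guessing.

```python
import re

# Constructed sample input: the AVC record quoted in the report above.
AVC_LINE = (
    'type=AVC msg=audit(1215250379.734:25): avc: denied { name_bind } for pid=2729 '
    'comm="tor" src=9051 scontext=unconfined_u:system_r:tor_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'
)

# Known source-domain -> port-type pairs. Only the tor entry comes from the
# report (the reporter's semanage fix); anything else is an assumption and
# should be taken from `semanage port -l` on the system being examined.
DOMAIN_PORT_TYPES = {
    'tor_t': 'tor_port_t',
}

_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC audit record into a dict of its fields.

    Returns None for lines that are not AVC records (for example the SYSCALL
    record that follows the AVC in raw audit output).
    """
    m = _AVC_RE.search(line)
    if not m:
        return None
    result, perms, rest = m.groups()
    rec = {'result': result, 'permissions': perms.split()}
    for key, val in _KV_RE.findall(rest):
        rec[key] = val.strip('"')
    # Contexts are user:role:type[:level]; the type is what policy rules match on.
    for ctx in ('scontext', 'tcontext'):
        parts = rec.get(ctx, '').split(':')
        rec[ctx + '_type'] = parts[2] if len(parts) > 2 else None
    return rec


def classify_port_denial(rec):
    """Classify a name_bind denial and say what an administrator should do.

    Returns a dict with 'kind' and, for unlabeled ports, the semanage command
    that labels the port for the denied domain.
    """
    if rec is None or rec['result'] != 'denied' or 'name_bind' not in rec['permissions']:
        return {'kind': 'not_a_bind_denial', 'command': None}
    proto = {'tcp_socket': 'tcp', 'udp_socket': 'udp'}.get(rec.get('tclass'))
    if proto is None:
        return {'kind': 'not_a_bind_denial', 'command': None}
    port = rec.get('src')
    domain = rec['scontext_type']
    target = rec['tcontext_type']
    if target == 'port_t':
        # Generic port_t: the port has no service-specific label, which is the
        # situation in this report. Labeling it is the fix, as the reporter did,
        # provided the service really is supposed to listen there.
        port_type = DOMAIN_PORT_TYPES.get(domain, 'PORT_TYPE')  # placeholder if unknown
        return {
            'kind': 'unlabeled_port',
            'command': 'semanage port -a -t %s -p %s %s' % (port_type, proto, port),
        }
    # Any other *_port_t means the port already belongs to another service.
    # Relabeling would take it away from that service, so this case is
    # flagged for review instead of producing a command.
    return {'kind': 'port_owned_by_other_type', 'command': None, 'owner': target}


def triage(lines):
    """Run every AVC line of raw audit output through parser and classifier."""
    return [classify_port_denial(parse_avc(line)) for line in lines if 'avc:' in line]


if __name__ == '__main__':
    for verdict in triage([AVC_LINE]):
        print(verdict)
```

Run against the report's record, the script returns the same command the reporter used, `semanage port -a -t tor_port_t -p tcp 9051`. A denial whose target is already some other service's port type (say a constructed record against http_port_t) is deliberately not turned into a command, since that is the case the troubleshooter text flags as worth a second look.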

Comment 1 Daniel Walsh 2008-08-01 15:21:59 UTC
Fixed in selinux-policy-3.3.1-83.fc9.noarch

Comment 2 Daniel Walsh 2008-11-17 22:05:01 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
