[tor-bugs] #31070 [Community/Relays]: Add information about SELinux boolean tor_can_network_relay
#31070: Add information about SELinux boolean tor_can_network_relay
-----------------------------------+----------------------------------
Reporter: crimson_king | Owner: Nusenu
Type: enhancement | Status: new
Priority: Medium | Component: Community/Relays
Version: | Severity: Normal
Keywords: selinux, capabilities | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------------------+----------------------------------
Back in 2012, a new boolean [https://github.com/fedora-selinux/selinux-policy-contrib/commit/e4095f3e2f067d41a07e4e28a8cdf97ff4426d8e was added]
to simplify the setup of a Tor Relay on systems running SELinux: the
''tor_can_network_relay''. This boolean, when enabled (it is disabled by
default), will automatically allow the Tor process to bind to the ports
used by the httpd server, including ports 80 and 443. Without this, the
tor service will fail to start using these ports.
This boolean is not well exposed, and I had to spend quite some time
learning to manage SELinux until I found out about it by chance. It makes
setting up a relay on CentOS/RHEL and other distros a lot easier.
It would be very convenient for users of this guide if we included, at the
very least, a note that makes them aware of this boolean on systems
running SELinux. It could be added to the
[https://trac.torproject.org/projects/tor/wiki/TorRelayGuide/CentOSRHEL CentOS/RHEL specific instructions]
page and perhaps within
[https://trac.torproject.org/projects/tor/wiki/TorRelayGuide#Makesurerelayportscanbereached Make sure relay ports can be reached].
The boolean can be enabled like this:
{{{
# setsebool -P tor_can_network_relay on
}}}
In addition to this, but not specifically related to Tor: the Tor
executable needs port binding capabilities, at least on CentOS/RHEL.
This can be set with a one-liner:
{{{
# setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/tor
}}}
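A pre-flight check for the two settings described above, written as an added example rather than anything from the ticket or the relay guide. It assumes getenforce, getsebool and getcap are installed (as on CentOS/RHEL) and that tor lives at /usr/bin/tor as in the ticket; the parsers are kept separate from the live commands so they can be exercised on constructed output.

```shell
#!/bin/sh
# Added example: verify that SELinux and file capabilities will let tor
# bind ports 80/443 before the service is started.

TOR_BIN=/usr/bin/tor   # assumption: same path as the setcap line above

# $1: a getsebool line such as "tor_can_network_relay --> on"; 0 if enabled
selinux_bool_enabled() {
  case "$1" in
    *"--> on"*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1: one line of getcap output; prints the flag letters attached to
# cap_net_bind_service. Handles "file = cap_x+eip" (older libcap) as well
# as "file cap_x=eip" and "file cap_a,cap_x=ep" (libcap 2.41 and later).
cap_bind_flags() {
  printf '%s\n' "$1" |
    sed -n 's/.*cap_net_bind_service[^+=]*[+=]\([a-z]*\).*/\1/p'
}

# 0 if cap_net_bind_service is both effective and permitted on the file
tor_has_bind_cap() {
  flags=$(cap_bind_flags "$1")
  case "$flags" in
    *e*p*|*p*e*) return 0 ;;
  esac
  return 1
}

# $1: getenforce output, $2: getsebool line, $3: getcap line.
# Returns 0 when nothing blocks binding to 80/443, 1 with a hint otherwise.
relay_prereq_report() {
  rc=0
  if [ "$1" = "Enforcing" ] && ! selinux_bool_enabled "$2"; then
    echo "SELinux enforcing and tor_can_network_relay is off: setsebool -P tor_can_network_relay on"
    rc=1
  fi
  if ! tor_has_bind_cap "$3"; then
    echo "$TOR_BIN lacks cap_net_bind_service: setcap CAP_NET_BIND_SERVICE=+eip $TOR_BIN"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "ok: tor may bind ports below 1024"; fi
  return "$rc"
}

# Live check, run only as: sh relay_check.sh --check
if [ "${1:-}" = "--check" ]; then
  relay_prereq_report "$(getenforce 2>/dev/null)" \
    "$(getsebool tor_can_network_relay 2>&1)" "$(getcap "$TOR_BIN" 2>&1)"
fi
```

With SELinux in permissive mode only the capability check can fail, which matches the ticket's note that the setcap step is independent of SELinux.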
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31070>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online