[tor-bugs] #18370 [Tor]: Apparmor prevents last tor build from starting

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Feb 23 15:32:51 UTC 2016


#18370: Apparmor prevents last tor build from starting
--------------------------+------------------------------------
 Reporter:  Ricky_Martin  |          Owner:
     Type:  defect        |         Status:  new
 Priority:  Medium        |      Milestone:  Tor: 0.2.8.x-final
Component:  Tor           |        Version:  Tor: 0.2.8.1-alpha
 Severity:  Normal        |     Resolution:
 Keywords:                |  Actual Points:
Parent ID:                |         Points:
  Sponsor:                |
--------------------------+------------------------------------

Comment (by Ricky_Martin):

 Replying to [comment:6 lunar]:
 > In `/etc/apparmor.d/system_tor`, change the following line:
 > {{{owner /var/lib/tor/** rwk,}}}
 > by:
 > {{{/var/lib/tor/** rwk,}}}
 > and the service should start.
 >
 > I think the changes related to `DataDirectory` handling make that it's
 > read before switching the user to `debian-tor`, hence AppArmor denied the
 > read.
 I tried it, but the issue remains after the AppArmor profile reload.

 Replying to [comment:5 weasel]:
 > Please answer all of the following questions (some of them nick asked
 > previously, and you didn't answer them then)
 >
 > * which OS
 > * which kernel
 > * on what kind of system (hw/vps/..)
 > * how are you starting tor
 > * what does "service tor status" say
 > * what does "service tor@default status" say
 > * Please argue your drive-by comment that claims
 > tor-service-defaults-torrc-instances "can be totally removed from package".
 The line provided above already includes the OS (trusty - Ubuntu 14.04) and
 possible kernels: since trusty supports only 3 kernel versions now but in
 contents of fast security support only two, LTS hw stack from wily and
 default trusty 3.13.x kernel. Forgive me my rudeness, but it's obvious that
 the problem is related to the current AppArmor profile and abstractions
 provided with the package.
 And the kernel version makes no sense at all here. But it's quite strange
 that the same binary wants extra permissions, but using the same starting
 options from tor-service-defaults-torrc, the init.d file remains the same
 too. And it makes no difference here at all whether tor is started using
 /etc/init.d/tor or using the 'service' command, since tor status will always
 be "not running" since AppArmor prevents tor from starting. And
 tor-service-defaults-torrc-instances is just a dump file now, since all
 logic is included in the tor-service-defaults-tor file.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18370#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
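
An added example, not part of the ticket or of Tor's packaging: one way to test the `owner` hypothesis quoted above is to read the kernel's AppArmor denial records and compare `fsuid` (the uid the process ran as) with `ouid` (the file's owner), since an `owner` rule only matches when the two are equal. The log lines are constructed, and the profile name `system_tor` and uid 106 for `debian-tor` are assumptions.

```python
import re

# Constructed sample audit lines (not from the ticket). Assumptions: the profile
# is named "system_tor" and debian-tor has uid 106.
SAMPLE_LOG = """\
audit: type=1400 audit(1456241571.101:41): apparmor="DENIED" operation="open" profile="system_tor" name="/var/lib/tor/" pid=2211 comm="tor" requested_mask="r" denied_mask="r" fsuid=0 ouid=106
audit: type=1400 audit(1456241571.102:42): apparmor="DENIED" operation="open" profile="system_tor" name="/etc/tor/extra.conf" pid=2211 comm="tor" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
audit: type=1400 audit(1456241571.103:43): apparmor="ALLOWED" operation="open" profile="system_tor" name="/var/lib/tor/state" pid=2211 comm="tor" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
audit: type=1400 audit(1456241571.104:44): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/lib/tor/lock" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=106
"""

# key="quoted value" or key=bare_value pairs as they appear in audit records
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Return the key/value pairs of one audit record as a dict."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV.findall(line)}


def tor_denials(log_text, profile="system_tor"):
    """List DENIED records for the given profile and flag owner mismatches."""
    findings = []
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        # An `owner` rule cannot match when the process uid differs from the
        # file's owner, e.g. tor still running as root (fsuid=0) at that point.
        mismatch = "fsuid" in f and "ouid" in f and f["fsuid"] != f["ouid"]
        findings.append({
            "path": f.get("name"),
            "mask": f.get("denied_mask"),
            "fsuid": f.get("fsuid"),
            "ouid": f.get("ouid"),
            "owner_mismatch": mismatch,
        })
    return findings


if __name__ == "__main__":
    for d in tor_denials(SAMPLE_LOG):
        reason = "owner rule cannot match" if d["owner_mismatch"] else "no rule covers this path"
        print(f'{d["path"]} ({d["mask"]}) fsuid={d["fsuid"]} ouid={d["ouid"]}: {reason}')
```

A denial with equal `fsuid` and `ouid` points at a path the profile does not cover at all, which is a different fix from dropping the `owner` qualifier.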

