[tor-bugs] #31070 [Community/Relays]: Add information about SELinux boolean tor_can_network_relay

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jul 3 03:21:38 UTC 2019


#31070: Add information about SELinux boolean tor_can_network_relay
-----------------------------------+----------------------------------
 Reporter:  crimson_king           |          Owner:  Nusenu
     Type:  enhancement            |         Status:  new
 Priority:  Medium                 |      Component:  Community/Relays
  Version:                         |       Severity:  Normal
 Keywords:  selinux, capabilities  |  Actual Points:
Parent ID:                         |         Points:
 Reviewer:                         |        Sponsor:
-----------------------------------+----------------------------------
 Back in 2012, a new boolean [https://github.com/fedora-selinux/selinux-
 policy-contrib/commit/e4095f3e2f067d41a07e4e28a8cdf97ff4426d8e was added]
 to simplify the setup of a Tor Relay on systems running SELinux: the
 ''tor_can_network_relay''. This boolean, when enabled (it is disabled by
 default), will automatically allow the Tor process to bind to the ports
 used by the httpd server, including ports 80 and 443. Without this, the
 tor service will fail to start using these ports.

 This boolean is not well exposed, and I had to spend quite some time
 learning to manage SELinux until I found out about it by chance. It makes
 setting up a relay on CentOS/RHEL and other distros a lot easier.

 It would be very convenient for users of this guide if we included, at the
 very least, a note that makes them aware of this boolean on systems
 running SELinux. It could be added to the
 [https://trac.torproject.org/projects/tor/wiki/TorRelayGuide/CentOSRHEL
 CentOS/RHEL specific instructions] page and perhaps within
 [https://trac.torproject.org/projects/tor/wiki/TorRelayGuide#Makesurerelayportscanbereached
 Make sure relay ports can be reached].

 The boolean can be enabled like this:

 {{{
 # setsebool -P tor_can_network_relay on
 }}}


 In addition to this, but not specifically related to Tor: the Tor
 executable needs port binding capabilities, at least on CentOS/RHEL.

 This can be set with a one-liner:

 {{{
 # setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/tor
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31070>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
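The two prerequisites the ticket describes (the SELinux boolean and the file capability on the tor binary) are easy to forget to verify after setup. The following pre-flight script is an added example, not part of the ticket or of the Tor relay guide: it parses the text that `getsebool tor_can_network_relay` and `getcap /usr/bin/tor` print and reports which of the ticket's two commands still needs to be run. The function names, the fallback sample lines and the assumption that both the old libcap output format (`= cap_net_bind_service+eip`) and the newer one (`cap_net_bind_service=eip`) may appear are mine; the remediation commands and the `/usr/bin/tor` path are taken from the ticket.

```shell
#!/bin/sh
# Added example (not from the ticket): pre-flight check for a Tor relay on an
# SELinux system. The functions parse the text that `getsebool` and `getcap`
# print, so they can also be exercised on constructed sample lines when those
# tools are not installed.

# Returns 0 when a `getsebool tor_can_network_relay` line reports "on".
# Expected input shape (assumed): "tor_can_network_relay --> on"
selinux_relay_bool_on() {
    line=$1
    case "$line" in
        "tor_can_network_relay --> on"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when a `getcap /usr/bin/tor` line grants cap_net_bind_service with
# both the effective (e) and permitted (p) bits set. Handles the older libcap
# format ("/usr/bin/tor = cap_net_bind_service+eip") and the newer one
# ("/usr/bin/tor cap_net_bind_service=eip"); an empty line (no file
# capabilities at all) yields 1.
tor_has_bind_cap() {
    flags=$(printf '%s\n' "$1" | sed -n 's/.*cap_net_bind_service[+=]\([eip]*\).*/\1/p')
    case "$flags" in
        *e*) ;;
        *) return 1 ;;
    esac
    case "$flags" in
        *p*) return 0 ;;
        *) return 1 ;;
    esac
}

# Builds the remediation list: one line per missing prerequisite, using the
# exact commands from the ticket. Prints nothing when both are satisfied.
relay_preflight_advice() {
    bool_line=$1
    cap_line=$2
    advice=""
    if ! selinux_relay_bool_on "$bool_line"; then
        advice="setsebool -P tor_can_network_relay on"
    fi
    if ! tor_has_bind_cap "$cap_line"; then
        advice="${advice:+$advice
}setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/tor"
    fi
    printf '%s' "$advice"
}

# Live mode: query the real tools when they exist. Otherwise fall back to
# constructed sample lines mimicking a fresh install (boolean off, no file
# capability on the binary) so the script still shows its output.
if command -v getsebool >/dev/null 2>&1 && command -v getcap >/dev/null 2>&1; then
    BOOL_LINE=$(getsebool tor_can_network_relay 2>/dev/null || :)
    CAP_LINE=$(getcap /usr/bin/tor 2>/dev/null || :)
else
    BOOL_LINE="tor_can_network_relay --> off"   # constructed sample
    CAP_LINE=""                                  # constructed: getcap prints nothing when no caps are set
fi
relay_preflight_advice "$BOOL_LINE" "$CAP_LINE"
echo
```

Run it as root on the relay host to get the live result; on any other machine it prints both remediation commands from the constructed sample. Checking for both the `e` and `p` bits matters because `+i` alone (inheritable only) does not let the binary bind a port below 1024.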

