Opened 13 months ago

Last modified 9 months ago

#31070 new enhancement

Add information about SELinux boolean tor_can_network_relay

Reported by: crimson_king Owned by:
Priority: Medium Milestone:
Component: Community/Relays Version:
Severity: Normal Keywords: selinux, capabilities
Cc: nusenu, ggus Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Back in 2012, a new boolean was added to simplify the setup of a Tor Relay on systems running SELinux: the tor_can_network_relay. This boolean, when enabled (it is disabled by default) will automatically allow the Tor process to bind to the ports used by the httpd server, including ports 80 and 443. Without this, the tor service will fail to start using these ports.

This boolean is not well exposed, and I had to spend quite some time learning to manage SELinux until I found out about it by chance. It makes setting up a relay on CentOS/RHEL and other distros a lot easier.

It would be very convenient for users of this guide if we included, at the very least, a note that makes them aware of this boolean on systems running SELinux. It could be added to the CentOS/RHEL specific instructions page and perhaps within Make sure relay ports can be reached.

The boolean can be enabled like this:

# setsebool -P tor_can_network_relay on

In addition to this, but not specifically related to Tor: the Tor executable needs port binding capabilities, at least on CentOS/RHEL.

This can be set with a one-liner:

# setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/tor

Child Tickets

Change History (4)

comment:1 Changed 13 months ago by crimson_king

In addition, for exit relays we often serve a page explaining what Tor is. In order for the Tor process to have read access to this file and be able to serve it, we must setup the SELinux context for such file.

This is how we do this. The flag -a means add. The flag -e copies the context from the torrc file and assigns it to the html file.

# semanage fcontext -a -e /etc/tor/torrc /etc/tor/tor-exit-notice.html

But in order for that to have any effect, restorecon needs to be executed on the html file. It will save the changes permanently.

# restorecon -v /etc/tor/tor-exit-notice.html

Then the Tor service needs to be restarted/reloaded.

comment:2 Changed 13 months ago by nusenu

thanks for your suggestion
but setting this SELinux boolean is not needed in the context of the CentOS guide because we specifically set the ORPort to 9001 that works out of the box and does not require any SELinux changes.

The relay guide aims to provide a simple setup which requires minimal effort and does not cover multiple different options.

With regards to the exit notice html file:
I would suggest to bring this to the attention of the maintainer of the EPEL tor package, so

  • the file is shipped by default
  • has the proper SELinux context

and then we can point to the file that works out of the box.

comment:3 Changed 9 months ago by nusenu

Owner: Nusenu deleted
Status: newassigned

comment:4 Changed 9 months ago by nusenu

Status: assignednew
Note: See TracTickets for help on using tickets.