Building a Tor Hidden Service From Scratch - SELinux
On a system with SELinux, upon attempting to start Tor, you may see errors similar to the following:

[root@localhost tor]# service tor start
Raising maximum number of filedescriptors (ulimit -n) to 16384.
Starting tor: Apr 02 15:53:14.041 [notice] Tor v0.2.5.11 (git-83abe94c0ad5e92b) running on Linux with Libevent 1.4.13-stable, OpenSSL 1.0.1e-fips and Zlib 1.2.3.
Apr 02 15:53:14.042 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Apr 02 15:53:14.042 [notice] Read configuration file "/etc/tor/tor-rpm-defaults-torrc".
Apr 02 15:53:14.042 [notice] Read configuration file "/etc/tor/torrc".
Apr 02 15:53:14.056 [notice] Opening Socks listener on 127.0.0.1:8080
Apr 02 15:53:14.057 [warn] Could not bind to 127.0.0.1:8080: Permission denied
Apr 02 15:53:14.058 [notice] Opening DNS listener on 127.0.0.1:54
Apr 02 15:53:14.060 [warn] Could not bind to 127.0.0.1:54: Permission denied
Apr 02 15:53:14.060 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040
Apr 02 15:53:14.062 [warn] Could not bind to 127.0.0.1:9040: Permission denied
Apr 02 15:53:14.062 [warn] Failed to parse/validate config: Failed to bind one of the listener ports.
Apr 02 15:53:14.062 [err] Reading config failed--see warnings above.
/usr/bin/torctl start: tor could not be started
The "Permission denied" on every bind is almost certainly the result of SELinux policy, which sestatus confirms is enforcing:

[root@localhost tor]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
SELinux has a dedicated Tor domain (tor_t), so rather than disabling SELinux completely, we'll just make that one domain permissive (denials are still logged, but no longer enforced):

[root@localhost tor]# yum install policycoreutils-python
[root@localhost tor]# semanage permissive -a tor_t
Alternatively, to keep SELinux enforcing for tor_t but allow Tor to bind to unreserved ports, use the tor_bind_all_unreserved_ports boolean instead:

[root@localhost tor]# semanage permissive -d tor_t # Undo the change we made above
[root@localhost tor]# setsebool -P tor_bind_all_unreserved_ports 1
The latter approach will not help if you've told Tor to bind to a reserved port (below 1024, for example if DNS is set to bind to port 53). In the example output above, Tor had been configured to bind its DNS listener to port 54, so simply allowing Tor to bind to unreserved ports would be insufficient: either move that listener to a port above 1023 or keep the permissive-domain approach.
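As an added example (not part of the original article), a small POSIX shell check that reads Tor's startup warnings and tells you whether the boolean can fix them: it pulls the port out of every "Could not bind" line and flags any port below 1024, which falls in SELinux's reserved range and is not covered by tor_bind_all_unreserved_ports. The sample log is the three warning lines from the output above, embedded inline; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article.
# Ports below 1024 are reserved under SELinux policy; the
# tor_bind_all_unreserved_ports boolean only covers ports >= 1024.

# Constructed sample: the failed-bind warnings from the article's Tor output.
TOR_LOG='Apr 02 15:53:14.057 [warn] Could not bind to 127.0.0.1:8080: Permission denied
Apr 02 15:53:14.060 [warn] Could not bind to 127.0.0.1:54: Permission denied
Apr 02 15:53:14.062 [warn] Could not bind to 127.0.0.1:9040: Permission denied'

# Print one "<port> reserved|unreserved" line per failed bind, in log order.
# The regex takes the digits after the last colon before ": Permission denied",
# so it works for both IPv4 and bracketed IPv6 addresses.
classify_bind_failures() {
    printf '%s\n' "$1" |
    sed -n 's/.*Could not bind to .*:\([0-9][0-9]*\): Permission denied.*/\1/p' |
    while read -r port; do
        if [ "$port" -lt 1024 ]; then
            echo "$port reserved"
        else
            echo "$port unreserved"
        fi
    done
}

# Succeed only if every failed bind is on an unreserved port, i.e. the
# boolean alone would fix the startup failure.
boolean_sufficient() {
    ! classify_bind_failures "$1" | grep -q ' reserved$'
}

if boolean_sufficient "$TOR_LOG"; then
    echo "setsebool -P tor_bind_all_unreserved_ports 1 should be enough"
else
    echo "reserved port(s) in use; the boolean alone will not help:"
    classify_bind_failures "$TOR_LOG" | grep ' reserved$'
fi
```

Feed it the real output with `classify_bind_failures "$(service tor start 2>&1)"` to check your own configuration.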
Note: The ports you configure for hidden services do not need to be taken into account, as Tor does not actually bind to these ports; it simply interprets traffic received via the Tor connection and forwards it appropriately.

Then start Tor again:
[root@localhost tor]# service tor start