Closed (moved)
Opened Jul 03, 2019 by Trac@tracbot

Add information about SELinux boolean tor_can_network_relay

Back in 2012, a new boolean was added to simplify the setup of a Tor Relay on systems running SELinux: tor_can_network_relay. This boolean, when enabled (it is disabled by default), will automatically allow the Tor process to bind to the ports used by the httpd server, including ports 80 and 443. Without this, the tor service will fail to start using these ports.

This boolean is not well exposed, and I had to spend quite some time learning to manage SELinux until I found out about it by chance. It makes setting up a relay on CentOS/RHEL and other distros a lot easier.

It would be very convenient for users of this guide if we included, at the very least, a note that makes them aware of this boolean on systems running SELinux. It could be added to the CentOS/RHEL specific instructions page and perhaps within "Make sure relay ports can be reached".

The boolean can be enabled like this:

# setsebool -P tor_can_network_relay on

In addition to this, but not specifically related to Tor: the Tor executable needs port binding capabilities, at least on CentOS/RHEL.

This can be set with a one-liner:

# setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/tor

Trac:
Username: crimson_king
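
A check for the two settings described in this issue, as an added example that is not part of the original report or of the Tor documentation. The function names are hypothetical, the sample lines are constructed, and the verdict logic assumes the issue's description: the boolean matters while SELinux is enforcing, and the tor binary needs CAP_NET_BIND_SERVICE.

```shell
# Added example (not from the issue): report whether its two settings are in
# place. Parsers take command output as text so samples can be fed to them.

# getsebool prints "tor_can_network_relay --> on" or "... --> off".
sebool_state() {
    case "$1" in
        "tor_can_network_relay --> on")  echo on ;;
        "tor_can_network_relay --> off") echo off ;;
        *) echo unknown ;;   # boolean absent from the loaded policy, or no SELinux
    esac
}

# getcap prints "/usr/bin/tor cap_net_bind_service=eip" (newer libcap) or
# "/usr/bin/tor = cap_net_bind_service+eip" (older libcap), nothing if unset.
# "yes" only when the capability is both effective (e) and permitted (p).
has_bind_cap() {
    flags=$(printf '%s\n' "$1" |
        sed -n 's/.*cap_net_bind_service[^ ]*[=+]\([eip]*\).*/\1/p')
    case "$flags" in
        *e*p*) echo yes ;;
        *)     echo no ;;
    esac
}

# Args: SELinux mode (getenforce output), boolean state, capability state.
# The boolean is only checked while SELinux is enforcing.
relay_bind_verdict() {
    if [ "$1" = Enforcing ] && [ "$2" != on ]; then
        echo boolean-not-on
    elif [ "$3" != yes ]; then
        echo capability-missing
    else
        echo ok
    fi
}

# Live check; needs getsebool and getcap, a missing getenforce reads as Disabled.
relay_prereq_report() {
    tor_bin=${1:-/usr/bin/tor}
    mode=$(getenforce 2>/dev/null || echo Disabled)
    bool=$(sebool_state "$(getsebool tor_can_network_relay 2>/dev/null)")
    cap=$(has_bind_cap "$(getcap "$tor_bin" 2>/dev/null)")
    echo "selinux=$mode boolean=$bool bind_cap=$cap:" \
        "$(relay_bind_verdict "$mode" "$bool" "$cap")"
}

# Constructed sample: enforcing host where only setcap has been run.
relay_bind_verdict Enforcing "$(sebool_state 'tor_can_network_relay --> off')" \
    "$(has_bind_cap '/usr/bin/tor cap_net_bind_service=eip')"
```

Calling `relay_prereq_report` with no argument checks /usr/bin/tor on the local host.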

Reference: legacy/trac#31070