Tor.service fails to start on Silverblue (F39)

Hi everyone, I have this issue with the Tor service:

[~]$ sudo systemctl status tor.service
× tor.service - Anonymizing overlay network for TCP
     Loaded: loaded (/usr/lib/systemd/system/tor.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: failed (Result: exit-code) since Mon 2023-12-11 10:37:27 CET; 2min 41s ago
    Process: 24605 ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --verify-config (code=exited, status=1/FAILURE)
        CPU: 35ms

dic 11 10:37:27 matebook systemd[1]: tor.service: Scheduled restart job, restart counter is at 5.
dic 11 10:37:27 matebook systemd[1]: tor.service: Start request repeated too quickly.
dic 11 10:37:27 matebook systemd[1]: tor.service: Failed with result 'exit-code'.
dic 11 10:37:27 matebook systemd[1]: Failed to start tor.service - Anonymizing overlay network for TCP.

It also fails when trying to restart with: sudo systemctl restart tor.service

If I start it manually from the terminal using sudo -u toranon tor, it starts properly.

Does anyone else have this issue?

Check the output:

grep -v -e "^#" -e "^$" /etc/tor/torrc
journalctl --no-pager -b -u tor.service
journalctl --no-pager -b -g avc:

Hi, here’s the output of the commands:

[~]$ grep -v -e "^#" -e "^$" /etc/tor/torrc
ControlSocket /run/tor/control
ControlSocketsGroupWritable 1
CookieAuthentication 1
CookieAuthFile /run/tor/control.authcookie
CookieAuthFileGroupReadable 1
[~]$ journalctl --no-pager -b -u tor.service
dic 11 09:20:57 matebook systemd[1]: Starting tor.service - Anonymizing overlay network for TCP...
dic 11 09:20:57 matebook tor[3017]: Dec 11 09:20:57.093 [notice] Tor 0.4.8.9 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.1.1, Zlib 1.2.13, Liblzma 5.4.4, Libzstd 1.5.5 and Glibc 2.38 as libc.
dic 11 09:20:57 matebook tor[3017]: Dec 11 09:20:57.093 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
dic 11 09:20:57 matebook tor[3017]: Dec 11 09:20:57.093 [notice] Read configuration file "/usr/share/tor/defaults-torrc".
dic 11 09:20:57 matebook tor[3017]: Dec 11 09:20:57.093 [notice] Read configuration file "/etc/tor/torrc".
dic 11 09:20:57 matebook tor[3017]: Dec 11 09:20:57.097 [warn] Directory /var/lib/tor/keys cannot be read: Permission denied
dic 11 09:20:57 matebook tor[3017]: Dec 11 09:20:57.097 [warn] Failed to parse/validate config: Couldn't access private data directory "/var/lib/tor/keys"
dic 11 09:20:57 matebook tor[3017]: Dec 11 09:20:57.097 [err] Reading config failed--see warnings above.
dic 11 09:20:57 matebook systemd[1]: tor.service: Control process exited, code=exited, status=1/FAILURE
dic 11 09:20:57 matebook systemd[1]: tor.service: Failed with result 'exit-code'.
dic 11 09:20:57 matebook systemd[1]: Failed to start tor.service - Anonymizing overlay network for TCP.

-- repeated --

[~]$ journalctl --no-pager -b -g avc:
-- No entries --

Yes. I am having the same issue in Silverblue. Could be related to SELinux. I have raised a bug here:

https://bugzilla.redhat.com/show_bug.cgi?id=2252618

DO NOT RUN TOR AS ROOT. The correct workaround is to change ownership of /var/lib/tor back to the toranon user.

> cd /var/lib/tor/
> chown toranon:toranon *
> systemctl start tor

Thanks, I fixed it.

The issue is that the UID doesn’t match the one in passwd (getent passwd):

toranon:x:972:968:Tor anonymizing user:/var/lib/tor:/sbin/nologin
[~]$ sudo ls -lhR /var/lib/tor
/var/lib/tor:
totale 34M
-rw-------. 1 968 toranon  18K 24 nov 09.16 cached-certs
-rw-------. 1 968 toranon 2,7M 30 nov 12.11 cached-microdesc-consensus
-rw-------. 1 968 toranon  22M 24 nov 09.46 cached-microdescs
-rw-------. 1 968 toranon 8,9M 30 nov 09.33 cached-microdescs.new
drwx------. 1 968 toranon    0 20 apr  2023 keys
-rw-------. 1 968 toranon    0 30 nov 09.31 lock
-rw-------. 1 968 toranon  18K  2 dic 21.52 state

I changed the permissions on the entire folder, because the group was root.

sudo chown -R toranon:toranon /var/lib/tor

Now it works fine.

This looks a lot like "Move away from nss-altfiles (was: Messed up permissions in /var)" (Issue #362 in fedora-silverblue/issue-tracker on GitHub), which has a workaround in that same issue thread.

Somehow it appears that the uid and gid were switched between the user creation in /etc/passwd and maybe that in /etc/group as well as that used for the directory ownership. Installing the package seems to have had a problem.

Glad you found it and the workaround.
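
The mismatch diagnosed in this thread (files under /var/lib/tor owned by numeric 968 while getent passwd reports UID 972 for toranon) can be audited before and after running chown -R. The script below is an added example, not part of the original posts; the function names are hypothetical and it assumes GNU stat.

```shell
#!/bin/sh
# Added example: report entries whose numeric owner/group differ from the
# UID/GID that the passwd database assigns to a service account.

# Extract "UID GID" from one passwd-format line (name:x:uid:gid:...).
passwd_ids() {
    printf '%s\n' "$1" | awk -F: 'NF >= 4 { print $3, $4 }'
}

# Print "uid:gid path" for every entry under DIR whose numeric ownership is
# not WANT_UID:WANT_GID. Returns 1 if at least one mismatch was found.
find_mismatches() {
    dir=$1 want_uid=$2 want_gid=$3
    find "$dir" -exec stat -c '%u:%g %n' {} + |
        awk -v want="$want_uid:$want_gid" \
            '$1 != want { print; bad = 1 } END { exit bad + 0 }'
}

# Resolve the account through getent (so every NSS source is consulted,
# not only /etc/passwd) and audit DIR against the resolved IDs.
audit_service_dir() {
    user=$1 dir=$2
    line=$(getent passwd "$user") || {
        echo "no passwd entry for $user" >&2
        return 2
    }
    # Intentionally unquoted: split "UID GID" into $1 and $2.
    set -- $(passwd_ids "$line")
    find_mismatches "$dir" "$1" "$2"
}

# Usage (needs root to read a 0700 directory):
#   sudo sh audit-owner.sh toranon /var/lib/tor
if [ "$#" -eq 2 ]; then
    audit_service_dir "$1" "$2"
fi
```

An empty result with exit status 0 means every entry matches the account's current UID and GID; any printed line is an entry that the service user may be unable to read.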