Tor denied message /etc/torrc.d/95_whonix.conf after upgrade from Whonix 13 to Whonix 14

Ok, everything went fine until final reboot.

So after starting ws-gw tor connection is off.

Some logs:

ERROR: Tor Pid Check Result:
Tor not running. (tor_pid_message: Pid file /var/run/tor/tor.pid does not exist.)
You have to fix this error, before you can use Tor.

So I checked:

ls -l /var/run/tor
total 0

ls -l /var/run/tor/tor.pid
ls: cannot access ‘/var/run/tor/tor.pid’: No such file or directory

Next (from “systemctl status tor@default.service” and “journalctl -xe”):

systemctl status tor@default.service

● tor@default.service - Anonymizing overlay network for TCP
Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor preset: enabled)
Drop-In: /lib/systemd/system/tor@default.service.d
└─40_obfs4proxy-workaround.conf, 50_controlsocket-workaround.conf
Active: failed (Result: exit-code) since Thu 2018-08-30 18:33:43 UTC; 1min 35s ago
Process: 2968 ExecStart=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 (code=exited, status=1/FAILURE)
Process: 2964 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS)
Process: 2963 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /var/run/tor (code=exited, status=0/SUCCESS)
Main PID: 2968 (code=exited, status=1/FAILURE)

Aug 30 18:33:43 host systemd[1]: Failed to start Anonymizing overlay network for TCP.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Unit entered failed state.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Failed with result ‘exit-code’.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
Aug 30 18:33:43 host systemd[1]: Stopped Anonymizing overlay network for TCP.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Start request repeated too quickly.
Aug 30 18:33:43 host systemd[1]: Failed to start Anonymizing overlay network for TCP.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Unit entered failed state.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Failed with result ‘exit-code’.

Also (this is going on and on…):

Aug 30 18:33:42 host systemd[1]: Starting Anonymizing overlay network for TCP…
-- Subject: Unit tor@default.service has begun start-up
-- Defined-By: systemd
-- Support: Debian -- User Support
--
-- Unit tor@default.service has begun starting up.
Aug 30 18:33:42 host tor[2964]: Aug 30 18:33:42.847 [notice] Tor 0.3.3.9 (git-ca1a436fa8e53a32) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0f, Zlib 1.2.8, Liblzma 5.2.2, and Libzstd 1.1.2.
Aug 30 18:33:42 host tor[2964]: Aug 30 18:33:42.848 [notice] Tor can’t help you if you use it wrong! Learn how to be safe at Tor Project | Download
Aug 30 18:33:42 host tor[2964]: Aug 30 18:33:42.849 [notice] Read configuration file “/usr/share/tor/tor-service-defaults-torrc”.
Aug 30 18:33:42 host tor[2964]: Aug 30 18:33:42.849 [notice] Read configuration file “/etc/tor/torrc”.
Aug 30 18:33:42 host tor[2964]: Aug 30 18:33:42.858 [warn] Option ‘DisableNetwork’ used more than once; all but the last value will be ignored.
Aug 30 18:33:42 host tor[2964]: Aug 30 18:33:42.858 [notice] You configured a non-loopback address ‘10.152.152.10:5300’ for DNSPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Aug 30 18:33:42 host tor[2964]: Aug 30 18:33:42.858 [notice] You configured a non-loopback address ‘10.152.152.10:9040’ for TransPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Aug 30 18:33:42 host tor[2964]: Configuration was valid
Aug 30 18:33:43 host tor[2968]: Aug 30 18:33:43.377 [notice] Tor 0.3.3.9 (git-ca1a436fa8e53a32) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0f, Zlib 1.2.8, Liblzma 5.2.2, and Libzstd 1.1.2.
Aug 30 18:33:43 host tor[2968]: Aug 30 18:33:43.379 [notice] Tor can’t help you if you use it wrong! Learn how to be safe at Tor Project | Download
Aug 30 18:33:43 host tor[2968]: Aug 30 18:33:43.380 [notice] Read configuration file “/usr/share/tor/tor-service-defaults-torrc”.
Aug 30 18:33:43 host tor[2968]: Aug 30 18:33:43.380 [notice] Read configuration file “/etc/tor/torrc”.
Aug 30 18:33:43 host audit[2968]: AVC apparmor=“DENIED” operation=“open” profile=“system_tor” name=“/etc/torrc.d/95_whonix.conf” pid=2968 comm=“tor” requested_mask=“r” denied_mask=“r” fsuid=0 ouid=0
Aug 30 18:33:43 host audit[2968]: SYSCALL arch=40000003 syscall=5 success=no exit=-13 a0=a2ad20 a1=88000 a2=0 a3=b7278000 items=1 ppid=1 pid=2968 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=“tor” exe=“/usr/bin/tor” key=(null)
Aug 30 18:33:43 host audit: CWD cwd=“/”
Aug 30 18:33:43 host audit: PATH item=0 name=“/etc/torrc.d/95_whonix.conf” inode=3016178 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Aug 30 18:33:43 host audit: PROCTITLE proctitle=2F7573722F62696E2F746F72002D2D64656661756C74732D746F727263002F7573722F73686172652F746F722F746F722D736572766963652D64656661756C74732D746F727263002D66002F6574632F746F722F746F727263002D2D52756E41734461656D6F6E0030
Aug 30 18:33:43 host tor[2968]: Aug 30 18:33:43.389 [warn] Could not open “/etc/torrc.d/95_whonix.conf”: Permission denied
Aug 30 18:33:43 host tor[2968]: Aug 30 18:33:43.389 [warn] Error reading included configuration file or directory: “/etc/torrc.d/95_whonix.conf”.
Aug 30 18:33:43 host tor[2968]: Aug 30 18:33:43.389 [err] Reading config failed--see warnings above.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Main process exited, code=exited, status=1/FAILURE
Aug 30 18:33:43 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg=‘unit=tor@default comm=“systemd” exe=“/lib/systemd/systemd” hostname=? addr=? terminal=? res=failed’
Aug 30 18:33:43 host systemd[1]: Failed to start Anonymizing overlay network for TCP.
-- Subject: Unit tor@default.service has failed
-- Defined-By: systemd
-- Support: Debian -- User Support
--
-- Unit tor@default.service has failed.
--
-- The result is failed.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Unit entered failed state.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Failed with result ‘exit-code’.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
Aug 30 18:33:43 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg=‘unit=tor@default comm=“systemd” exe=“/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
Aug 30 18:33:43 host systemd[1]: brltty.service: Cannot add dependency job, ignoring: Unit brltty.service is masked.
Aug 30 18:33:43 host audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg=‘unit=tor@default comm=“systemd” exe=“/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
Aug 30 18:33:43 host systemd[1]: Stopped Anonymizing overlay network for TCP.
-- Subject: Unit tor@default.service has finished shutting down
-- Defined-By: systemd
-- Support: Debian -- User Support
--
-- Unit tor@default.service has finished shutting down.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Start request repeated too quickly.
Aug 30 18:33:43 host systemd[1]: Failed to start Anonymizing overlay network for TCP.

I have checked the network interfaces; they look OK (same as posted here).

Does your

/etc/apparmor.d/local/system_tor.anondist

and

/etc/apparmor.d/local/system_tor

Look the same? Should be. To check:

diff /etc/apparmor.d/local/system_tor /etc/apparmor.d/local/system_tor.anondist ; echo $?

Expected output: 0

Does your /etc/apparmor.d/local/system_tor look like https://raw.githubusercontent.com/Whonix/anon-gw-anonymizer-config/master/etc/apparmor.d/local/system_tor.anondist?

Yes and yes. Both files are the same, and look like the one from the link.

Have exactly same problem. How to fix it?

Hi zealot

Did you try rebooting? You can also try restarting Tor.

https://forums.whonix.org/t/error-tor-not-running-tor-pid-message-pid-file-var-run-tor-tor-pid-doest-not-exist-noob-need-help/5785

Nope, I have same result
Sorry, looks like the VirtualBox guest utils are broken, so I could not copy-paste logs
I think it is an AppArmor issue

Tor config wrong? Please try Configuration Check as per:

Tor - Whonix

Please watch Tor log while restarting Tor as per:

Tor - Whonix

This might give some clues what’s wrong.


There aren't any Tor logs
And I could start Tor manually.

Please watch Tor log while restarting Tor as per:

Tor - Whonix

This might give some clues what’s wrong.


Weird openssl issue only.

grep -i error /var/run/tor/log

?

sudo journalctl -f

while doing this, restart Tor. That would show any apparmor related issues.


From Whonix 14 / Debian stretch AppArmor related changes

sudo cat /var/log/audit/audit.log | grep -i DENIED
grep -i error /var/run/tor/log

returns no result

sudo journalctl -f


returns several identical attempts to start Tor

sudo cat /var/log/audit/audit.log | grep -i DENIED


I could see many messages about Tor config files

It completely looks like an AppArmor issue

Does your /etc/apparmor.d/local/system_tor.anondist look the same as anon-gw-anonymizer-config/system_tor.anondist at master · Whonix/anon-gw-anonymizer-config · GitHub?


Yes, completely the same.

And /etc/apparmor.d/local/system_tor also looks same?

It’s actually a symlink.

ls -la /etc/apparmor.d/local/system_tor

lrwxrwxrwx 1 root root 19 Jan 23 14:41 /etc/apparmor.d/local/system_tor -> system_tor.anondist

I am just trying to figure out why that file is non-effective for you and wondering if that symlink may be broken.

Could you check please if /etc/apparmor.d/system_tor looks like this:

# vim:syntax=apparmor
#include <tunables/global>

profile system_tor flags=(attach_disconnected) {
  #include <abstractions/tor>

  owner /var/lib/tor/** rwk,
  owner /var/lib/tor/ r,
  owner /var/log/tor/* w,

  # During startup, tor (as root) tries to open various things such as
  # directories via check_private_dir().  Let it.
  /var/lib/tor/** r,

  /{,var/}run/tor/ r,
  /{,var/}run/tor/control w,
  /{,var/}run/tor/socks w,
  /{,var/}run/tor/tor.pid w,
  /{,var/}run/tor/control.authcookie w,
  /{,var/}run/tor/control.authcookie.tmp rw,
  /{,var/}run/systemd/notify w,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/system_tor>
}
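
The checks requested over the last few posts, collected into one script as an added example (not part of the thread and not Whonix tooling): it lists the distinct AppArmor denials in journal output, then tests whether the `local/system_tor` override is included, resolves through its symlink, and mentions the denied directory. The function names and `SAMPLE_LOG` are constructed for illustration; the textual rule match is a heuristic, not an evaluation of AppArmor globs.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_LOG is constructed after the AVC
# record quoted in the first post, with straight quotes as in a real journal.
SAMPLE_LOG='Aug 30 18:33:43 host audit[2968]: AVC apparmor="DENIED" operation="open" profile="system_tor" name="/etc/torrc.d/95_whonix.conf" pid=2968 comm="tor" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 30 18:33:43 host tor[2968]: Aug 30 18:33:43.389 [err] Reading config failed--see warnings above.'

# Print "profile path denied_mask" once per distinct AppArmor denial on stdin.
apparmor_denials() {
  sed -n 's/.*apparmor="DENIED".* profile="\([^"]*\)" name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2 \3/p' | sort -u
}

# Check that a profile's local override can take effect.
#   $1 = AppArmor directory (normally /etc/apparmor.d)
#   $2 = profile file name, $3 = path taken from a denial
# Prints one finding per problem; returns 0 only when none was found.
check_local_override() {
  aa_dir=$1; aa_prof=$2; aa_rc=0
  aa_local="$aa_dir/local/$aa_prof"
  aa_want=$(dirname "$3")
  if ! grep -Eq "^[[:space:]]*#?include[[:space:]]+<local/$aa_prof>" "$aa_dir/$aa_prof" 2>/dev/null; then
    echo "main profile does not include local/$aa_prof"; aa_rc=1
  fi
  if [ -L "$aa_local" ] && [ ! -e "$aa_local" ]; then
    echo "local/$aa_prof is a dangling symlink"; aa_rc=1
  elif [ ! -r "$aa_local" ]; then
    echo "local/$aa_prof is missing or unreadable"; aa_rc=1
  elif ! grep -qF "$aa_want" "$aa_local"; then
    # Heuristic: textual match only, AppArmor globs are not evaluated.
    echo "local/$aa_prof has no rule mentioning $aa_want"; aa_rc=1
  fi
  return "$aa_rc"
}

# Demo on the constructed sample; on a gateway use:
#   sudo journalctl -b | apparmor_denials
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials
```

A clean result only describes the files on disk; the kernel enforces whatever policy was last loaded, and `sudo apparmor_parser -r /etc/apparmor.d/system_tor` reloads the profile after a change.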