containers / udica

This repository contains a tool for generating SELinux security profiles for containers
GNU General Public License v3.0

generated policy does not enable published ports #60

Closed guystreeter closed 4 years ago

guystreeter commented 4 years ago

Describe the bug

I created a rootless pod for an application that listens on 9000 and 3483 tcp, and 3483 udp. Using the policy generated by udica, I get name_bind denials on all 3 ports.

To Reproduce

$ podman run \
    -d \
    --name lms \
    -p 9000:9000 \
    -p 3483:3483 \
    -p 3483:3483/udp \
    -v ~/squeezebox:/srv/squeezebox:Z \
    -v ~/Music:/srv/music \
    localhost/lmsserver
$ podman inspect lms | sudo udica lms_policy
$ sudo semodule -i lms_policy.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}
$ podman run \
    -d \
    --name lms \
    -p 9000:9000 \
    -p 3483:3483 \
    -p 3483:3483/udp \
    -v ~/squeezebox:/srv/squeezebox:Z \
    -v ~/Music:/srv/music \
    --security-opt label=type:lms_policy.process \
    localhost/lmsserver

Expected behavior

The application should be able to listen on the published ports.

Additional context

This is the generated policy:

(block lms_policy
    (blockinherit container)
    (blockinherit restricted_net_container)
    (allow process process ( capability ( audit_write chown dac_override fowner fsetid kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot ))) 

    (allow process user_home_t ( dir ( open read getattr lock search ioctl add_name remove_name write ))) 
    (allow process user_home_t ( file ( getattr read write append ioctl lock map open create  ))) 
    (allow process user_home_t ( sock_file ( getattr read write append open  ))) 
    (allow process audio_home_t ( dir ( open read getattr lock search ioctl add_name remove_name write ))) 
    (allow process audio_home_t ( file ( getattr read write append ioctl lock map open create  ))) 
    (allow process audio_home_t ( sock_file ( getattr read write append open  )))
)

These are the AVC messages:

time->Sun Jul 26 20:28:57 2020
type=AVC msg=audit(1595813337.948:433): avc:  denied  { name_bind } for  pid=139206 comm=squeezeboxserve src=3483 scontext=system_u:system_r:lms_policy.process:s0:c258,c933 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
----
time->Sun Jul 26 20:41:41 2020
type=AVC msg=audit(1595814101.696:458): avc:  denied  { name_bind } for  pid=139590 comm=nc src=9000 scontext=system_u:system_r:lms_policy.process:s0:c403,c885 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
----
time->Sun Jul 26 21:06:31 2020
type=AVC msg=audit(1595815591.384:549): avc:  denied  { name_bind } for  pid=140806 comm=squeezeboxserve src=3483 scontext=system_u:system_r:lms_policy.process:s0:c7,c498 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
----

Re-running udica with these messages adds these lines to the policy:

    (allow process unreserved_port_t ( udp_socket ( name_bind ))) 
    (allow process http_port_t ( tcp_socket ( name_bind ))) 
    (allow process unreserved_port_t ( tcp_socket ( name_bind ))) 

With this revised policy, the application can operate successfully.
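The step the report describes by hand, turning name_bind denials for the container's domain into the CIL allow rules udica adds and checking whether a generated block already carries them, as an added example that is not part of udica or of the original post (the sample AVC records and policy fragment are constructed from the lines quoted above; the `lms_policy.process` domain and the rule format follow the report):

```python
import re
from typing import Iterable, List

# Constructed sample: the three name_bind denials quoted in the report,
# in the "type=AVC ... / ----" layout ausearch prints.
SAMPLE_AVC = """\
type=AVC msg=audit(1595813337.948:433): avc:  denied  { name_bind } for  pid=139206 comm=squeezeboxserve src=3483 scontext=system_u:system_r:lms_policy.process:s0:c258,c933 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
----
type=AVC msg=audit(1595814101.696:458): avc:  denied  { name_bind } for  pid=139590 comm=nc src=9000 scontext=system_u:system_r:lms_policy.process:s0:c403,c885 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
----
type=AVC msg=audit(1595815591.384:549): avc:  denied  { name_bind } for  pid=140806 comm=squeezeboxserve src=3483 scontext=system_u:system_r:lms_policy.process:s0:c7,c498 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
"""
# Constructed sample: the head of the generated block, with no port rules.
SAMPLE_POLICY = """\
(block lms_policy
    (blockinherit container)
    (blockinherit restricted_net_container)
    (allow process user_home_t ( dir ( open read getattr lock search ioctl ))) 
)
"""

# One AVC record per line: permission set, source domain, target type, class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<sdomain>[^:\s]+).*?"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+).*?"
    r"tclass=(?P<tclass>\S+)"
)

def avc_to_rules(avc_text: str, domain: str = "lms_policy.process") -> List[str]:
    """name_bind denials raised by `domain` as CIL allow rules in udica's form.
    Denials from other domains are dropped so a shared audit log cannot widen
    this container's policy."""
    rules: List[str] = []
    for m in AVC_RE.finditer(avc_text):
        if m.group("sdomain") != domain or "name_bind" not in m.group("perms").split():
            continue
        rule = f"(allow process {m.group('ttype')} ( {m.group('tclass')} ( name_bind )))"
        if rule not in rules:
            rules.append(rule)
    return rules

def missing_rules(policy_text: str, required: Iterable[str]) -> List[str]:
    """Rules in `required` that `policy_text` lacks (whitespace normalised)."""
    norm = lambda s: " ".join(s.split())
    present = {norm(line) for line in policy_text.splitlines()}
    return [r for r in required if norm(r) not in present]

if __name__ == "__main__":
    for rule in missing_rules(SAMPLE_POLICY, avc_to_rules(SAMPLE_AVC)):
        print("policy lacks:", rule)
```

Run against the real audit log and the installed `.cil` before starting the container, the same check tells you whether a regenerated policy still misses a published port.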

wrabcak commented 4 years ago

Hi @guystreeter,

Can you share the versions of podman and udica?

It looks like there is a change in podman between 1.9 and 2.0.

@rhatdan, is there any change in the inspect JSON output?

Thanks, Lukas.

guystreeter commented 4 years ago

podman-2.0.3-1.fc32.x86_64
udica-0.2.1-2.fc32.noarch

rhatdan commented 4 years ago

Could be, some fields were changed to better match the inspect in Docker.

guystreeter commented 4 years ago

I tried adding "-e docker" and it looks like it enabled the ports. I'll test it later.

guystreeter commented 4 years ago

I tried the new policy generated with "-e docker" and it is working.