Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

lost network connectivity #114

Open
TidyData opened this issue Jun 24, 2022 · 1 comment
Open

lost network connectivity #114

TidyData opened this issue Jun 24, 2022 · 1 comment
Labels
known bug Bug is known or not possible to fix in udica component wontfix This will not be worked on

Comments

@TidyData
Copy link

Describe the bug
My container lost the ability to connect to the network. This occurred when making a selinux security policy to be able to mount/access host folder inside a container.

To Reproduce
Steps to reproduce the behavior:

cont_id=$(podman create --rm \
  -v /hostfolder:/containerfolder:rw \
  -p 7777:7777 \
  registry.access.redhat.com/rhel7:latest)
expected_str=$(podman inspect $cont_id | sudo udica container_mount_myhostfolder)
podman rm $cont_id
# The above lines makes a selinux process
sudo semodule -i container_mount_myhostfolder.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}
# The above line installs the selinux process
# The below line runs the container with the specified selinux block
podman run -it --rm \
  --security-opt label=type:container_mount_myhostfolder.process \
  -v /hostfolder:/containerfolder:rw \
  --replace \
  --name thankyoupodmanteam \
  registry.access.redhat.com/rhel7:latest sh -c 'curl https://duckduckgo.com'

The selinux logged denial is below

sudo ausearch -m avc --start recent
 node=f.q.d.n type=AVC msg=audit(1656031606.687:43271466): avc:  denied  { name_connect } for  pid=1694771 comm="curl" dest=1234 scontext=system_u:system_r:container_mount_myhostfolder.process:s0:c328,c348 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0

Expected behavior
I would anticipate the container be able to still connect to the network, especially if able to bind to a port.

Additional context

using audit2why I was able to deduce and contribute to the CIL file that udica outputs, but I still think udica should permit network connectivity by default as that is what I personally was intuitively expecting.

sudo ausearch -m avc --start today | audit2why
q_depth should be larger than 512 for safety margin
node=f.q.d.n type=AVC msg=audit(1656033096.558:43646554): avc:  denied  { name_connect } for  pid=1698931 comm="curl" dest=1234 scontext=system_u:system_r:container_mount_myhostfolder.process:s0:c205,c312 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

sudo ausearch -m avc --start today | audit2allow
q_depth should be larger than 512 for safety margin


#============= container_mount_myhostfolder.process ==============
allow container_mount_myhostfolder.process http_cache_port_t:tcp_socket name_connect;

based on the above, the selinux process I manually add in the cil file and obtained success

    (allow process http_cache_port_t ( tcp_socket (  name_connect )))

so the full successful cil file resulted in

(block container_mount_myhostfolder
    (blockinherit container)
    (blockinherit restricted_net_container)
    (allow process http_cache_port_t ( tcp_socket (  name_bind ))) 
    (allow process http_cache_port_t ( tcp_socket (  name_connect ))) 
    (allow process http_port_t ( tcp_socket (  name_bind ))) 
    (allow process default_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) 
    (allow process default_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) 
    (allow process default_t ( fifo_file ( getattr read write append ioctl lock open ))) 
    (allow process default_t ( sock_file ( append getattr open read write ))) 
)

Maybe I need to tell udica to not restrict_net_container?

    (blockinherit restricted_net_container)
@vmojzis
Copy link
Collaborator

vmojzis commented Jun 27, 2022

Hi,
yes, udica only allows name_bind on the container ports.
But you can tell it to include any AVCs you encountered in the container policy by using the "-a, --append-rule" parameter (the same that audit2allow does, only udica makes sure to only process AVCs related to your container).

As for (blockinherit restricted_net_container), blockinherit means to inherit all rules from given block. restricted_net_container is a block of rules giving restricted access to network. You could use net_conatiner instead of restricted_net_container (udica does that when "--full-network-access" parameter is used), but that would give your container way too much access.

# sesearch -A -s sandbox_net_domain -c tcp_socket ... allow container_net_domain port_type:tcp_socket { name_bind name_connect recv_msg send_msg }; ...

@vmojzis vmojzis added wontfix This will not be worked on known bug Bug is known or not possible to fix in udica component labels Apr 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
known bug Bug is known or not possible to fix in udica component wontfix This will not be worked on
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vmojzis @TidyData