Bug 1695248
| Summary: | [stream 1.0] don't allow a container to connect to random services | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Oneata Mircea Teodor <toneata> | |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
| Status: | CLOSED WONTFIX | QA Contact: | Milos Malik <mmalik> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | high | |||
| Version: | 8.0 | CC: | atomic-bugs, ddarrah, dwalsh, lfriedma, lsm5, lvrabec, mmalik, mmcgrath, plautrba, qcai, ssekidde, toneata, zpytela | |
| Target Milestone: | rc | Keywords: | Patch, Regression, Triaged, ZStream | |
| Target Release: | 8.2 | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | 1689255 | |||
| : | 1695689 1814146 (view as bug list) | Environment: | ||
| Last Closed: | 2020-03-17 07:19:57 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1689255 | |||
| Bug Blocks: | 1814146, 1944083 | |||
|
Comment 2
Daniel Walsh
2019-04-03 14:25:09 UTC
This is not fixed.
# rpm -q container-selinux
container-selinux-2.94-1.git1e99f1d.module+el8.0.0+2956+30df4692.noarch
# sesearch --allow | grep 'svirt_sandbox_domain unconfined_service_t'
allow svirt_sandbox_domain unconfined_service_t:fd use;
allow svirt_sandbox_domain unconfined_service_t:fifo_file { append getattr ioctl lock open read write };
allow svirt_sandbox_domain unconfined_service_t:process sigchld;
That allow rule is in selinux-policy. So I am reassigning to remove that allow rule from the selinux-policy package. This BZ is the 8.0.0 clone of 1689255, which is the 8.1 version. This issue is not fixed in 8.0.0 and is a regression which should be fixed in 8.0.0.2. REL PREP for 8.0.0.2 is Monday, Jul-22. How is this a regression? 8.0 allowed this access and it is fixed in 8.1. I don't see this as a regression. QE / CAI Qian reported this as a regression because he says "this has been fixed in RHEL7.X already, people would see this is a regression if they upgrade to RHEL8.0.z." It is fixed in a newer version of RHEL7 then RHEL8, I don't see us having to update for this case. We should just tell customer to use RHEL8.1. # sesearch -A -s container_t -p connectto
allow container_domain gssproxy_t:unix_stream_socket connectto;
allow container_domain spc_t:unix_stream_socket connectto;
allow container_domain sssd_t:unix_stream_socket connectto;
allow container_t container_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock map read sendto setattr setopt shutdown write };
allow domain setrans_t:unix_stream_socket connectto;
allow domain spc_t:unix_stream_socket connectto;
allow domain unconfined_service_t:unix_stream_socket { connectto getattr };
allow sandbox_net_domain sssd_t:unix_stream_socket connectto;
allow svirt_sandbox_domain spc_t:unix_stream_socket connectto;
allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { append bind connect connectto getattr getopt ioctl lock read setattr setopt shutdown write };
allow syslog_client_type kernel_t:unix_stream_socket { connectto getattr };
allow syslog_client_type syslogd_t:unix_stream_socket connectto;
We want to cut this list down.
In a perfect world I would want spc_t and unconfined_service_t removed from this list. Understand.
This commit should be reverted:
commit 6c3a7dbea842c451689b9500be5ce8575a12e980
Author: Dan Walsh <dwalsh>
Date: Sat Feb 8 10:45:47 2014 +0100
Add unconfined_server to be run by init_t when it executes files labeled bin_t, or usr_t, allow all domains to communicate with it
That guy made a mistake... He didn't think of containers at the time. This is where we need a mechanism to take away some rights from certain domains... No problem I revert it during RHEL-8.2 devel phase ;) We could open some discussion on mailing list but from upsream I know that they don't want such a mechanism. |