Bug 1769474

Summary: SELinux won't allow SCTP communication in containers.
Product: Red Hat Enterprise Linux 8
Reporter: Federico Paolinelli <fpaoline>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 8.0
CC: bbreard, dustymabe, fsimonce, imcleod, jligon, lvrabec, mmalik, nstielau, plautrba, ssekidde, zpytela
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-11-11 09:42:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1769469, 1774382, 1779790, 1779794
Bug Blocks: 1717461

Description Federico Paolinelli 2019-11-06 17:08:45 UTC
Description of problem:

SELinux won't allow SCTP communication in containers.


How reproducible:
Always

Steps to Reproduce:

I have two containers running inside an OCP cluster trying to communicate via SCTP.
On the client side I execute:

[root@sctpclient-8598b85d98-rgst7 /]# sctp_test -H localhost -P 30100 -h 10.129.0.33 -p 30100 -s
remote:addr=10.129.0.33, port=rwp, family=2
local:addr=::, port=rwp, family=10
seed = 1573058364

Starting tests...
	socket(SOCK_SEQPACKET, IPPROTO_SCTP)  ->  sk=3
	bind(sk=3, [a:::,p:rwp])  --  attempt 1/10


		***bind: can not bind to :::rwp: Permission denied ****

On the server side:

[root@sctpserver-86c9c56484-pwjw9 /]# sctp_test -H localhost -P 30100 -l
local:addr=::, port=rwp, family=10
seed = 1573058322

Starting tests...
	socket(SOCK_SEQPACKET, IPPROTO_SCTP)  ->  sk=3
	bind(sk=3, [a:::,p:rwp])  --  attempt 1/10


		***bind: can not bind to :::rwp: Permission denied ****

Actual results:

Output of audit2why on the host:

type=AVC msg=audit(1573057500.176:79): avc:  denied  { node_bind } for  pid=54942 comm="sctp_test" src=30100 scontext=system_u:system_r:container_t:s0:c623,c666 tcontext=system_u:object_r:node_t:s0 tclass=sctp_socket permissive=1
type=AVC msg=audit(1573057500.177:80): avc:  denied  { listen } for  pid=54942 comm="sctp_test" lport=30100 scontext=system_u:system_r:container_t:s0:c623,c666 tcontext=system_u:system_r:container_t:s0:c623,c666 tclass=sctp_socket permissive=1
type=AVC msg=audit(1573057500.177:80): avc:  denied  { module_request } for  pid=54942 comm="sctp_test" kmod="crypto-hmac(sha1)" scontext=system_u:system_r:container_t:s0:c623,c666 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
type=AVC msg=audit(1573058322.702:90): avc:  denied  { name_bind } for  pid=119508 comm="sctp_test" src=30100 scontext=system_u:system_r:container_t:s0:c623,c666 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=sctp_socket permissive=0
type=AVC msg=audit(1573058364.617:91): avc:  denied  { name_bind } for  pid=122764 comm="sctp_test" src=30100 scontext=system_u:system_r:container_t:s0:c146,c880 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=sctp_socket permissive=0
type=AVC msg=audit(1573058373.960:92): avc:  denied  { name_bind } for  pid=123560 comm="sctp_test" src=30100 scontext=system_u:system_r:container_t:s0:c623,c666 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=sctp_socket permissive=0

After adding a custom policy generated via audit2allow, I still get an error on the client side:

[root@sctpclient-8598b85d98-rgst7 /]# sctp_test -H localhost -P 30100 -h 10.129.0.33 -p 30100 -s
remote:addr=10.129.0.33, port=rwp, family=2
local:addr=::, port=rwp, family=10
seed = 1573058557

Starting tests...
	socket(SOCK_SEQPACKET, IPPROTO_SCTP)  ->  sk=3
	bind(sk=3, [a:::,p:rwp])  --  attempt 1/10
Client: Sending packets.(1/10)
	sendmsg(sk=3, assoc=0)    1 bytes.
	  SNDRCV(stream=0 flags=0x1 ppid=1943840389

		*** sendmsg: Permission denied ***

Resulting from the following denial on the host:

type=AVC msg=audit(1573058557.794:95): avc:  denied  { name_connect } for  pid=137935 comm="sctp_test" dest=30100 scontext=system_u:system_r:container_t:s0:c146,c880 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=sctp_socket permissive=0


After re-generating the custom policy to include this last denial, the client and the server are able to communicate.


Expected results:

Works with no need to add a custom SELinux policy.
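
The two-step iteration the report describes (build a module from the first denials, load it, hit name_connect, rebuild) is what `audit2allow -M` automates, and the reason a second pass is needed is that in enforcing mode the client never reaches sendmsg() until bind() is allowed, so the name_connect denial cannot be in the first audit log. The Python below is an added example, not code from the bug report or from the selinux-policy package: it parses the AVC records quoted above (copied from the report, a subset of the first batch plus the later name_connect record) and renders the allow rules and a minimal .te module the way audit2allow does. The module name `sctp_container` is an assumption.

```python
"""Turn the SELinux AVC denials quoted above into allow rules for a local
policy module, the way audit2allow -M does.

Added example; not code from the bug report or the selinux-policy package.
The AVC lines are copied from the report. The module name sctp_container
(see the usage below) is an assumption.
"""
import re
from collections import OrderedDict

# Denials from the first run (server bind/listen, client bind), copied from the report.
FIRST_PASS = [
    'type=AVC msg=audit(1573057500.176:79): avc:  denied  { node_bind } for  pid=54942 comm="sctp_test" src=30100 scontext=system_u:system_r:container_t:s0:c623,c666 tcontext=system_u:object_r:node_t:s0 tclass=sctp_socket permissive=1',
    'type=AVC msg=audit(1573057500.177:80): avc:  denied  { listen } for  pid=54942 comm="sctp_test" lport=30100 scontext=system_u:system_r:container_t:s0:c623,c666 tcontext=system_u:system_r:container_t:s0:c623,c666 tclass=sctp_socket permissive=1',
    'type=AVC msg=audit(1573057500.177:80): avc:  denied  { module_request } for  pid=54942 comm="sctp_test" kmod="crypto-hmac(sha1)" scontext=system_u:system_r:container_t:s0:c623,c666 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1',
    'type=AVC msg=audit(1573058322.702:90): avc:  denied  { name_bind } for  pid=119508 comm="sctp_test" src=30100 scontext=system_u:system_r:container_t:s0:c623,c666 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=sctp_socket permissive=0',
    'type=AVC msg=audit(1573058364.617:91): avc:  denied  { name_bind } for  pid=122764 comm="sctp_test" src=30100 scontext=system_u:system_r:container_t:s0:c146,c880 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=sctp_socket permissive=0',
]
# Denial that only appeared once the first module was loaded and the client's bind() succeeded.
SECOND_PASS = [
    'type=AVC msg=audit(1573058557.794:95): avc:  denied  { name_connect } for  pid=137935 comm="sctp_test" dest=30100 scontext=system_u:system_r:container_t:s0:c146,c880 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=sctp_socket permissive=0',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def type_of(context):
    """Return the type field of a user:role:type:level SELinux security context."""
    return context.split(":")[2]


def parse_avcs(lines):
    """Yield one (source_type, target_type, tclass, permission, permissive) per denied permission."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (or malformed): skip it rather than guess
        src, tgt = type_of(m["scontext"]), type_of(m["tcontext"])
        for perm in m["perms"].split():
            yield src, tgt, m["tclass"], perm, m["permissive"] == "1"


def allow_rules(lines):
    """Collapse denials into one allow rule per (source, target, class), in first-seen order.

    A target type equal to the source type is written as 'self', as audit2allow does.
    """
    grouped = OrderedDict()
    for src, tgt, cls, perm, _ in parse_avcs(lines):
        grouped.setdefault((src, "self" if tgt == src else tgt, cls), set()).add(perm)
    rules = []
    for (src, tgt, cls), perms in grouped.items():
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def policy_module(name, lines):
    """Render a minimal .te file: module header, require block, then the allow rules."""
    types, classes = set(), {}
    for src, tgt, cls, perm, _ in parse_avcs(lines):
        types.update((src, tgt))
        classes.setdefault(cls, set()).add(perm)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("--- rules from the first audit log ---")
    print("\n".join(allow_rules(FIRST_PASS)))
    print("--- module after the client reached sendmsg() ---")
    print(policy_module("sctp_container", FIRST_PASS + SECOND_PASS))
```

Writing the rendered text to `sctp_container.te` and running `checkmodule -M -m -o sctp_container.mod sctp_container.te`, `semodule_package -o sctp_container.pp -m sctp_container.mod` and `semodule -i sctp_container.pp` loads it, which is what `audit2allow -M sctp_container` does in one step. Two things worth checking before loading such a module: the `permissive` field (the first three records above were logged with `permissive=1`, i.e. nothing was actually blocked at that point), and the breadth of the target types, since `container_t` is every container on the host and `unreserved_port_t` is every port without its own label, so the generated rules are a workaround for testing rather than a policy one would want to ship.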

Comment 1 Micah Abbott 2019-11-07 14:54:38 UTC
RHCOS ships the same SELinux policy as used in RHEL 8.  Does this test work with a regular RHEL 8 host?

Comment 2 Federico Paolinelli 2019-11-07 15:08:37 UTC
Did not have the chance to try it (yet), I only saw it on an OCP 4.3 platform using pods.

Comment 3 Ben Breard 2019-11-07 15:10:47 UTC
Seems like we should move this to the selinux-policy package.

Comment 4 Lukas Vrabec 2019-11-11 09:42:57 UTC

*** This bug has been marked as a duplicate of bug 1769469 ***