RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1695248 - [stream 1.0] don't allow a container to connect to random services
Summary: [stream 1.0] don't allow a container to connect to random services
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.0
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
: 8.2
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1689255
Blocks: 1814146 1944083
TreeView+ depends on / blocked
 
Reported: 2019-04-02 17:52 UTC by Oneata Mircea Teodor
Modified: 2021-03-29 09:20 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1689255
: 1695689 1814146 (view as bug list)
Environment:
Last Closed: 2020-03-17 07:19:57 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Comment 2 Daniel Walsh 2019-04-03 14:25:09 UTC 
Fixed in container-selinux 2.94
Comment 5 Qian Cai 2019-07-10 14:56:32 UTC 
This is not fixed.

# rpm -q container-selinux
container-selinux-2.94-1.git1e99f1d.module+el8.0.0+2956+30df4692.noarch

# sesearch --allow | grep 'svirt_sandbox_domain unconfined_service_t'
allow svirt_sandbox_domain unconfined_service_t:fd use;
allow svirt_sandbox_domain unconfined_service_t:fifo_file { append getattr ioctl lock open read write };
allow svirt_sandbox_domain unconfined_service_t:process sigchld;
Comment 7 Daniel Walsh 2019-07-11 17:12:57 UTC 
That allow rule is in selinux-policy.  So I am reassigning to remove that allow rule from the selinux-policy package.
Comment 9 Laurie Friedman 2019-07-18 03:09:46 UTC 
This BZ is the 8.0.0 clone of 1689255, which is the 8.1 version.
This issue is not fixed in 8.0.0 and is a regression which should be fixed in 8.0.0.2.  REL PREP for 8.0.0.2 is Monday, Jul-22.
Comment 10 Daniel Walsh 2019-07-18 10:00:10 UTC 
How is this a regression?  8.0 allowed this access and it is fixed in 8.1.  I don't see this as a regression.
Comment 12 Laurie Friedman 2019-07-19 05:18:11 UTC 
QE / CAI Qian reported this as a regression because he says "this has been fixed in RHEL7.X already, people would see this is a regression if they upgrade to RHEL8.0.z."
Comment 13 Daniel Walsh 2019-07-19 10:18:44 UTC 
It is fixed in a newer version of RHEL7 then RHEL8, I don't see us having to update for this case.  We should just tell customer to use RHEL8.1.
Comment 20 Daniel Walsh 2019-08-27 12:09:32 UTC 
# sesearch -A -s container_t -p connectto
allow container_domain gssproxy_t:unix_stream_socket connectto;
allow container_domain spc_t:unix_stream_socket connectto;
allow container_domain sssd_t:unix_stream_socket connectto;
allow container_t container_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock map read sendto setattr setopt shutdown write };
allow domain setrans_t:unix_stream_socket connectto;
allow domain spc_t:unix_stream_socket connectto;
allow domain unconfined_service_t:unix_stream_socket { connectto getattr };
allow sandbox_net_domain sssd_t:unix_stream_socket connectto;
allow svirt_sandbox_domain spc_t:unix_stream_socket connectto;
allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { append bind connect connectto getattr getopt ioctl lock read setattr setopt shutdown write };
allow syslog_client_type kernel_t:unix_stream_socket { connectto getattr };
allow syslog_client_type syslogd_t:unix_stream_socket connectto;

We want to cut this list down.
Comment 21 Daniel Walsh 2019-08-27 12:11:24 UTC 
In a perfect world I would want spc_t and unconfined_service_t removed from this list.
Comment 22 Lukas Vrabec 2019-08-27 13:44:34 UTC 
Understand. 

This commit should be reverted:
commit 6c3a7dbea842c451689b9500be5ce8575a12e980
Author: Dan Walsh <dwalsh>
Date:   Sat Feb 8 10:45:47 2014 +0100

    Add unconfined_server to be run by init_t when it executes files labeled bin_t, or usr_t, allow all domains to communicate with it
Comment 23 Daniel Walsh 2019-08-27 14:43:46 UTC 
That guy made a mistake...  He didn't think of containers at the time.

This is where we need a mechanism to take away some rights from certain domains...
Comment 24 Lukas Vrabec 2019-08-27 18:08:26 UTC 
No problem I revert it during RHEL-8.2 devel phase ;) 

We could open some discussion on mailing list but from upsream I know that they don't want such a mechanism.
Note You need to log in before you can comment on or make changes to this bug.