As of 15, openstack-selinux prevents a non-root user in a container from privilege escalation. In 13 and before, openstack-selinux didn't have this functionality (that is, SELinux separation wasn't possible). Updates to the policy in [1] broke 15's functionality. A non-root user in one or more RHOSP containers can send messages to the dbus. With access to the dbus, services could be started or stopped, therefore a DoS is possible.
For Comment #0:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1738134
Matching BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1788561
Acknowledgments: Name: Cedric Jeanneret (Red Hat)
Created openstack-selinux tracking bugs for this issue: Affects: openstack-rdo [bug 1803657]
Mitigation: There is no known mitigation for this issue; the flaw can only be resolved by applying updates.
This issue has been addressed in the following products:
Red Hat OpenStack Platform 16.1
Via RHSA-2020:4381 https://access.redhat.com/errata/RHSA-2020:4381
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1690