
udica needs to enable the container port, not the host port #62

Closed
guystreeter opened this issue Aug 9, 2020 · 3 comments · Fixed by #68
Describe the bug
When a container is run with a network port remapped, udica generates a policy that allows access to the host port. The container port is the one that needs to be enabled.

To Reproduce
Steps to reproduce the behavior:

  1. run a container with a remapped port.
  2. generate a policy for the container with udica
  3. run the container with the new policy

Expected behavior
The container should be able to access the port

Additional context
With podman run -p 9001:9090 ..., udica generates a policy with this line:

(allow process tor_port_t ( tcp_socket ( name_bind )))

The container application gets a permission error accessing port 9090, and the host reports an AVC name_bind error on port 9090.
When I change the line in the policy to:

(allow process websm_port_t ( tcp_socket ( name_bind )))

the container application can run successfully.

@guystreeter guystreeter changed the title udica needs to enable the container post, nit the host port udica needs to enable the container post, not the host port Aug 9, 2020

wrabcak commented Aug 10, 2020

Hi @guystreeter ,

I'm not sure. Reading the podman-run manpages:

$ man podman-run
 --publish, -p=ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort

In your example: 9001 is hostPort and 9090 is containerPort.

I generated and loaded the policy for the container:
$ podman run -it --security-opt label=type:testport.process -p 9001:9090 fedora /bin/bash

and for me it works as expected. Inside the container, I'm listening on tcp port 9090 (containerPort):
[root@8e96bd992d76 /]# dnf install /usr/bin/nc -y; nc -lvp 9090

on the host, I try to connect to localhost and tcp 9001(hostPort):

$ telnet localhost 9001                        
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

And it's working.

@wrabcak wrabcak self-assigned this Aug 10, 2020

guystreeter commented Aug 10, 2020

$ podman run -it -p 9001:9090 fedora /bin/bash
# dnf install -y nc
# nc -lvp 9090
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9090
Ncat: Listening on 0.0.0.0:9090

In another window:

$ podman inspect -l | sudo udica testport

Policy testport created!

Please load these modules using: 
# semodule -i testport.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}

Restart the container with: "--security-opt label=type:testport.process" parameter
$ sudo semodule -i testport.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}

Stop the first container and then:

$ podman run -it --security-opt label=type:testport.process -p 9001:9090 fedora /bin/bash
# dnf install -y nc
# nc -lvp 9090
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: bind to :::9090: Permission denied. QUITTING.

This is the file udica created:

$ cat testport.cil
(block testport
    (blockinherit container)
    (blockinherit restricted_net_container)
    (allow process process ( capability ( audit_write chown dac_override fowner fsetid kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot )))

    (allow process tor_port_t ( tcp_socket ( name_bind )))
)

podman-2.0.4-1.fc32.x86_64
udica-0.2.2-1.fc32.noarch

This udica version is from updates-testing, and contains the fix for port parsing with podman 2.0.

$ getenforce
Enforcing
$ sudo ausearch -m avc --start recent
----
time->Tue Aug 11 10:24:16 2020
type=AVC msg=audit(1597159456.863:1097): avc:  denied  { name_bind } for  pid=54500 comm="nc" src=9090 scontext=system_u:system_r:testport.process:s0:c677,c951 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket permissive=0
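An added example (not udica's own code) of the behaviour this issue asks for: read the port bindings from `podman inspect`, take the container port (the map key) rather than the host port (the `HostPort` value), emit the CIL `name_bind` allow line for it, and check an AVC denial against the generated lines. The inspect JSON layout is assumed to be the docker-compatible `NetworkSettings.Ports` form, and the port-to-type table is constructed from the two values reported above (udica resolves these from the loaded policy).

```python
import json
import re

# Constructed sample of the "NetworkSettings.Ports" section of `podman inspect`
# for `podman run -p 9001:9090 ...` (assumed docker-compatible layout):
# keys are "<containerPort>/<proto>", values list the host-side bindings.
SAMPLE_INSPECT = json.dumps([{
    "NetworkSettings": {
        "Ports": {"9090/tcp": [{"HostIp": "", "HostPort": "9001"}]}
    }
}])

# Constructed (proto, port) -> SELinux port type lookup, limited to the two
# ports named in this issue; real code would query the loaded policy.
PORT_TYPES = {("tcp", 9001): "tor_port_t", ("tcp", 9090): "websm_port_t"}

# AVC line quoted from the issue, used to check the generated policy.
SAMPLE_AVC = ('type=AVC msg=audit(1597159456.863:1097): avc:  denied  { name_bind } '
              'for  pid=54500 comm="nc" src=9090 '
              'scontext=system_u:system_r:testport.process:s0:c677,c951 '
              'tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket permissive=0')

def container_ports(inspect_json):
    """Return sorted (proto, containerPort) pairs taken from the map keys.
    The bug in this issue corresponds to reading HostPort here instead."""
    ports = set()
    for ctr in json.loads(inspect_json):
        bindings = ctr.get("NetworkSettings", {}).get("Ports") or {}
        for key, hosts in bindings.items():
            port, _, proto = key.partition("/")
            if hosts:  # only published ports get an allow rule
                ports.add((proto or "tcp", int(port)))
    return sorted(ports)

def cil_allow_lines(inspect_json, port_types=PORT_TYPES):
    """Build one CIL name_bind allow line per published container port."""
    lines = []
    for proto, port in container_ports(inspect_json):
        ptype = port_types.get((proto, port))
        if ptype is None:
            raise KeyError(f"no SELinux port type known for {port}/{proto}")
        lines.append(f"(allow process {ptype} ( {proto}_socket ( name_bind )))")
    return lines

AVC_RE = re.compile(r"denied\s+\{ name_bind \}.*?src=(\d+).*?tcontext=\S+:(\w+):s0"
                    r".*?tclass=(\w+)_socket")

def avc_covered(avc_line, cil_lines):
    """True if the port type in a name_bind AVC denial is allowed by cil_lines."""
    m = AVC_RE.search(avc_line)
    if not m:
        return None  # not a name_bind denial
    _src, ptype, proto = m.groups()
    return f"(allow process {ptype} ( {proto}_socket ( name_bind )))" in cil_lines
```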


wrabcak commented Aug 12, 2020

Hi @guystreeter,
You're right, I'll look into it tomorrow and prepare patches.

Thanks,
Lukas.

@guystreeter guystreeter changed the title udica needs to enable the container post, not the host port udica needs to enable the container port, not the host port Aug 12, 2020
wrabcak added a commit to wrabcak/udica that referenced this issue Aug 13, 2020
Udica should allow container port in generated policy not the host port.

Resolves: containers#62
wrabcak added a commit that referenced this issue Aug 13, 2020
Udica should allow container port in generated policy not the host port.

Resolves: #62