udica needs to enable the container port, not the host port #62
Comments
Hi @guystreeter, I'm not sure. Reading the podman-run manpages:
In your example: 9001 is hostPort and 9090 is containerPort. I generated and loaded the policy for the container: and for me it works as expected. Inside the container, I'm listening on tcp port 9090 (containerPort): on the host, I try to connect to localhost and tcp 9001 (hostPort):
And it's working.
In another window:
Stop the first container and then:
This is the file udica created:
This udica version is from updates-testing, and contains the fix for port parsing with podman 2.0.
Hi @guystreeter, Thanks,
Udica should allow container port in generated policy not the host port. Resolves: containers#62
Describe the bug
When a container is run with a network port remapped, udica generates a policy that allows access to the host port. The container port is the one that needs to be enabled.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The container should be able to access the port
Additional context
With "podman run -p 9001:9090 ...", udica generates a policy with this line:
(allow process tor_port_t ( tcp_socket ( name_bind )))
The container application gets a permission error accessing port 9090, and the host reports an AVC name_bind error on port 9090. When I change the line in the policy to:
(allow process websm_port_t ( tcp_socket ( name_bind )))
the container application can run successfully.
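The following is an added illustration, not udica's own code: it parses a podman/docker-style NetworkSettings.Ports structure (a constructed sample for "-p 9001:9090") and emits the CIL name_bind rule for either the host port or the container port, so the two policy lines quoted in this issue can be reproduced side by side. The port-to-type table is a constructed subset of the SELinux port labels; a real generator would query the loaded policy (for example via semanage port -l).

```python
import re

# Constructed subset of SELinux port labels (assumption: a real generator
# would look these up in the loaded policy instead of a fixed table).
PORT_TYPES = {("tcp", 9001): "tor_port_t", ("tcp", 9090): "websm_port_t"}

# Constructed sample in the layout podman inspect uses under
# NetworkSettings.Ports for `podman run -p 9001:9090 ...`.
SAMPLE_PORTS = {"9090/tcp": [{"HostIp": "", "HostPort": "9001"}]}


def parse_port_mappings(inspect_ports):
    """Return (proto, container_port, host_port) triples from a
    {"<containerPort>/<proto>": [{"HostPort": "<hostPort>", ...}]} dict."""
    mappings = []
    for key, bindings in inspect_ports.items():
        match = re.fullmatch(r"(\d+)/(tcp|udp)", key)
        if match is None:
            raise ValueError(f"unexpected port key: {key!r}")
        container_port, proto = int(match.group(1)), match.group(2)
        for binding in bindings or []:  # unpublished ports have no bindings
            mappings.append((proto, container_port, int(binding["HostPort"])))
    return mappings


def name_bind_rules(inspect_ports, use_container_port=True):
    """Emit one CIL allow rule per mapping. use_container_port=False
    reproduces the bug reported here: the rule is written for the host
    port, which the process inside the container never binds."""
    rules = []
    for proto, container_port, host_port in parse_port_mappings(inspect_ports):
        port = container_port if use_container_port else host_port
        port_type = PORT_TYPES.get((proto, port))
        if port_type is None:
            raise KeyError(f"no SELinux port type known for {port}/{proto}")
        rules.append(f"(allow process {port_type} ( {proto}_socket ( name_bind )))")
    return rules


if __name__ == "__main__":
    print("buggy (host port):  ", name_bind_rules(SAMPLE_PORTS, use_container_port=False))
    print("fixed (container):  ", name_bind_rules(SAMPLE_PORTS))
```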