allowing port 21 also means allowing ports 989 and 990 #7

Closed
milosmalik opened this issue Feb 25, 2019 · 0 comments

Describe the bug
Users of udica may be confused by the fact that allowing port 21 also means that ports 989 and 990 are allowed too, because from the SELinux policy point of view they are labeled the same way: ftp_port_t.

To Reproduce
Steps to reproduce the behavior:

  1. podman run --security-opt label=type:my_container.process -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it fedora bash
  2. nc -lvp 21
  3. nc -lvp 989
  4. nc -lvp 990

Expected behavior
Documentation should contain a note about this behavior.

Additional context
Ephemeral ports (32768-61000) are allowed too unless the content of /proc/sys/net/ipv4/ip_local_port_range is changed.
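
To see which ports a label-based rule really covers, the following added example (not part of the original issue and not udica code) parses a listing in the layout of `semanage port -l` and prints every port that shares a type with the one requested. The function names `sample_port_list` and `ports_sharing_type` and the sample listing are constructed for illustration; the ephemeral range in the sample is the one quoted in the issue.

```shell
#!/bin/sh
# Added example: which ports share an SELinux port type with a given port?
# Assumed input layout: `semanage port -l` (type, protocol, comma-separated
# ports or lo-hi ranges).

# Constructed sample listing; on a real host pipe `semanage port -l` into
# ports_sharing_type instead of using this function.
sample_port_list() {
cat <<'EOF'
SELinux Port Type              Proto    Port Number

ftp_data_port_t                tcp      20
ftp_port_t                     tcp      21, 989, 990
ftp_port_t                     udp      989, 990
ephemeral_port_t               tcp      32768-61000
EOF
}

# ports_sharing_type PORT PROTO   (listing is read from stdin)
# Prints "<type> <proto> <ports...>" for every type whose definition covers
# PORT, so the reader sees everything an allow rule on that type permits.
ports_sharing_type() {
    awk -v port="$1" -v proto="$2" '
    $2 == proto {                      # header and blank lines never match
        list = ""; hit = 0
        for (i = 3; i <= NF; i++) {
            p = $i; sub(/,$/, "", p)   # drop the list separator
            n = split(p, r, "-")       # single port or lo-hi range
            lo = r[1] + 0
            hi = (n == 2 ? r[2] : r[1]) + 0
            if (port + 0 >= lo && port + 0 <= hi) hit = 1
            list = list (list == "" ? "" : " ") p
        }
        if (hit) print $1, proto, list
    }'
}

# Demonstration on the constructed sample: asking about port 21/tcp also
# reports 989 and 990, because all three carry ftp_port_t.
sample_port_list | ports_sharing_type 21 tcp
```

A port that falls inside several definitions (for example a specific type plus a broad range type) produces one output line per type.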

milosmalik changed the title from "allowing port 21 also means allowing ports 980 and 990" to "allowing port 21 also means allowing ports 989 and 990" Feb 25, 2019
wrabcak self-assigned this Feb 25, 2019
wrabcak added the "good first issue" (Good for newcomers) and "docs" (Documentation issue) labels Feb 25, 2019
vmojzis added a commit to vmojzis/udica that referenced this issue Jun 20, 2022
Explain the implications of generating policy based on security labels
as opposed to filesystem paths, port numbers, etc.

containers#7

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
vmojzis added a commit to vmojzis/udica that referenced this issue Jun 22, 2022
Explain the implications of generating policy based on security labels
as opposed to filesystem paths, port numbers, etc.

containers#7

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
vmojzis closed this as completed Jun 22, 2022