Ports and SELinux
I struggled to start a pod with a container which binds to port 8181. It fails to bind this port and never starts.
type=AVC msg=audit(1578260727.872:871): avc: denied { name_bind } for pid=5450 comm="ticker" src=8181 scontext=system_u:system_r:httpd_container_rw_content.process:s0:c32,c925 tcontext=system_u:object_r:intermapper_port_t:s0 tclass=tcp_socket permissive=0
Currently the SELinux policy (http_container_rw_content.sli) allows the containers to bind to 80, 8080 and all unreserved ports (for a list of all reserved ports see semanage port -l). But it is very unclear which ports are unreserved. So why do we limit the ports a container can bind?
For containers with a published port that policy makes sense (e.g. wkd-svr). Here a port is actually published to the network. But for containers in a pod with socat this does not make that much sense. The container binds the port only inside the pod network, so it can't collide with an already used port.
Should we use a different SELinux policy for containers which publish a port and those which just bind inside a pod network? Or should we just document this behavior and give some advice on which port range a container can bind without problems?
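The AVC line above already answers why 8181 is refused: SELinux labels network ports by type, and 8181 carries the dedicated type intermapper_port_t rather than the generic unreserved_port_t, so a policy that only allows name_bind on unreserved ports does not cover it. The following is an added helper (not part of this issue or of the policy discussed) that reads the AVC denial to pull out the port and target type, and looks a port up in semanage port -l style output to tell whether it falls under an explicit label or only under a range such as unreserved_port_t. The port listing embedded in the script is a constructed sample in the shape of semanage output, not real policy data; on a real host pipe the output of `semanage port -l` into the function instead.

```shell
#!/bin/sh
# Added example: inspect an SELinux name_bind denial and look up which
# port type a given port belongs to. Not part of the original issue.

# AVC line quoted in the issue, used as sample input.
AVC_LINE='type=AVC msg=audit(1578260727.872:871): avc: denied { name_bind } for pid=5450 comm="ticker" src=8181 scontext=system_u:system_r:httpd_container_rw_content.process:s0:c32,c925 tcontext=system_u:object_r:intermapper_port_t:s0 tclass=tcp_socket permissive=0'

# Constructed sample in the layout of `semanage port -l` (illustrative values only).
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
intermapper_port_t             tcp      8181
unreserved_port_t              tcp      1024-32767, 61001-65535
unreserved_port_t              udp      1024-32767, 61001-65535
ephemeral_port_t               tcp      32768-60999'

# avc_port_and_type LINE
# From a name_bind AVC denial print "<port> <target port type>".
avc_port_and_type() {
    printf '%s\n' "$1" |
        sed -n 's/.*src=\([0-9]*\).*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1 \2/p'
}

# selinux_port_type PORT PROTO [LISTING]
# Print the SELinux type that owns PORT/PROTO in LISTING (default: the sample).
# An explicit single-port entry wins over a range entry, which is how a dedicated
# label such as intermapper_port_t shadows the generic unreserved range.
# Prints "unlabeled" when the port matches no entry in the listing.
selinux_port_type() {
    port=$1; proto=$2; listing=${3:-$SAMPLE_PORT_LIST}
    printf '%s\n' "$listing" | awk -v want="$port" -v proto="$proto" '
        NR == 1 { next }                      # skip the header line
        $2 != proto { next }                  # only tcp or udp rows we asked for
        {
            type = $1
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)      # strip trailing comma from the list
                if (p ~ /^[0-9]+$/) {
                    if (p + 0 == want + 0) exact = type
                } else if (split(p, r, "-") == 2 &&
                           want + 0 >= r[1] + 0 && want + 0 <= r[2] + 0) {
                    if (range == "") range = type
                }
            }
        }
        END {
            if (exact != "") print exact
            else if (range != "") print range
            else print "unlabeled"
        }'
}

# Stand-alone usage: explain the denial from the issue.
set -- $(avc_port_and_type "$AVC_LINE")
echo "denied port $1 is labeled $2"
echo "lookup in port listing: $(selinux_port_type "$1" tcp)"
```

Run against a real host with `selinux_port_type 8181 tcp "$(semanage port -l)"`. A port that resolves to unreserved_port_t is one the current policy already permits; a port that resolves to a dedicated type like intermapper_port_t is one that either needs its own allow rule in the container policy or a different choice of port for the container.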