
SELinux is preventing listen access on the tcp_socket port None. #377


Description

@septatrix

Podman supports passing an opened socket to the container via inherited file descriptors. However, calling listen on this FD always fails.

Reproducer:

// main.c
#include <stdio.h>
#include <sys/socket.h>

int main(void) {
    // listen on passed FD 3, backlog value taken from Node.js
    if (listen(3, /*backlog=*/ 511) != 0) {
        perror("listen");   // report the errno the kernel returned for the denied call
        return 1;
    }
    return 0;
}

Compile with gcc and adjust type:

gcc main.c && chcon --type bin_t ./a.out

Start it with systemd-socket-activate (which passes the socket as FD 3), set the context to container_t, and in another terminal run curl localhost:8080:

# terminal 1
systemd-socket-activate --listen=8080 -- runcon -t container_t strace -e %net ./a.out
# terminal 2
curl localhost:8080

For another reproducer using Node.js, see fedora-selinux/selinux-policy#2682.

Log message from SELinux troubleshooter

SELinux is preventing a.out from listen access on the tcp_socket port None.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that a.out should be allowed listen access on the port None tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'a.out' --raw | audit2allow -M my-aout
# semodule -X 300 -i my-aout.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:container_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Objects                port None [ tcp_socket ]
Source                        a.out
Source Path                   a.out
Port                          <Unknown>
Host                          Framework-13-AMD
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.39-1.fc42.noarch
Local Policy RPM              selinux-policy-targeted-41.39-1.fc42.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Framework-13-AMD
Platform                      Linux Framework-13-AMD 6.14.5-300.fc42.x86_64 #1
                              SMP PREEMPT_DYNAMIC Fri May  2 14:16:46 UTC 2025
                              x86_64
Alert Count                   1
First Seen                    2025-05-12 19:38:33 CEST
Last Seen                     2025-05-12 19:38:33 CEST
Local ID                      532f6634-794b-41b8-a458-f162a1c290b7

Raw Audit Messages
type=AVC msg=audit(1747071513.860:1491): avc:  denied  { listen } for  pid=37950 comm="a.out" lport=8080 scontext=unconfined_u:unconfined_r:container_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=0


Hash: a.out,container_t,unconfined_t,tcp_socket,listen
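The raw AVC record above is the input that ausearch/audit2allow turn into a proposed allow rule. The parser below is an added example (not code from this issue, the reporter, or the selinux-policy project) that extracts the verdict, permission set, object class and the source and target types from such a line and renders the audit2allow-style rule. It also classifies the target: here the target context is a process domain (unconfined_t, the domain the socket was created in before being inherited), not a port type, which is why the troubleshooter could only report "port None". The `_port_t` suffix test used for that classification is a naming-convention heuristic assumed here, not something the page states; the sample line is a constructed copy of the one quoted above.

```python
import re

# Constructed copy of the AVC record quoted in the issue above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1747071513.860:1491): avc:  denied  { listen } for  '
    'pid=37950 comm="a.out" lport=8080 '
    'scontext=unconfined_u:unconfined_r:container_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=tcp_socket permissive=0'
)

# "avc: denied { perm ... } for key=value ..." ; the permission set may hold several names.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either "quoted" or a run of non-space characters
# (SELinux contexts contain ':' and '.', so \S+ is what we want here).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def target_kind(target_type):
    """Heuristic (assumed here): port labels end in _port_t; otherwise the
    target of a socket-class denial is the domain that created the socket."""
    return 'port' if target_type.endswith('_port_t') else 'domain'


def parse_avc(line):
    """Parse one AVC audit record; returns None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    source_type = context_type(fields['scontext'])
    target_type = context_type(fields['tcontext'])
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'pid': fields.get('pid'),
        'lport': fields.get('lport'),
        'source_type': source_type,
        'target_type': target_type,
        'target_kind': target_kind(target_type),
        # permissive=1 means the denial was logged but not enforced
        'permissive': fields.get('permissive') == '1',
    }


def suggested_rule(avc):
    """Render the allow rule audit2allow would propose for this record."""
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (
        avc['source_type'], avc['target_type'], avc['tclass'], perm_text)


def triage(line):
    """One-line summary a responder can read before deciding whether the
    access is expected (policy bug) or not (investigate the process)."""
    avc = parse_avc(line)
    if avc is None:
        return 'not an AVC record'
    return '%s: %s (pid %s) in %s wants %s on %s labelled %s (%s); rule: %s' % (
        avc['result'], avc['comm'], avc['pid'], avc['source_type'],
        ' '.join(avc['perms']), avc['tclass'], avc['target_type'],
        avc['target_kind'], suggested_rule(avc))


if __name__ == '__main__':
    print(triage(SAMPLE_AVC))
```

Run over real records with something like `ausearch -m AVC --raw | python3 avc_triage.py` after swapping the sample for stdin; the "domain" classification is the cue that the denial concerns an inherited socket rather than a port label, so the fix belongs in the container policy rather than in a port-type assignment.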
