udica [options] container_name
A tool for generating SELinux security profiles for containers. The whole concept is based on the "block inheritance" feature inside the CIL intermediate language supported by the SELinux user space. The tool creates a policy which combines rules inherited from specified CIL blocks (templates) and rules discovered by inspection of the container JSON file with mount points and port definitions.
Supported Container Engines
CRI-O v1.14.10+ docker v1.13+ podman v2.0+,
- -h, --help
Show this help message and exit
- -i, --container-id ID
An ID of the running container for which should be an SELinux policy created
- -j, --json JSONFILE
Load JSON content of the inspected container from this file
- -l, --load-modules
Load templates and module created by this tool
- -c, --caps CAPS
List of capabilities, for example: "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL" (mandatory to use for Docker Engine, see the Bugs section)
- -a, --append-rules FILE
Append more SELinux allow rules generated from SELinux denials in audit daemon.
- -s, --stream-connect DOMAIN
Allow container to stream connect with given SELinux domain.
- -e, --container-engine ENGINE
Specify which container engine is used for the inspected container (supports: CRI-O, docker, podman)
Allow a container full network access
Allow a container to read and write the controlling terminal
Allow a container to communicate with the X server
Allow a container to communicate with libvirt
no errors encountered.
error while parsing options.
error while getting container info.
error while creating an SELinux policy.
# cat my_con.json | udica --x-access --full-network-access my_container Creates a new SELinux policy with name my_container based on inspecting container and adding access to the X server and full network access.
Since it is not possible to detect capabilities used by a container in Docker Engine, you have to use '-c' to specify capabilities for docker container manually.
It is not possible to generate a custom local policy using the "audit2allow -M" command from AVCs where source context was generated by udica. For this purpose please use '--append-rules' option.
In some situations udica fails to identify which container engine is used, therefore "--container-engine" parameter has to be used to inform udica how JSON inspection file should be parsed.
Report bugs to <https://github.com/containers/udica/issues/>
Written by Lukas Vrabec (firstname.lastname@example.org)