udica - Man Page

a tool for generating SELinux security profiles for containers.

Synopsis

udica [options] container_name

Description

A tool for generating SELinux security profiles for containers. The whole concept is based on the "block inheritance" feature inside the CIL intermediate language supported by the SELinux user space. The tool creates a policy which combines rules inherited from specified CIL blocks (templates) and rules discovered by inspection of the container JSON file with mount points and port definitions.

Supported Container Engines

CRI-O v1.14.10+ docker v1.13+ podman v2.0+,

Options

-h,  --help

Show this help message and exit

-i,  --container-id ID

An ID of the running container for which should be an SELinux policy created

-j,  --json JSONFILE

Load JSON content of the inspected container from this file

-l,  --load-modules

Load templates and module created by this tool

-c,  --caps CAPS

List of capabilities, for example: "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL" (mandatory to use for Docker Engine, see the Bugs section)

--devices DEVS

List of devices the container should have access to, e.g "--devices /dev/dri/card0,/dev/dri/renderD128" (overrides devices specified in the conatiner JSON)

-a,  --append-rules FILE

Append more SELinux allow rules generated from SELinux denials in audit daemon.

-s,  --stream-connect DOMAIN

Allow container to stream connect with given SELinux domain.

-e,  --container-engine ENGINE

Specify which container engine is used for the inspected container (supports: CRI-O, docker, podman)

--full-network-access

Allow a container full network access

--tty-access

Allow a container to read and write the controlling terminal

--X-access

Allow a container to communicate with the X server

--virt-access

Allow a container to communicate with libvirt

Exit Status

0

no errors encountered.

1

other errors.

2

error while parsing options.

3

error while getting container info.

4

error while creating an SELinux policy.

Examples

# cat my_con.json | udica --x-access --full-network-access my_container
Creates a new SELinux policy with name my_container based on inspecting container and adding access to the X server and full network access.

See Also

selinux(8), podman(1)

Bugs

Since it is not possible to detect capabilities used by a container in Docker Engine, you have to use '-c' to specify capabilities for docker container manually.

It is not possible to generate a custom local policy using the "audit2allow -M" command from AVCs where source context was generated by udica. For this purpose please use '--append-rules' option.

In some situations udica fails to identify which container engine is used, therefore "--container-engine" parameter has to be used to inform udica how JSON inspection file should be parsed.

Reporting Bugs

Report bugs to <https://github.com/containers/udica/issues/>

Author

Written by Lukas Vrabec (lvrabec@redhat.com)

Info

17 February 2019 1.1 udica man page