containers / udica

This repository contains a tool for generating SELinux security profiles for containers
GNU General Public License v3.0

udica cannot use the container ID once it is provided #10

Closed milosmalik closed 5 years ago

milosmalik commented 5 years ago

Describe the bug

Help message of udica contains:

-i CONTAINERID, --container-id CONTAINERID  Running container ID

but udica still needs a docker file or directory.

To Reproduce

Steps to reproduce the behavior:

ps -efZ | grep mycontainer

unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 root 7712 6221 0 09:46 pts/0 00:00:00 podman run --security-opt label=type:mycontainer.process -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it fedora bash
system_u:system_r:mycontainer.process:s0:c62,c167 root 7801 7791 0 09:46 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 7900 7525 0 09:53 pts/1 00:00:00 grep --color=auto mycontainer

podman ps

CONTAINER ID  IMAGE                            COMMAND  CREATED        STATUS            PORTS               NAMES
063c3ef6f436  docker.io/library/fedora:latest  bash     7 minutes ago  Up 7 minutes ago  0.0.0.0:21->21/tcp  sad_mahavira

udica -i 063c3ef6f436 mycontainer

Traceback (most recent call last):
  File "/usr/local/bin/udica", line 11, in <module>
    load_entry_point('udica==0.1.1', 'console_scripts', 'udica')()
  File "/usr/local/lib/python3.6/site-packages/udica-0.1.1-py3.6.egg/udica/main.py", line 56, in main
  File "/usr/lib64/python3.6/subprocess.py", line 287, in call
    with Popen(*popenargs, **kwargs) as p:
  File "/usr/lib64/python3.6/subprocess.py", line 729, in __init__
    restore_signals, start_new_session)
  File "/usr/lib64/python3.6/subprocess.py", line 1364, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'docker': 'docker'
#

Expected behavior

Either the container ID is sufficient for udica to work successfully, or documentation should advise users to create the 'docker' file or directory.

milosmalik commented 5 years ago

tested on RHEL-8.0

wrabcak commented 5 years ago

Hi @milosmalik, I pushed a fix for this ticket, could you please verify it?

Thanks, Lukas.

milosmalik commented 5 years ago

The issue is fixed.

# rm -f my_container.cil
# which docker
/usr/bin/which: no docker in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
# podman ps
CONTAINER ID  IMAGE                            COMMAND  CREATED        STATUS            PORTS               NAMES
f6399e158967  docker.io/library/fedora:latest  bash     2 minutes ago  Up 2 minutes ago  0.0.0.0:21->21/tcp  silly_bhabha
# udica -i f6399e158967 my_container

Policy my_container created!

Please load these modules using: 
# semodule -i my_container.cil /usr/share/udica/templates/{base_container.cil,net_container.cil,home_container.cil}

Restart the container with: "--security-opt label=type:my_container.process" parameter
# ls -l my_container.cil 
-rw-r--r--. 1 root root 28332 Feb 26 03:32 my_container.cil
# 
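The root cause in the report above is a hardcoded shell-out to `docker` on a host that only has `podman`; the verification run shows the full workflow once that is fixed (generate from a container ID, load the `.cil` with the udica templates, restart the container with the new type). The script below is an added example written for this page, not udica's own code: it detects whichever engine is on PATH before calling `inspect`, fails with a readable message instead of a Python traceback when neither is present, and wraps the generate/load steps from the thread. The function names (`detect_engine`, `inspect_container`, `generate_and_load`) are this example's own; the three template files are the ones udica printed in the run above, and the set to load for another container is whatever udica prints for it. `semodule` needs root.

```shell
#!/bin/sh
# Added example (not part of udica). Pick the container engine that is actually
# installed instead of assuming "docker", which is what udica 0.1.1 did and
# what produced FileNotFoundError: 'docker' on a podman-only RHEL 8 host.

# Print the first engine found on PATH (podman preferred); non-zero if none.
detect_engine() {
    for e in podman docker; do
        if command -v "$e" >/dev/null 2>&1; then
            printf '%s\n' "$e"
            return 0
        fi
    done
    echo "error: no container engine (podman or docker) found on PATH" >&2
    return 1
}

# Emit "<engine> inspect <id>" output (the JSON a policy generator reads:
# mounts, ports, capabilities). Fails cleanly when no engine is available.
inspect_container() {
    cid="$1"
    engine=$(detect_engine) || return 1
    "$engine" inspect "$cid"
}

# The workflow from the verification run above, as one step: generate the
# policy from a running container, load it together with the templates udica
# listed for that run, and print the restart hint. Run as root.
generate_and_load() {
    cid="$1"
    name="$2"
    inspect_container "$cid" >/dev/null || return 1   # engine check first
    udica -i "$cid" "$name" || return 1
    semodule -i "$name.cil" \
        /usr/share/udica/templates/base_container.cil \
        /usr/share/udica/templates/net_container.cil \
        /usr/share/udica/templates/home_container.cil || return 1
    echo "restart the container with: --security-opt label=type:$name.process"
}
```

Source the file and call `generate_and_load <container-id> <policy-name>` as root; `detect_engine` and `inspect_container` can be tested on their own, which is what the check below does with a fake `podman` placed on a private PATH.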
wrabcak commented 5 years ago

Great, Thanks!