containers / udica

This repository contains a tool for generating SELinux security profiles for containers
GNU General Public License v3.0

CentOS Stream 8, udica returns errors when building CIL... #103

Closed byte13 closed 2 years ago

byte13 commented 2 years ago

Describe the bug
When running udica, the following error is returned:

```
Traceback (most recent call last):
  File "/usr/bin/udica", line 11, in <module>
    load_entry_point('udica==0.2.6', 'console_scripts', 'udica')()
  File "/usr/lib/python3.6/site-packages/udica/main.py", line 216, in main
    container_caps = sorted(engine_helper.get_caps(container_inspect, opts))
TypeError: 'NoneType' object is not iterable
```

To Reproduce Steps to reproduce the behavior:

  1. podman inspect f8d0cb6c653e >b13test.json
  2. udica -j b13test.json b13test
  3. Aforementioned output is displayed

Expected behavior
Expected output:

```
Policy b13test with container id f8d0cb6c653e created!
```

Additional context See b13test.json as attached file b13test.zip

```
$ podman version
Version:      4.0.0-dev
API Version:  4.0.0-dev
Go Version:   go1.16.7
Built:        Thu Sep 30 17:17:20 2021
OS/Arch:      linux/amd64

$ udica --version
0.2.6

$ more /etc/os-release
NAME="CentOS Stream"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Stream 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"
```

mavit commented 2 years ago

I see essentially the same error on Fedora 35.

mavit commented 2 years ago

```
> podman inspect ... | grep EffectiveCaps
        "EffectiveCaps": null,
```

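
The failure above comes down to `sorted()` being handed the `null` that `podman inspect` emits for `EffectiveCaps`. The following is an added illustration, not udica's own code: `get_caps_naive` is a hypothetical stand-in for the pre-fix helper, `get_caps_safe` shows the defensive form (null or missing list treated as no capabilities), and the inspect JSON is constructed here rather than taken from the attached file.

```python
import json

# Constructed sample of `podman inspect <id>` output (not from the issue's
# attachment): podman emits a JSON list with one object per container.
# The first entry reproduces the reported case ("EffectiveCaps": null),
# the second is an ordinary container with a capability list.
SAMPLE_INSPECT = json.dumps([
    {"Id": "f8d0cb6c653e", "EffectiveCaps": None, "BoundingCaps": None},
    {"Id": "deadbeef0001",
     "EffectiveCaps": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_CHOWN"],
     "BoundingCaps": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE"]},
])


def load_inspect(inspect_json):
    """Parse inspect output; accept both the list form and a bare object."""
    data = json.loads(inspect_json)
    return data if isinstance(data, list) else [data]


def get_caps_naive(container):
    """Hypothetical stand-in for the pre-fix helper: returns the raw value,
    so a null list becomes None and sorted(None) raises TypeError."""
    return container.get("EffectiveCaps")


def get_caps_safe(container):
    """Hardened form: a missing or null capability list means 'no
    capabilities'; duplicates are dropped and the result is sorted so the
    generated policy is stable across runs."""
    caps = container.get("EffectiveCaps") or []
    return sorted({c.upper() for c in caps})


def to_cil_names(caps):
    """SELinux capability permission names are lowercase without the CAP_
    prefix (CAP_CHOWN -> chown), which is the form a CIL policy uses."""
    return [c[len("CAP_"):].lower() if c.startswith("CAP_") else c.lower()
            for c in caps]


def reproduce_failure(inspect_json):
    """Return the exception class name the pre-fix path raises on null caps."""
    try:
        sorted(get_caps_naive(load_inspect(inspect_json)[0]))
    except TypeError as exc:
        return type(exc).__name__
    return None
```

Running `get_caps_safe` over the first sample container yields an empty list instead of a crash, which is the behaviour the later workaround in this thread (replacing `null` with `[]` in the JSON) achieves by editing the input instead.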
vmojzis commented 2 years ago

Thank you for reporting the issue, the following patch should fix it: https://github.com/containers/udica/pull/106

vmojzis commented 2 years ago

@byte13 @mavit Can you please confirm that the following patch fixes your issue (it's present in udica-0.2.6-2 and newer on Fedora)? https://github.com/containers/udica/commit/dd05dbe742384dd22f4a63889c56cb75e4e2f571

mavit commented 2 years ago

Yes, udica-0.2.6-3.fc36 seems to work for me on Fedora 35. Thanks.

byte13 commented 2 years ago

@vmojzis Sorry for the late answer and many thanks for the follow-up.

Yes, it works now:

```
$ more /etc/os-release
NAME="Rocky Linux"
VERSION="8.5 (Green Obsidian)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.5"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Rocky Linux 8.5 (Green Obsidian)"

$ udica -V
0.2.6

$ udica -j etcd.json etcd

Policy etcd created!

Please load these modules using:
semodule -i etcd.cil /usr/share/udica/templates/base_container.cil

Restart the container with: "--security-opt label=type:etcd.process" parameter
```

Many thanks again and best regards!

vmojzis commented 2 years ago

Thank you for the testing. Closing.

deeplow commented 2 years ago

Fedora 35 still doesn't have udica 0.2.7, which I think has this fix. So I solved it by editing the .json like this:

-     "EffectiveCaps": null,
-     "BoundingCaps": null,
+     "EffectiveCaps": [],
+     "BoundingCaps": [],
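
Review bot: the two substitutions replace `null` with empty lists rather than restoring any capability set, so a policy generated from the edited file will contain no capability rules; that is consistent with the `"EffectiveCaps": null` output shown earlier in this thread, but for a container that does run with capabilities the lists should come from an inspect output that reports them, and the linked udica fix is the proper resolution once the updated package is available.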