Open docent-net opened 5 years ago
Hi @docent-net ,
Udica is a great tool. And it would be great if one could use it also for generating policies for systemd-based containers (or even systemd-confined processes, not whole containers like Podman or Docker).
For instance, given a systemd portable service's unit file, Udica would generate an SELinux policy taking into consideration the directories that were mapped to the process.
I'm not familiar with systemd-based containers, but if systemd generates some inspection file for each container, where all the important information for us (mountpoints, capabilities and ports) is, it's possible to expand the functionality of udica also for systemd containers.
Same for systemd-nspawn containers or even normal processes confined by systemd properties configured in unit files.
Also, do you have an example related to a systemd portable unit file? I'm not sure what you mean.
Not sure if Udica is the best project for this (from my perspective it looks like it's rather for Podman/Docker-based containers). So I'm asking you guys, because if it were, maybe I could help you with that a bit.
For me it makes sense to have one generation tool for all container engines, and in this case systemd is also a container engine. So it could be part of Udica.
Thanks for helping with this project! Lukas.
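Reading the mount, capability and port facts out of a systemd unit into the same shape udica gets from a container inspection file (mountpoints, capabilities, ports), as an added example that is not udica's own code and not part of the original thread. It assumes the unit uses the real systemd directives BindPaths=, BindReadOnlyPaths=, CapabilityBoundingSet=, AmbientCapabilities= and ListenStream=/ListenDatagram=; the unit text itself is a constructed sample, and the data classes are this example's own.

```python
"""Extract the facts a policy generator needs (mounts, capabilities,
listening ports) from a systemd unit file.

Added example for this thread, not udica's code. The directive names are
real systemd keys; the unit below is a constructed sample, and UnitFacts
is this example's own container for the result.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a portable-service style unit with a [Socket]
# section folded in so the example stays self-contained.
SAMPLE_UNIT = """\
[Unit]
Description=Example portable service (constructed sample)

[Service]
ExecStart=/usr/bin/example-daemon
BindPaths=/var/lib/example:/data /run/example
BindReadOnlyPaths=/etc/example.conf /usr/share/example:/share:rbind
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
CapabilityBoundingSet=CAP_SETUID
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Socket]
ListenStream=0.0.0.0:8080
ListenStream=/run/example/api.sock
ListenDatagram=514
"""


@dataclass
class Mount:
    source: str
    destination: str
    read_only: bool


@dataclass
class UnitFacts:
    mounts: list = field(default_factory=list)
    capabilities: set = field(default_factory=set)
    ports: list = field(default_factory=list)  # (protocol, port) tuples


def parse_unit(text):
    """Return {section: [(key, value), ...]}, keeping order and repeats.
    configparser is deliberately not used: systemd allows a list-valued
    key to be repeated (each repeat appends) and an empty assignment
    resets the list, so every occurrence must be kept."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def _values(section, key):
    return [v for k, v in section if k == key]


def parse_bind_paths(spec, read_only):
    """BindPaths= entries are SOURCE[:DESTINATION[:OPTIONS]], separated by
    whitespace; a missing destination means "same path inside"."""
    mounts = []
    for entry in spec.split():
        parts = entry.split(":")
        source = parts[0]
        destination = parts[1] if len(parts) > 1 and parts[1] else source
        mounts.append(Mount(source, destination, read_only))
    return mounts


def parse_listen(spec, protocol):
    """ListenStream=/ListenDatagram= accept PORT, ADDRESS:PORT, a filesystem
    path or an abstract (@) socket; only numeric ports matter for a
    port-based SELinux rule, so path sockets yield None."""
    if spec.startswith(("/", "@")):
        return None
    match = re.search(r"(\d+)$", spec)
    return (protocol, int(match.group(1))) if match else None


def extract_facts(text):
    sections = parse_unit(text)
    facts = UnitFacts()
    service = sections.get("Service", [])
    for key, read_only in (("BindPaths", False), ("BindReadOnlyPaths", True)):
        for spec in _values(service, key):
            if spec == "":  # empty assignment resets that list
                facts.mounts = [m for m in facts.mounts if m.read_only != read_only]
                continue
            facts.mounts.extend(parse_bind_paths(spec, read_only))
    for key in ("CapabilityBoundingSet", "AmbientCapabilities"):
        for spec in _values(service, key):
            # Inverted lists ("~CAP_X", meaning everything except) are not
            # modelled here; they would need the full capability table.
            facts.capabilities.update(
                cap.upper() for cap in spec.split() if not cap.startswith("~"))
    socket = sections.get("Socket", [])
    for key, protocol in (("ListenStream", "tcp"), ("ListenDatagram", "udp")):
        for spec in _values(socket, key):
            port = parse_listen(spec, protocol)
            if port:
                facts.ports.append(port)
    return facts


if __name__ == "__main__":
    print(extract_facts(SAMPLE_UNIT))
```

The result carries exactly the three things the reply above lists as required input (mountpoints with read-only flag, capabilities, ports), so a unit-file front end would only need to map it onto whatever the existing container-inspection path already consumes.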