Closed laolux closed 5 years ago
@laolux Could you please share the data.json file?
Sure. I renamed it to data.txt to conveniently upload it to github.
data.txt
Hi, I'm able to reproduce it on my system with your inspection file. Could you please send me the podman command you use to start this container? (I'm mainly interested in the -v and -p parameters.)
Thanks, Lukas.
Hi @laolux , I found the reproducer. You're bind-mounting a directory which doesn't have a policy specified in selinux-policy, e.g.:
# matchpathcon /tmp/test
/tmp/test <<none>>
# podman run -it --rm --name server -v /tmp/test:/tmp/test fedora:latest bash
# podman inspect -l | sudo udica testudica
Traceback (most recent call last):
  File "/bin/udica", line 11, in <module>
    load_entry_point('udica==0.1.7', 'console_scripts', 'udica')()
  File "/usr/lib/python3.7/site-packages/udica/__main__.py", line 109, in main
    create_policy(opts, container_caps, container_mounts, container_ports)
  File "/usr/lib/python3.7/site-packages/udica/policy.py", line 173, in create_policy
    contexts = list_contexts(item['source'])
  File "/usr/lib/python3.7/site-packages/udica/policy.py", line 65, in list_contexts
    contexts.append(context.split(':')[2])
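The failure mode in the traceback above, as an added illustration that is not udica's own code: a mount source whose file-context entry is `<<none>>` (the way `/tmp/.*` is labeled in the reproducer) has no context string at all, so taking `context.split(':')[2]` to get the SELinux type raises `AttributeError` on `None`. The sketch below reads the `Mounts` array of a constructed `podman inspect` fragment, resolves each `Source` against a constructed `file_contexts` excerpt, and returns `None` instead of crashing for paths with no labeled context so they can be reported to the user. The sample inspect data, the file-context entries and the "last matching entry wins" lookup are assumptions made for the example; a real lookup goes through libselinux (`matchpathcon` / `selabel_lookup`), which udica's `list_contexts` is the Python-side equivalent of.

```python
import json
import re

# Constructed podman-inspect fragment (only the Mounts fields the example
# reads); not real output from this issue.
SAMPLE_INSPECT = json.dumps([{
    "Mounts": [
        {"Type": "bind", "Source": "/tmp/test", "Destination": "/tmp/test"},
        {"Type": "bind", "Source": "/var/lib/gitolite3",
         "Destination": "/var/lib/gitolite3"},
        {"Type": "volume", "Name": "gitolite-data",
         "Source": "/var/lib/containers/storage/volumes/gitolite-data/_data",
         "Destination": "/var/lib/gitolite3"},
    ]
}])

# Constructed file_contexts excerpt in the libselinux format:
#   <regex> [<file type>] <context or <<none>>>
# The entries are illustrative, not copied from a real policy.
SAMPLE_FILE_CONTEXTS = """\
/.*                                            system_u:object_r:default_t:s0
/var/lib(/.*)?                                 system_u:object_r:var_lib_t:s0
/var/lib/containers(/.*)?                      system_u:object_r:container_var_lib_t:s0
/var/lib/containers/storage/volumes/.*/_data(/.*)?  system_u:object_r:container_file_t:s0
/tmp/.*                                        <<none>>
"""


def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, file type, context).

    A context of <<none>> is stored as None: that is the value a lookup for
    such a path hands back, and the value that blew up udica's split().
    """
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        regex, context = fields[0], fields[-1]
        ftype = fields[1] if len(fields) == 3 else None
        specs.append((re.compile("^(?:" + regex + ")$"), ftype,
                      None if context == "<<none>>" else context))
    return specs


def lookup_context(path, specs):
    """Return the context string for path, or None if the path matches no
    entry or its entry is <<none>>.

    Simplification (assumption): the last matching entry wins. libselinux
    orders specs by specificity before matching; use matchpathcon for the
    authoritative answer.
    """
    found = None
    for regex, _ftype, context in specs:
        if regex.match(path):
            found = context
    return found


def selinux_type(context):
    """Third field of user:role:type:level, or None when there is no context.

    udica 0.1.7 did the split unconditionally, which is the crash in the
    traceback; guarding on None is the hardened form.
    """
    if context is None:
        return None
    return context.split(":")[2]


def mount_types(inspect_json, specs):
    """Map every mount source in podman-inspect output to its SELinux type."""
    result = {}
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts", []):
            source = mount["Source"]
            result[source] = selinux_type(lookup_context(source, specs))
    return result


def unlabeled_sources(types):
    """Mount sources that carry no usable type and need a manual label
    (chcon/semanage fcontext) or a :z/:Z volume option before udica can
    emit allow rules for them."""
    return sorted(src for src, t in types.items() if t is None)


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    types = mount_types(SAMPLE_INSPECT, specs)
    for src, t in types.items():
        print(f"{src}: {t if t else '<<none>>'}")
    print("needs labeling:", unlabeled_sources(types))
```

Running the block lists `/tmp/test` as needing a label while the regular `/var/lib` bind mount and the named-volume backing directory resolve to a type; the same check run over a real `podman inspect` dump (with `matchpathcon` in place of the toy lookup) tells you before udica runs which `-v` sources will produce no rules.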
Hi @wrabcak,
sorry for the late response. Yes, you are right, I am mounting some persistent volumes. However, those are not regular directories on my file system, but podman volumes. I use podman volumes because I was running into some other selinux issues when using directories (not enough experience at properly labeling by hand yet). All those issues disappeared when using podman volume, so there must be the correct labels for my container to access these volumes.
I created the volumes with
podman volume create gitolite-etc-ssh
podman volume create gitolite-data
I ran the container with
podman run --name=gitolite --read-only --volume gitolite-etc-ssh:/etc/ssh --volume gitolite-data:/var/lib/gitolite3 -dt -p 8022:22/tcp localhost/gitolite /usr/sbin/sshd -D
Hope this helps. If you need more information I can try to write up my entire process of creating the container.
Hi @laolux ,
I have a patch ready, could you please test it? I prepared scratch builds of udica:
https://copr.fedorainfracloud.org/coprs/lvrabec/udica/build/936194/
Thanks for help! Lukas.
Hi @wrabcak,
works great, I get a complete policy now.
Special thanks for making a convenient rpm for trying, I really appreciate it :-)
Hi @laolux ,
Thanks for the feedback, I'm glad that the fix is working. Please keep it open, I haven't pushed the patches to master yet because of missing unit tests.
Thanks, Lukas.
Describe the bug
udica crashes when parsing the json file, giving an error message that an attribute error occurred in policy.py: 'NoneType' has no attribute 'split'. Some policy file is created, however I am not sure if it is complete/usable (no SELinux expert).

To Reproduce
Steps to reproduce the behavior:
podman inspect containername > data.json
udica -j data.json policyname
returns 1

Expected behavior
udica creates a great new SELinux policy module and exits cleanly (returns 0).

Additional context
entire error message:

EDIT: forgot to mention that the container is unprivileged, set up and run by user podmanuser. This user also creates the json file, which is then copied to root as apparently udica needs to be run as root. Thus running podman ps -a as root will not list the container. Maybe that's an issue for udica?