containers / udica

This repository contains a tool for generating SELinux security profiles for containers
GNU General Public License v3.0

Udica could be able to update generated policy based on AVC denial messages #38

Closed wrabcak closed 5 years ago

wrabcak commented 5 years ago

If a container is running under a policy generated by udica and the container triggers some SELinux denials, then these denials cannot be transformed into a local policy module via audit2allow, but udica itself could be able to update the policy, and users would use udica instead of audit2allow.

e.g.

  1. podman run --security-opt label=type:my_container.process -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it fedora bash
  2. run in the container as root: nc -lvp 22
  3. run on the host as root: udica --modify --avc audit.log my_container

This would update my_container.cil with the rules needed for the container to bind to port 22, and the user would just install the module again.

https://bugzilla.redhat.com/show_bug.cgi?id=1732704

Idea by @bachradsusi .
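As an added illustration of what the proposed `--modify --avc` step would have to do (this is example code written for this page, not udica's own implementation, and `--modify --avc` is the issue's proposal rather than an existing option): parse AVC denial records from an audit.log, keep only those whose source type is the container's `my_container.process`, merge the permissions per target type and object class, render them as CIL allow rules, and append the missing ones inside the `(block my_container ...)` that udica generates. The audit lines and the CIL block below are constructed samples; the object types (`ssh_port_t`, `mail_spool_t`), the event ids, and the in-block layout using the block-local name `process` are assumptions for the example.

```python
import re

# Constructed sample audit.log excerpt (not a real capture). The process type
# my_container.process is the one from the podman command in the issue; the
# object types, pids and event ids are assumed for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1563360000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="nc" src=22 scontext=system_u:system_r:my_container.process:s0:c1,c2 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1563360000.123:456): arch=c000003e syscall=49 success=no exit=-13 comm="nc"
type=AVC msg=audit(1563360000.124:457): avc:  denied  { read open } for  pid=1235 comm="cat" path="/var/spool/mail/root" dev="dm-0" ino=99 scontext=system_u:system_r:my_container.process:s0:c1,c2 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563360000.125:458): avc:  denied  { name_bind } for  pid=1236 comm="nc" src=22 scontext=system_u:system_r:my_container.process:s0:c1,c2 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1563360000.126:459): avc:  denied  { write } for  pid=77 comm="nginx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
"""

# Constructed stand-in for the my_container.cil udica generates; the
# (block ...) layout with the block-local type name "process" is assumed.
SAMPLE_CIL = """\
(block my_container
    (blockinherit container)
    (blockinherit restricted_net_container)
    (allow process process ( capability ( chown dac_override )))
)
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other audit records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is always the third field.
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def collect_denials(audit_text, process_type):
    """Merge denials for one source type into {(target_type, class): perms}."""
    merged = {}
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None or d["stype"] != process_type:
            continue  # other domains' denials must never widen this container's policy
        merged.setdefault((d["ttype"], d["tclass"]), set()).update(d["perms"])
    return merged


def cil_allow_rules(denials):
    """Render merged denials as CIL allow rules in the assumed in-block form."""
    return [
        "(allow process %s ( %s ( %s )))" % (ttype, tclass, " ".join(sorted(perms)))
        for (ttype, tclass), perms in sorted(denials.items())
    ]


def merge_into_block(cil_text, block_name, rules):
    """Insert rules before the closing paren of (block <name> ...), skipping textual duplicates."""
    lines = cil_text.rstrip("\n").split("\n")
    if lines[0] != "(block %s" % block_name or lines[-1] != ")":
        raise ValueError("unexpected CIL layout for block %s" % block_name)
    body, closing = lines[:-1], lines[-1]
    present = {l.strip() for l in body}  # exact-text match only; reordered perms are not detected
    for rule in rules:
        if rule not in present:
            body.append("    " + rule)
    return "\n".join(body + [closing]) + "\n"


def update_policy(audit_text, cil_text, block_name):
    """The whole 'udica --modify --avc' step for one container: denials -> updated CIL text."""
    denials = collect_denials(audit_text, block_name + ".process")
    return merge_into_block(cil_text, block_name, cil_allow_rules(denials))


if __name__ == "__main__":
    print(update_policy(SAMPLE_AUDIT_LOG, SAMPLE_CIL, "my_container"))
```

On the sample input this adds one rule for the port 22 bind (`ssh_port_t`/`tcp_socket`/`name_bind`) and one for the `/var/spool` read, while the `httpd_t` denial is ignored because it belongs to another domain; running it a second time over its own output changes nothing. The updated file is then reinstalled with `semodule -i` as the issue says. The practitioner caveat is the same one that applies to audit2allow: every denial becomes an allow rule, so the generated rules should be read before installation rather than rubber-stamped, since a denial may be the policy working as intended.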