containers / udica

This repository contains a tool for generating SELinux security profiles for containers
GNU General Public License v3.0

Cannot Create Policy -- TypeError("in method 'selabel_lookup'..... #50

Closed danno-rose closed 4 years ago

danno-rose commented 4 years ago

Hi

I am having issues creating a custom policy.

/usr/bin/udica --container-engine docker -j container_name.json my_container

("Couldn't create policy:", TypeError("in method 'selabel_lookup', argument 3 of type 'char const *'",))

NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

container-selinux.noarch 2:2.68-1.el7 installed
libselinux.x86_64 2.5-12.amzn2.0.2 installed
libselinux-python.x86_64 2.5-12.amzn2.0.2 @amzn2-core
libselinux-utils.x86_64 2.5-12.amzn2.0.2 installed
selinux-policy.noarch 3.13.1-192.amzn2.6 installed
selinux-policy-devel.noarch 3.13.1-192.amzn2.6 @amzn2-core
selinux-policy-targeted.noarch 3.13.1-192.amzn2.6 installed
libselinux.i686 2.5-12.amzn2.0.2 amzn2-core
libselinux-devel.x86_64 2.5-12.amzn2.0.2 amzn2-core
libselinux-ruby.x86_64 2.5-12.amzn2.0.2 amzn2-core
libselinux-static.x86_64 2.5-12.amzn2.0.2 amzn2-core
pcp-selinux.x86_64 3.12.2-5.amzn2 amzn2-core
selinux-policy-doc.noarch 3.13.1-192.amzn2.6 amzn2-core
selinux-policy-minimum.noarch 3.13.1-192.amzn2.6 amzn2-core
selinux-policy-mls.noarch 3.13.1-192.amzn2.6 amzn2-core
selinux-policy-sandbox.noarch 3.13.1-192.amzn2.6 amzn2-core
setools-console.x86_64 3.3.8-2.amzn2.0.2 @amzn2-core
setools-libs.x86_64 3.3.8-2.amzn2.0.2 @amzn2-core
setools.x86_64 3.3.8-2.amzn2.0.2 amzn2-core
setools-devel.x86_64 3.3.8-2.amzn2.0.2 amzn2-core
setools-gui.x86_64 3.3.8-2.amzn2.0.2 amzn2-core
setools-libs.i686 3.3.8-2.amzn2.0.2 amzn2-core
setools-libs-tcl.x86_64 3.3.8-2.amzn2.0.2 amzn2-core

Please let me know what information I can provide.

Any assistance greatly appreciated!

wrabcak commented 4 years ago

Hi @danno-rose, could you please test it, but with the following command?

# /usr/bin/udica -j container_name.json my_container

Thanks, Lukas.

danno-rose commented 4 years ago

Hello @wrabcak

Thank you for responding,

# sudo /usr/bin/udica -j cluster-autoscaler.json cluster_autoscaler
("Couldn't create policy:", TypeError("in method 'selabel_lookup', argument 3 of type 'char const *'",))

If I run it without sudo:

libsemanage.semanage_get_lock: Could not open direct read lock at /etc/selinux/targeted/semanage.read.LOCK. (Permission denied).
libsemanage.enter_ro: could not get the active lock (Permission denied).
libsemanage.enter_ro: could not enter read-only section (Permission denied).
("Couldn't create policy:", OSError(13, 'Permission denied'))

Thanks in advance for any support!

wrabcak commented 4 years ago

Hi @danno-rose ,

Thanks for update, could you please also attach cluster-autoscaler.json file?

Thanks, Lukas.

danno-rose commented 4 years ago

Hello @wrabcak

Certainly - sorry for not doing so previously

Here is the command I ran to generate it:

docker inspect af4538f4788a > cluster-autoscaler.json

cluster-autoscaler.json (attached as a gist)

wrabcak commented 4 years ago

Hi @danno-rose ,

It doesn't look like a udica issue. I'm able to generate SELinux policy using attached json file.

# udica -j cluster-autoscaler.json -e docker test-cluster-autoscaler

Policy test-cluster-autoscaler created!

Please load these modules using: 
# semodule -i test-cluster-autoscaler.cil /usr/share/udica/templates/base_container.cil

Restart the container with: "--security-opt label=type:test-cluster-autoscaler.process" parameter

List of packages:

# rpm -q udica
udica-0.2.1-1.fc31.noarch
# rpm -q python3
python3-3.7.5-2.fc31.x86_64
# rpm -q libselinux
libselinux-2.9-5.fc31.x86_64

I'm afraid you are using quite old versions of packages.

Adding generated SELinux policy.

# cat test-cluster-autoscaler.cil 
(block test-cluster-autoscaler
    (blockinherit container)
    (allow process cert_t ( dir ( getattr search open read lock ioctl ))) 
    (allow process cert_t ( file ( getattr read ioctl lock open  ))) 
    (allow process cert_t ( sock_file ( getattr read open  ))) 
    (allow process var_lib_t ( dir ( getattr search open read lock ioctl ))) 
    (allow process var_lib_t ( file ( getattr read ioctl lock open  ))) 
    (allow process var_lib_t ( sock_file ( getattr read open  ))) 
    (allow process var_lib_t ( dir ( open read getattr lock search ioctl add_name remove_name write ))) 
    (allow process var_lib_t ( file ( getattr read write append ioctl lock map open create  ))) 
    (allow process var_lib_t ( sock_file ( getattr read write append open  ))) 
    (allow process var_lib_t ( dir ( open read getattr lock search ioctl add_name remove_name write ))) 
    (allow process var_lib_t ( file ( getattr read write append ioctl lock map open create  ))) 
    (allow process var_lib_t ( sock_file ( getattr read write append open  ))) 
)

wrabcak commented 4 years ago
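The generated policy above is built from the container's mount list: every mount source is resolved to its SELinux file type and one allow rule per object class is emitted, read-only or read-write depending on the mount. The script below is an added example, not udica's own code, that reproduces that mapping from a `docker inspect` JSON dump (the file `udica -j` consumes) and renders a CIL block of the same shape as test-cluster-autoscaler.cil. The path-to-type step is where udica calls libselinux's selabel_lookup(); it is replaced here by a constructed lookup table so the script runs offline, and the stand-in rejects non-`str` keys. That check reflects my assumption, not something the thread confirms, that the TypeError refers to the key parameter: in the C signature selabel_lookup(hnd, con, key, type) the key is argument 3, and a Python 2 json.load() yields unicode objects rather than str. The container id, mount paths and the type table are all constructed for the example.

```python
"""Added example (not udica's code): docker-inspect mounts -> CIL allow rules."""
import json

# Permission sets copied from the rules udica emitted in the thread.
RO_PERMS = {
    "dir": "getattr search open read lock ioctl",
    "file": "getattr read ioctl lock open",
    "sock_file": "getattr read open",
}
RW_PERMS = {
    "dir": "open read getattr lock search ioctl add_name remove_name write",
    "file": "getattr read write append ioctl lock map open create",
    "sock_file": "getattr read write append open",
}

# Constructed sample input: a trimmed `docker inspect <id>` output with
# one read-only bind mount and two read-write ones.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123456789ab",
    "Mounts": [
        {"Type": "bind", "Source": "/etc/pki/tls/certs",
         "Destination": "/certs", "Mode": "ro", "RW": False},
        {"Type": "bind", "Source": "/var/lib/autoscaler",
         "Destination": "/state", "Mode": "rw", "RW": True},
        {"Type": "bind", "Source": "/var/lib/autoscaler/cache",
         "Destination": "/cache", "Mode": "rw", "RW": True},
    ],
}])

# Constructed stand-in for the host's file_contexts database (path -> type).
FAKE_FILE_CONTEXTS = {
    "/etc/pki/tls/certs": "cert_t",
    "/var/lib/autoscaler": "var_lib_t",
    "/var/lib/autoscaler/cache": "var_lib_t",
}


def lookup_type(key, file_contexts=FAKE_FILE_CONTEXTS):
    """Stand-in for selinux.selabel_lookup(): resolve a path to its file type.

    The real binding takes the path as a C `char const *`; the type check
    here mimics that constraint (assumption: it is what the thread's
    TypeError on argument 3 is about).
    """
    if not isinstance(key, str):
        raise TypeError("in method 'selabel_lookup', argument 3 of type 'char const *'")
    try:
        return file_contexts[key]
    except KeyError:
        raise LookupError("no file_contexts entry for %s" % key) from None


def mounts_from_inspect(text):
    """Return [(source_path, writable)] for every mount of the first container."""
    data = json.loads(text)
    container = data[0] if isinstance(data, list) else data
    return [(m["Source"], bool(m.get("RW", True))) for m in container.get("Mounts", [])]


def cil_rules(mounts, lookup=lookup_type):
    """One allow rule per (type, class, perms), de-duplicated in first-use order.

    udica itself repeats rules when several mounts share a type (see the
    var_lib_t lines above); collapsing them is a deliberate difference here.
    """
    rules = []
    for source, writable in mounts:
        setype = lookup(source)
        perms = RW_PERMS if writable else RO_PERMS
        for cls, perm in perms.items():
            rule = "(allow process %s ( %s ( %s )))" % (setype, cls, perm)
            if rule not in rules:
                rules.append(rule)
    return rules


def render_policy(name, rules):
    """Wrap the rules in a CIL block that inherits the udica container template."""
    lines = ["(block %s" % name, "    (blockinherit container)"]
    lines += ["    " + r for r in rules]
    lines.append(")")
    return "\n".join(lines)


if __name__ == "__main__":
    mounts = mounts_from_inspect(SAMPLE_INSPECT)
    print(render_policy("test-cluster-autoscaler", cil_rules(mounts)))
```

The `lookup` parameter of `cil_rules()` is the injection point: on a host with libselinux's Python bindings you would pass a wrapper around the real selabel_lookup(), and a wrapper that encodes or converts its key to `str` before the call is the first thing to try when the binding rejects argument 3. The rendered block is only a policy source; as the comment above states, it still has to be loaded with `semodule -i` together with base_container.cil and the container restarted with the matching `--security-opt label=type:...process`.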

Closing the ticket; as mentioned in the previous comment, I'm not able to reproduce it.

danno-rose commented 4 years ago

Apologies for not responding sooner - I was off for a few days, then other stuff took over.

Anyway, thanks for checking and responding with the above. I was rather afraid that this issue might be with out-of-date or incompatible packages. Unfortunately I am limited to those available in the repo for the Linux version I am using. I will attempt to update them manually and check the result. I will also contact the maintainers.

Dan

jj-fontana commented 4 years ago

Hello, same issue here. I can see danno-rose uses an AL2 OS, as I do. Maybe the issue could be linked to this OS. It seems I'm not the only one struggling to make SELinux work properly with AL2...

wrabcak commented 4 years ago

It could be caused by the OS. I'm not sure what the state of SELinux technology on AL2 is; AFAIK they are using the same packages as CentOS/RHEL.