Closed danno-rose closed 4 years ago
Hi @danno-rose ,
Could you please test it but with the following command?
# /usr/bin/udica -j container_name.json my_container
Thanks, Lukas.
Hello @wrabcak
Thank you for responding,
# sudo /usr/bin/udica -j cluster-autoscaler.json cluster_autoscaler
("Couldn't create policy:", TypeError("in method 'selabel_lookup', argument 3 of type 'char const *'",))
If I run without sudo:
libsemanage.semanage_get_lock: Could not open direct read lock at /etc/selinux/targeted/semanage.read.LOCK. (Permission denied).
libsemanage.enter_ro: could not get the active lock (Permission denied).
libsemanage.enter_ro: could not enter read-only section (Permission denied).
("Couldn't create policy:", OSError(13, 'Permission denied'))
thanks in advance for any support!
Hi @danno-rose ,
Thanks for update, could you please also attach cluster-autoscaler.json file?
Thanks, Lukas.
Hello @wrabcak
Certainly - sorry for not doing so previously
Here is the command I ran to generate it:
docker inspect af4538f4788a > cluster-autoscaler.json
Hi @danno-rose ,
It doesn't look like a udica issue. I'm able to generate SELinux policy using attached json file.
# udica -j cluster-autoscaler.json -e docker test-cluster-autoscaler
Policy test-cluster-autoscaler created!
Please load these modules using:
# semodule -i test-cluster-autoscaler.cil /usr/share/udica/templates/base_container.cil
Restart the container with: "--security-opt label=type:test-cluster-autoscaler.process" parameter
List of packages:
# rpm -q udica
udica-0.2.1-1.fc31.noarch
# rpm -q python3
python3-3.7.5-2.fc31.x86_64
# rpm -q libselinux
libselinux-2.9-5.fc31.x86_64
I'm afraid you are using quite old versions of packages.
Adding generated SELinux policy.
# cat test-cluster-autoscaler.cil
(block test-cluster-autoscaler
(blockinherit container)
(allow process cert_t ( dir ( getattr search open read lock ioctl )))
(allow process cert_t ( file ( getattr read ioctl lock open )))
(allow process cert_t ( sock_file ( getattr read open )))
(allow process var_lib_t ( dir ( getattr search open read lock ioctl )))
(allow process var_lib_t ( file ( getattr read ioctl lock open )))
(allow process var_lib_t ( sock_file ( getattr read open )))
(allow process var_lib_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process var_lib_t ( file ( getattr read write append ioctl lock map open create )))
(allow process var_lib_t ( sock_file ( getattr read write append open )))
(allow process var_lib_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process var_lib_t ( file ( getattr read write append ioctl lock map open create )))
(allow process var_lib_t ( sock_file ( getattr read write append open )))
)
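Before loading a generated module with `semodule -i` and restarting the container with the `--security-opt label=type:NAME.process` parameter, it is worth reading what the policy actually grants. The following is an added example (not udica's code and not from anyone in this thread) that parses the CIL block posted above, embedded here as a constructed sample, merges the duplicated `var_lib_t` rules, and flags which target types get write-capable permissions. The helper names (`parse_cil`, `write_capable`, `security_opt`) are my own, and it assumes only the rule layout udica emits in the sample: one `(block NAME ...)` wrapper, `(blockinherit ...)` lines, and `(allow process TYPE ( CLASS ( perms ... )))` rules.

```python
"""Summarise what a udica-generated CIL policy lets the container process do.

Added example, not part of udica or of the original issue. Parses the
(allow process TYPE ( CLASS ( perms ) )) rules udica emits, unions the
permissions per (target type, object class), and reports which targets
become writable, so a reviewer can check the module before semodule -i.
"""
import re
from collections import defaultdict

# Constructed sample: the policy posted in the thread, verbatim.
SAMPLE_CIL = """(block test-cluster-autoscaler
(blockinherit container)
(allow process cert_t ( dir ( getattr search open read lock ioctl )))
(allow process cert_t ( file ( getattr read ioctl lock open )))
(allow process cert_t ( sock_file ( getattr read open )))
(allow process var_lib_t ( dir ( getattr search open read lock ioctl )))
(allow process var_lib_t ( file ( getattr read ioctl lock open )))
(allow process var_lib_t ( sock_file ( getattr read open )))
(allow process var_lib_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process var_lib_t ( file ( getattr read write append ioctl lock map open create )))
(allow process var_lib_t ( sock_file ( getattr read write append open )))
(allow process var_lib_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process var_lib_t ( file ( getattr read write append ioctl lock map open create )))
(allow process var_lib_t ( sock_file ( getattr read write append open )))
)
"""

# Matches the single-class allow form udica emits (assumption: no nested
# class sets, which is all the sample on the page contains).
ALLOW_RE = re.compile(
    r"\(allow\s+(\S+)\s+(\S+)\s*\(\s*(\S+)\s*\(\s*([^)]*)\)\s*\)\s*\)"
)
BLOCK_RE = re.compile(r"\(block\s+(\S+)")
INHERIT_RE = re.compile(r"\(blockinherit\s+(\S+)\s*\)")

# Permissions that let the process change files/dirs rather than just read.
WRITE_PERMS = {
    "write", "append", "create", "unlink", "rename", "link",
    "add_name", "remove_name", "rmdir", "setattr",
}


def parse_cil(text):
    """Return (block name, inherited blocks, {(src, tgt, cls): set(perms)})."""
    block = BLOCK_RE.search(text)
    name = block.group(1) if block else None
    inherits = INHERIT_RE.findall(text)
    grants = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        # Duplicate rules (udica repeats mounts) are unioned, not listed twice.
        grants[(src, tgt, cls)].update(perms.split())
    return name, inherits, dict(grants)


def write_capable(grants):
    """Sorted (target type, class) pairs that receive any write-like permission."""
    return sorted(
        (tgt, cls) for (_src, tgt, cls), perms in grants.items()
        if perms & WRITE_PERMS
    )


def security_opt(name):
    """The label argument udica tells you to pass to the container engine."""
    return f"label=type:{name}.process"


def report(text):
    """Human-readable review of the policy, returned as a list of lines."""
    name, inherits, grants = parse_cil(text)
    lines = [f"policy block: {name}", f"inherits: {', '.join(inherits)}"]
    for (src, tgt, cls), perms in sorted(grants.items()):
        lines.append(f"{src} -> {tgt}:{cls}: {' '.join(sorted(perms))}")
    for tgt, cls in write_capable(grants):
        lines.append(f"WRITE: {tgt}:{cls}")
    lines.append(f"run with: --security-opt {security_opt(name)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CIL)))
```

Reading the output for the sample shows the intent of the two `docker inspect` mounts at a glance: everything labelled `cert_t` stays read-only, while `var_lib_t` directories, files and sockets become writable, which is exactly what a reviewer should confirm matches the container's actual volume mounts before loading the module.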
Closing the ticket, as was mentioned in previous comment, I'm not able to reproduce it.
Apologies for not responding sooner - I was off for a few days, then other stuff took over.
Anyway, thanks for checking and responding with the above. I was rather afraid that this issue might be with out of date, or incompatible packages. Unfortunately I am limited to those available in the repo for the Linux version I am using. I will attempt to update them manually and check the result. I will also contact the maintainers.
Dan
Hello, same issue here. I can see danno-rose uses an AL2 OS, as do I. Maybe the issue could be linked to this OS. It seems I'm not the only one to struggle with making SELinux work properly on AL2...
It could be caused by the OS. I'm not sure what the state of SELinux technology on AL2 is; afaik they are using the same packages as CentOS/RHEL.
Hi,
I am having issues creating a custom policy.
/usr/bin/udica --container-engine docker -j container_name.json my_container
("Couldn't create policy:", TypeError("in method 'selabel_lookup', argument 3 of type 'char const *'",))
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
container-selinux.noarch 2:2.68-1.el7 installed
libselinux.x86_64 2.5-12.amzn2.0.2 installed
libselinux-python.x86_64 2.5-12.amzn2.0.2 @amzn2-core
libselinux-utils.x86_64 2.5-12.amzn2.0.2 installed
selinux-policy.noarch 3.13.1-192.amzn2.6 installed
selinux-policy-devel.noarch 3.13.1-192.amzn2.6 @amzn2-core
selinux-policy-targeted.noarch 3.13.1-192.amzn2.6 installed
libselinux.i686 2.5-12.amzn2.0.2 amzn2-core
libselinux-devel.x86_64 2.5-12.amzn2.0.2 amzn2-core
libselinux-ruby.x86_64 2.5-12.amzn2.0.2 amzn2-core
libselinux-static.x86_64 2.5-12.amzn2.0.2 amzn2-core
pcp-selinux.x86_64 3.12.2-5.amzn2 amzn2-core
selinux-policy-doc.noarch 3.13.1-192.amzn2.6 amzn2-core
selinux-policy-minimum.noarch 3.13.1-192.amzn2.6 amzn2-core
selinux-policy-mls.noarch 3.13.1-192.amzn2.6 amzn2-core
selinux-policy-sandbox.noarch 3.13.1-192.amzn2.6 amzn2-core
setools-console.x86_64 3.3.8-2.amzn2.0.2 @amzn2-core
setools-libs.x86_64 3.3.8-2.amzn2.0.2 @amzn2-core
setools.x86_64 3.3.8-2.amzn2.0.2 amzn2-core
setools-devel.x86_64 3.3.8-2.amzn2.0.2 amzn2-core
setools-gui.x86_64 3.3.8-2.amzn2.0.2 amzn2-core
setools-libs.i686 3.3.8-2.amzn2.0.2 amzn2-core
setools-libs-tcl.x86_64 3.3.8-2.amzn2.0.2 amzn2-core
Please let me know what information I can provide.
Any assistance greatly appreciated!