Closed milosmalik closed 5 years ago
compilation failed:
libsepol.hierarchy_add_type_callback: my_container doesn't exist, my_container.process is an orphan
libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies
/usr/bin/checkmodule: loading policy configuration from mypolicy.te
This is more of a bug in libsepol than in udica itself. I created a Bugzilla ticket for this issue, https://bugzilla.redhat.com/show_bug.cgi?id=1680598, and will mention it in Known Issues in the README.
Describe the bug
If a container is running under a policy generated by udica and the container triggers some SELinux denials, then these denials cannot be transformed into a local policy module via audit2allow, because the compilation fails.
To Reproduce
Steps to reproduce the behavior:
1. podman run --security-opt label=type:my_container.process -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it fedora bash
2. run in the container as root: nc -lvp 22
3. run on the host as root: ausearch -m avc -i | audit2allow -M mypolicy
Expected behavior
Either the problem gets documented as a known bug or it is fixed.
Now udica supports adding additional allow rules to the generated policy using the option '--append-rules', so step no. 3 could be replaced by:
# podman inspect -l | udica --append-rules avc my_container
The feature was introduced in commit https://github.com/containers/udica/commit/40742ebaa2f459c40cf9617b7e81d18efed776a6. Therefore closing this ticket.
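Added example, not code from udica, audit2allow or this issue: a small Python script that groups AVC denials from `ausearch -m avc -i` style output into allow rules the way audit2allow does, and additionally flags dotted type names such as `my_container.process`. libsepol reads the dot as a type hierarchy and requires the parent type (here `my_container`) to be declared, which is exactly the "doesn't exist ... is an orphan" error in the report, so a pre-check saves a failed checkmodule run. The audit records, PIDs, ports and field values below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `ausearch -m avc -i` output for the scenario in the
# issue (a process confined by a udica policy binding port 22). Not real audit data.
SAMPLE_AVC = (
    "type=AVC msg=audit(02/25/2019 10:00:00.123:456) : avc:  denied  { name_bind } for  "
    "pid=1234 comm=nc src=22 "
    "scontext=system_u:system_r:my_container.process:s0:c1,c2 "
    "tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0\n"
    "type=AVC msg=audit(02/25/2019 10:00:01.456:457) : avc:  denied  { listen } for  "
    "pid=1234 comm=nc laddr=:: lport=22 "
    "scontext=system_u:system_r:my_container.process:s0:c1,c2 "
    "tcontext=system_u:system_r:my_container.process:s0:c1,c2 tclass=tcp_socket permissive=0\n"
)

# Matches the permission set, source/target contexts and object class of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)


def missing_parent_types(rules):
    """Parent types implied by dotted (hierarchical) type names.

    libsepol treats `a.b` as a child of `a`; if `a` is not declared anywhere in
    the loaded policy, the module fails to compile with the orphan error.
    """
    parents = set()
    for stype, ttype, _ in rules:
        for t in (stype, ttype):
            if "." in t:
                parents.add(t.rsplit(".", 1)[0])
    return sorted(parents)


def render_module(rules, name):
    """Render a minimal .te module in the style audit2allow -M produces."""
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    class_perms = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        class_perms[tclass].update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(class_perms.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        lines.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_avcs(SAMPLE_AVC)
    for parent in missing_parent_types(parsed):
        print(f"warning: type '{parent}' must exist or checkmodule will reject the module")
    print(render_module(parsed, "mypolicy"))
```

The warning is the point: when `missing_parent_types` returns anything, feeding the rules to the udica `--append-rules` path described above (which emits them into the policy that already declares the container type) is the workable route, rather than a stand-alone audit2allow module.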