Udica now supports adding allow rules based on AVC logs from audit daemon.
With this feature, there is no need to manually modify a container
policy.
Using the '-a' or '--append-rules' parameter plus the path to a file with
SELinux denials will also add the corresponding rules.
Example:
# cat avc_file
type=AVC msg=audit(1565382576.178:800): avc: denied { read } for pid=1503 comm=container_test scontext=system_u:system_r:my_container.process:s0:c211,c982 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
# udica -j my_container.json --append-rules avc_file my_container
...
...
# cat my_container.cil
(block my_container
(blockinherit container)
(allow process process ( capability ( chown dac_override fsetid fowner mknod net_raw setgid setuid setfcap setpcap net_bind_service sys_chroot kill audit_write )))
*(allow process cert_t ( file ( read )))*
Note: SELinux denials whose source context differs from the name of the
generated container SELinux domain are considered unrelated and
these rules won't be added to the policy. Udica prints a warning message when
this situation occurs.
Closes: #38
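As an added illustration of the behaviour this commit describes (example code, not udica's own implementation), the snippet below parses AVC denial lines, turns those whose source type is `<container>.process` into CIL allow rules, and reports the unrelated ones. The two AVC lines are constructed sample input modelled on the one quoted above.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: the denial from the commit message plus one
# unrelated denial from a different container domain.
SAMPLE_AVC = """\
type=AVC msg=audit(1565382576.178:800): avc: denied { read } for pid=1503 comm=container_test scontext=system_u:system_r:my_container.process:s0:c211,c982 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1565382577.001:801): avc: denied { write open } for pid=1504 comm=other scontext=system_u:system_r:other_container.process:s0:c1,c2 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line: str) -> Optional[dict]:
    """Extract permissions, source/target types and object class from one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # An SELinux context is user:role:type[:range]; the type is the third field.
    return {
        "perms": m.group("perms").split(),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def avc_to_cil(avc_text: str, container: str) -> Tuple[List[str], List[str]]:
    """Return (CIL allow rules for `container`, AVC lines skipped as unrelated)."""
    expected_stype = f"{container}.process"
    rules, skipped = [], []
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # Only denials raised by this container's own domain belong in its policy.
        if rec["stype"] != expected_stype:
            skipped.append(line)
            continue
        perms = " ".join(rec["perms"])
        rules.append(f"(allow process {rec['ttype']} ( {rec['tclass']} ( {perms} )))")
    return rules, skipped


if __name__ == "__main__":
    rules, skipped = avc_to_cil(SAMPLE_AVC, "my_container")
    for s in skipped:
        print(f"WARNING: skipping denial from unrelated source context: {s}")
    print("\n".join(rules))
```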