mirror of https://github.com/containers/udica synced 2024-05-25 01:56:14 +02:00
Commit Graph

96 Commits

Author SHA1 Message Date
Vit Mojzis 131d228c6a confined: allow asynchronous I/O operations
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2024-03-04 12:59:53 +01:00
Vit Mojzis f411c14698 confined: make "-l" non-optional
The confinedom_user_login_macro is needed for all custom users.

Also, allow the new user type to be accessed via remote login.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2024-03-01 18:48:20 +01:00
Vit Mojzis 3cda61f9a5 Add option to generate custom policy for a confined user
Udica can now generate cil policy for a confined user using a list of
macros.
The macros are based on policy templates created by Patrik Končitý:
https://github.com/Koncpa/confined-users-policy

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2024-02-12 19:53:57 +01:00
Vit Mojzis b19842e937 udica-0.2.8
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2023-11-29 11:02:48 +01:00
Vit Mojzis 6a7382bead Fix generating policy for Crio mounts
Fix issue introduced by
Commit 7c7b9ad505
"Avoid duplicate rules for accessing mounts and devices"
where policy rules for "read-only mounts" are not generated properly.

Adjust Crio basic test to incorporate a read only mount that is not
covered by a special case ("/home" is handled by "home_container" and
anything under "/var/lib/kubelet" is ignored).

Thanks https://github.com/arcardon (jamjcardona@sbcglobal.net) for
spotting this in the code.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2023-04-20 13:17:24 +02:00
Chris Evich 5d6feb3a6c Fix several lint findings
Signed-off-by: Chris Evich <cevich@redhat.com>
2023-03-29 15:34:28 -04:00
Vit Mojzis 34c0f13758 Rename --device-access to --devices
This makes parameters more consistent.
Also, describe the new parameter in man page.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-10-20 16:50:15 +02:00
Martin Skøtt a2f0e4588e Syntax changes after running black
Signed-off-by: Martin Skøtt <martin@skoett.name>
2022-10-04 10:25:37 +02:00
Martin Skøtt a72b8fffc8 Add --device-access option
Signed-off-by: Martin Skøtt <martin@skoett.name>
2022-10-04 10:25:37 +02:00
Vit Mojzis e7a4418143 udica-0.2.7
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-06-22 13:41:06 +02:00
Vit Mojzis 7c7b9ad505 Avoid duplicate rules for accessing mounts and devices
list_contexts may return duplicate contexts. This combined with multiple
mounts/devices that may share contexts leads to many duplicate allow
rules.

Example:
  tests/test_basic.podman.cil:8-11
  tests/test_basic.podman.cil:392-395
  duplicate RW mount permissions for var_spool_t

  tests/test_basic.podman.cil:28-31
  tests/test_basic.podman.cil:264-267
  tests/test_basic.podman.cil:304-307
  duplicate RW mount permissions for abrt_retrace_spool_t

This patch significantly reduces most test cil policies
e.g. test_basic.podman.cil 396 -> 253 lines
     test_basic.docker.cil 394 -> 254 lines

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-06-22 11:41:10 +02:00
Vit Mojzis d296573806 Improve containerd support
- Auto-detect containerd inspect files
- Use write_policy_for_podman_devices instead of a custom function
- Fix "path" to capabilities
- Fix issues reported by lint and black

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-06-22 11:41:10 +02:00
alegrey91 e5e919bebe feat: add devices and capabilities support for containerd engine
Signed-off-by: Alessio Greggi <ale_grey_91@hotmail.it>
2022-06-20 18:05:46 +02:00
alegrey91 696cea1e87 feat: add ports and mounts support for containerd engine
Signed-off-by: Alessio Greggi <ale_grey_91@hotmail.it>
2022-06-20 18:02:19 +02:00
Vit Mojzis 2e1f70537b Improve label collection for mounts and devices
Catch exception triggered by selabel_lookup when it encounters file
context definition containing "<<none>>"

The real label of a given path may differ from what selabel_lookup
(matchpathcon) returns. Udica should allow access to both.

Fixes:
        https://github.com/containers/udica/issues/98
        https://github.com/containers/udica/issues/109
2022-04-29 16:15:06 +02:00
Vit Mojzis dd05dbe742 Make sure each section of the inspect exists before accessing
Fixes: https://github.com/containers/udica/issues/105,
       https://github.com/containers/udica/issues/103

Inspired by:
0c56d98b8c

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2021-11-11 18:05:23 +01:00
Vit Mojzis 2a352551b7 udica-0.2.6
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2021-09-13 16:36:48 +02:00
Vit Mojzis aa3561d4de Move policy templates to container-selinux repo
Move udica policy templates to container-selinux package so that
administrators can deploy udica-generated policies on OpenShift nodes
without installing udica everywhere.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2021-09-13 16:21:41 +02:00
Vit Mojzis 09bf6b339f Update templates to work properly with new cil parser
Cil parser was recently updated to reject the following:
(block template1 (type t) )
(block template2 (blockinherit template1))
(block b (blockinherit template1) (blockinherit template2))

Re-declaration of type t
Previous declaration of type at /var/lib/selinux/targeted/tmp/modules/400/test/cil:1
Failed to copy block contents into blockinherit
Failed to resolve AST
semodule:  Failed!

Remove (blockinherit container) from all templates so that "process" and
"socket" are only defined once (by inheriting "container" block in the
generated policy).
All allow rules referencing "process" and "socket" now need to be
enclosed in an optional block.

While at it, unify indentation.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2021-08-26 18:16:40 +02:00
Vit Mojzis aa2da32f11 Sort container inspect data
This should diminish differences between policies generated for the same
container (allow rules should be in the same order).

Fixes:  Two subsequent calls to Udica on the same container sometimes
        generate different policy files (functionally equivalent, but
        with different rule order). This issue makes it difficult to use
        udica for CI purposes.

        https://github.com/containers/udica/issues/84

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2021-08-25 12:26:02 +02:00
Lukas Vrabec f436537ba8 Enable udica to generate policies with fifo class
Udica generates SELinux security allow rules only for files, dirs and
sockets. The following commit also adds FIFO files.

The change required also to modify existing unit tests.

Fixes: #85
2021-08-25 12:12:22 +02:00
Lukas Vrabec c19810736c Internal change renaming variables for perms sets
The reason for the internal change is to improve readability of
permissions in udica code.

Several variables related to permissions sets renamed:
* dro -> dir_ro
* drw -> dir_rw
* fro -> file_ro
* frw -> file_rw
* sro -> socket_ro
* srw -> socket_rw
* devrw -> device_rw
2021-08-25 12:12:22 +02:00
Vit Mojzis 6e74f83e6a Replace capability dictionary with str.lower()
The "cap" dictionary didn't bring any value and needed to be updated
with new capabilities.

Fixes:
        Udica fails when container info contains CAP_PERFMON
        Couldn't create policy: 'PERFMON'
        Error: Process completed with exit code 4.

        https://github.com/containers/udica/issues/88

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2021-07-08 15:57:57 +02:00
Chris Evich 42b3eb339b Update F34beta -> F34
Also update automation library to resemble what's done in other
containers-org. repositories.

Lastly, a minor python change to satisfy the linter.

Signed-off-by: Chris Evich <cevich@redhat.com>
2021-05-05 17:35:16 +02:00
Lukas Vrabec 4a648346b5 Increase version number to 0.2.4
Match udica version in code with the upstream github release.
2020-12-13 11:49:51 +01:00
Lukas Vrabec 31bccb3100 Support '--device /dev/XXX' podman parameter
Commit adds functionality to generate allow rules when --device switch
is used for podman e.g: podman run --device /dev/tty0 fedora /bin/bash

The output policy should look like:
(block devtest
    (blockinherit container)
    (allow process process ( capability ( audit_write chown dac_override fowner fsetid kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot )))

    (allow process tty_device_t ( blk_file ( getattr read write append ioctl lock open )))
    (allow process tty_device_t ( chr_file ( getattr read write append ioctl lock open )))
)

The feature is applicable for podman and docker engines, CRI-O uses
bind-mount solution.
2020-11-25 17:54:14 +01:00
Martin Bašti 0905fefe3d Refactor to proper abstract class
EngineHelper is an abstract class and should be treated like an abstract class using python stdlib tools

Note: `ABC` class available from py3.4

Signed-off-by: Martin Bašti <mbasti@redhat.com>
2020-10-19 17:27:24 +02:00
Martin Bašti d3832e082c Fix formatting to pass black check
Fixing to make CI green and allow PR merge

Signed-off-by: Martin Bašti <mbasti@redhat.com>
2020-10-19 17:21:29 +02:00
Jed Lejosne 808ec744a4 Make container types mcs-constrained
Signed-off-by: Jed Lejosne <jed@redhat.com>
2020-09-17 22:00:55 +02:00
Lukas Vrabec 2c3183d7da Bump release 2020-08-13 17:25:39 +02:00
Lukas Vrabec 3678e2fe32 Enable container port, not the host port
Udica should allow container port in generated policy not the host port.

Resolves: #62
2020-08-13 17:13:59 +02:00
Juan Antonio Osorio Robles 00b166f417 Refactor engine-specific handling code to use classes
This is a small refactor that moves the if statements for
engine-specific cases in the parsing code to use classes instead.
2020-08-13 16:22:32 +02:00
Ondrej Mosnacek cb6ef7e09c Add --version command-line argument
Create a sub-module to store the version string and use it both in
setup.py (to set version in package metadata) and in __main__.py (to
implement the --version command-line argument).

Fixes: https://github.com/containers/udica/issues/66
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-08-13 16:05:14 +02:00
Lukas Vrabec c56e91d16f Update supported podman version
In repository readme file and manpages update the supported podman
version from v1.4 to v2.0
2020-08-03 18:45:16 +02:00
Lukas Vrabec d81afa9f1a Fix parsing ports from podman engine
Podman container engine version 2.0.2 introduced a change so that the inspection JSON
files for exposed ports are generated the same way as by the docker container engine.
Because of this change, udica also requires some changes in parsing the inspection JSON file.

Because podman and docker now generate the same structure related to
ports, there is no need to do engine-specific adjustments.

Resolves: #60
2020-08-03 18:18:38 +02:00
Thorsten Scherf b690fb4235 Fix some formatting issues in udica man page 2020-06-29 14:50:24 +02:00
Steve Milner d56d6cf957 Use constants for engines
Replace copy/paste strings referencing container engines with
constants for reuse. These constants live under parse.

- ENGINE_PODMAN: Constant for the podman engine
- ENGINE_CRIO: Constant for the cri-o engine
- ENGINE_DOCKER: Constant for the docker engine
- ENGINE_ALL: All supported engines

Signed-off-by: Steve Milner <smilner@redhat.com>
2020-05-15 21:23:04 +02:00
Lukas Vrabec bf6df45366 Update permission set for generated rules
Udica doesn't add permissions "setattr, rmdir" for the dir class and
permissions "rename, setattr, unlink" for the file class to generated
rules when the block (template) is not defined. This causes
trouble when whole dirs are bind-mounted into the container space, like "/var/lib/mysql".

Commit adds the missing permissions to both classes and lists all
classes in alphabetical order.

"Basic" part of tests was regenerated due to the change
2020-04-25 13:10:17 +02:00
Lukas Vrabec b406f782c5 sctp socket support
The net_container template is updated: when the restricted_net_container block
is used, the container can also create and use sctp sockets.

Also when container exposes sctp sockets, udica will identify it and
generate policy where only sctp communication is allowed.
2019-11-11 13:00:08 +01:00
Lukas Vrabec b5fd92d03f New feature: parameter "--container-engine"
The following commit adds a new parameter to specify which container
engine is used for inspecting the container.

Example:
        # udica --container-engine podman -j my_container.json my_container
        ...

        # udica -e docker -j my_container.json my_container
        ...

In some situations udica fails to identify which engine is used,
therefore this parameter has to be used.

Commit includes also test for the feature.
2019-10-25 19:58:16 +02:00
Lukas Vrabec 57f661a4c6 Update json_is_podman_format() function
json_is_podman_format() returns true if the inspection json file is a list and
contains the environment variable "container" set to "podman".

Several containers (e.g. ubi8[1]) set this env variable to
"oci" instead of "podman". This commit improves the json_is_podman_format()
function to allow generating SELinux policy also when the variable is set
to "oci".

Part of the fix are also 2 new test cases testing ubi8 images

[1] https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8
2019-10-25 17:34:17 +02:00
Lukas Vrabec cdf857ab6b Make udica code compliant with the PEP-8 style.
Fix formatting on all python source code files to follow PEP-8 code
style.
https://www.python.org/dev/peps/pep-0008/
2019-10-16 12:28:12 +02:00
Juan Antonio Osorio Robles 9e382480ff Fix unused imports
These imports were reported by pyflakes.
2019-09-25 10:01:07 +02:00
Juan Antonio Osorio Robles 6c7a3929ed udica/policy.py: Remove unused imports
Some of the imports in udica/policy.py weren't used. This cleans them
up.
2019-09-24 10:21:49 +02:00
Lukas Vrabec dd018188e1 Update man pages and README because of CRI support
- Added CRI-O to supported container engines in man pages and README
file

- Added new paragraph to README file about running udica in OpenShift
2019-09-24 10:10:00 +02:00
Lukas Vrabec bdd18b7c60 Fix gen. policy when no template is used in CRI
This commit fixes the issue where udica generates wrong SELinux policy when no
template is used and the mountpoint is mounted as readonly. The final policy
also contained write permission.

The fix is just an improved if statement where udica looks at how a mountpoint is
mounted into the container.
2019-09-23 20:26:37 +02:00
Juan Antonio Osorio Robles f993f9e218 Initial CRI-O support
This modifies udica to also take the "inspect" format that crictl
gives out, and not only the docker/podman one.

Note that in this implementation, only the json file works; support for
parsing the input from the crictl command will come in a separate PR.
2019-09-23 20:02:05 +02:00
Juan Antonio Osorio Robles db10deb2c3 Improve permission set for log_container template
For the log_rw_container it wasn't possible to create new files, which
is something that's normally required. So we're adding this
capability, while still not allowing that container to rename that
directory or remove files from it as a security measure.

The audit_log_t file was also modified to be more restrictive for the
log_rw_container block, so we only allow reads now. However, the write
capability was left for the log_manage_container block.
2019-09-18 21:46:05 +02:00
Lukas Vrabec aa30540f51 Document supported container engine versions
Update README.md and man page of udica to document supported version of
container engines.

Resolves: #43
2019-09-18 21:42:18 +02:00
Lukas Vrabec 5c9c21dcb7 New feature: Cross Container Communication
This feature allows specifying container communication using stream sockets.

Communication is specified via new parameter "--stream-connect".
Feature example:

    Create containerA:
    # udica -j containerA.json containerA

    Create containerB which could stream connect to containerA:
    # udica -j containerB.json --stream-connect containerA containerB

Now, containerB contains the following additional rules and communicates with
containerA via stream socket:
    allow containerB.process containerA.process:unix_stream_socket connectto;
    (allow containerB.process containerA.socket ( sock_file ( getattr write open append )))

This feature also adds a new object to the base container template for creating a
socket file under every container namespace. e.g: my_container.socket,
network_container.socket.
2019-08-13 10:32:51 +02:00