mirror of
https://github.com/containers/udica
synced 2025-02-04 22:31:37 +01:00
40742ebaa2
Udica now supports adding allow rules based on AVC logs from the audit daemon. With this feature, there is no need to manually modify a container policy. Using the '-a' or '--append-rules' parameter plus the path to a file with SELinux denials will also add the additional rules.

Example:

    # cat avc_file
    type=AVC msg=audit(1565382576.178:800): avc: denied { read } for pid=1503 comm=container_test scontext=system_u:system_r:my_container.process:s0:c211,c982 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0

    # udica -j my_container.json --append-rules avc_file my_container
    ...
    ...
    # cat my_container.cil
    (block my_container
        (blockinherit container)
        (allow process process ( capability ( chown dac_override fsetid fowner mknod net_raw setgid setuid setfcap setpcap net_bind_service sys_chroot kill audit_write )))
        *(allow process cert_t ( file ( read )))*

Note: SELinux denials where the source context is different than the name of the generated container SELinux domain are considered non-related, and these rules won't be added to the policy. Udica prints a warning message when this situation occurs.

Closes: #38
8 lines
1.4 KiB
Plaintext
time->Fri Aug 9 22:29:36 2019
type=AVC msg=audit(1565382576.178:800): avc: denied { open } for pid=1503 comm=container_test scontext=system_u:system_r:my_container.process:s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0:c0.c1023 tclass=file permissive=0
type=AVC msg=audit(1565382576.178:800): avc: denied { getattr } for pid=1503 comm=container_test scontext=system_u:system_r:my_container.process:s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0:c0.c1023 tclass=file permissive=0
type=AVC msg=audit(1565382576.178:800): avc: denied { write } for pid=1503 comm=container_test scontext=system_u:system_r:my_container.process:s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0:c0.c1023 tclass=file permissive=0
type=AVC msg=audit(1565382576.178:800): avc: denied { add_name } for pid=1503 comm=container_test scontext=system_u:system_r:my_container.process:s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1565382576.178:800): avc: denied { read } for pid=1503 comm=container_test scontext=system_u:system_r:my_container.process:s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0:c0.c1023 tclass=file permissive=0
type=AVC msg=audit(1565382576.178:800): avc: denied { read } for pid=1503 comm=container_test scontext=system_u:system_r:my_container.process:s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0:c0.c1023 tclass=file permissive=0
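The commit message describes three behaviours: parse AVC denials, keep only those whose source type is `<container>.process` (warning about the rest), and fold the remaining permissions into CIL `(allow process <type> ( <class> ( perms )))` rules. The following is an added, stand-alone illustration of that processing; it is not udica's own code and does not reproduce its internals. The regular expression, the `collect_rules`/`render_cil` names, and the `_avc` helper that rebuilds sample records in the layout of the test file above (plus one constructed denial from a different domain, to show the skip-and-warn path) are all assumptions made for this example.

```python
import re
import sys
from collections import OrderedDict

# Fields needed from one AVC record. The braces may hold several permissions
# ("{ read write }"), so the group is split on whitespace afterwards.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type:level)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc_line(line):
    """Parse one audit line; None for non-AVC lines such as 'time->' or '----'."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_rules(avc_text, container_name):
    """Group denied permissions by (target type, class) for one container domain.

    Records whose source type is not <container_name>.process are unrelated to
    the policy being generated: they are reported as warnings, never allowed.
    """
    domain = container_name + ".process"
    rules = OrderedDict()  # (ttype, tclass) -> ordered, de-duplicated perms
    warnings = []
    for lineno, line in enumerate(avc_text.splitlines(), 1):
        rec = parse_avc_line(line)
        if rec is None:
            continue
        if rec["stype"] != domain:
            warnings.append("line %d: scontext type %s does not match %s, rule skipped"
                            % (lineno, rec["stype"], domain))
            continue
        perms = rules.setdefault((rec["ttype"], rec["tclass"]), [])
        for perm in rec["perms"]:
            if perm not in perms:
                perms.append(perm)
    return rules, warnings


def render_cil(rules):
    """Render each group as a CIL allow rule in the layout the commit shows."""
    return ["(allow process %s ( %s ( %s )))" % (ttype, tclass, " ".join(perms))
            for (ttype, tclass), perms in rules.items()]


def _avc(perm, ttype, tclass, stype="my_container.process"):
    """Constructed AVC record in the same shape as the test file above."""
    return ("type=AVC msg=audit(1565382576.178:800): avc:  denied  { %s } for  pid=1503 "
            "comm=container_test scontext=system_u:system_r:%s:s0:c0.c1023 "
            "tcontext=system_u:object_r:%s:s0:c0.c1023 tclass=%s permissive=0"
            % (perm, stype, ttype, tclass))


# Constructed sample: the six denials from the test file, plus one from an
# unrelated domain that must be skipped with a warning.
SAMPLE_AVC = "\n".join([
    "time->Fri Aug  9 22:29:36 2019",
    _avc("open", "etc_t", "file"),
    _avc("getattr", "etc_t", "file"),
    _avc("write", "tmp_t", "file"),
    _avc("add_name", "tmp_t", "dir"),
    _avc("read", "etc_t", "file"),
    _avc("read", "etc_t", "file"),
    _avc("read", "cert_t", "file", stype="other_container.process"),
])


if __name__ == "__main__":
    # Usage: python avc_to_cil.py [avc_file] [container_name]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AVC
    name = sys.argv[2] if len(sys.argv) > 2 else "my_container"
    rules, warnings = collect_rules(text, name)
    for w in warnings:
        print("warning:", w, file=sys.stderr)
    for rule in render_cil(rules):
        print("    " + rule)
```

Two points worth noticing when reading the output: the duplicate `read` denial on `etc_t` collapses into a single permission inside one rule rather than producing two rules, and the `cert_t` denial never reaches the policy because its source type is `other_container.process`, exactly the case the commit's note says is treated as non-related.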