man(8) | udica man page | man(8) |
NAME
udica - a tool for generating SELinux security profiles for containers.
SYNOPSIS
udica [options] container_name
DESCRIPTION
udica generates SELinux security policies for containers. It relies on the "block inheritance" feature of the CIL intermediate language supported by the SELinux userspace: the generated policy is a CIL block that inherits rules from the specified template blocks and adds rules discovered by inspecting the container's JSON description, in particular its mount points and published ports. The resulting module is loaded together with the templates it inherits from (see -l).
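To make the mechanism concrete, here is an added example (not udica's own code) that performs a simplified version of the same step: it reads a podman/docker-style inspect document, extracts bind mounts, published ports and capabilities, and emits a CIL block that inherits from template blocks and adds allow rules for what it found. Everything beyond that is an assumption: the template block names (container, restricted_net_container, net_container) follow udica's shipped templates as the author understands them, the path-to-type and port-to-type tables are hand-made stand-ins for what matchpathcon(1) and `semanage port -l` would return, the sample inspect document is constructed, and the script name gen_cil.py is hypothetical.

```python
"""Simplified stand-in for udica's policy generation (added example, not udica code).

Reads a podman/docker style `inspect` document, pulls out bind mounts, published
ports and capabilities, and emits a CIL block built on template blocks.
Assumptions: template block names follow udica's shipped templates; the type
tables below replace matchpathcon(1) and `semanage port -l`.
"""
import json
import sys
from typing import Dict, List, Tuple

# Assumed host-path -> file type table (reference-policy type names).
PATH_TYPES = {"/home": "user_home_t", "/var/log": "var_log_t", "/tmp": "tmp_t"}

# Assumed (protocol, port) -> port type table.
PORT_TYPES = {("tcp", 80): "http_port_t", ("tcp", 443): "http_port_t",
              ("tcp", 5432): "postgresql_port_t", ("udp", 53): "dns_port_t"}

# Permission sets granted per object class, read-only vs read-write.
PERMS = {
    ("dir", False): "open read getattr lock search ioctl",
    ("dir", True): "open read getattr lock search ioctl add_name remove_name write create rmdir",
    ("file", False): "open read getattr lock ioctl",
    ("file", True): "open read getattr lock ioctl write append create unlink rename setattr",
}

# Constructed sample in the shape `podman inspect` prints (a list, one entry per container).
SAMPLE_INSPECT = [{
    "Id": "0123456789abcdef",  # constructed
    "Mounts": [
        {"Type": "bind", "Source": "/var/log/myapp", "Destination": "/var/log/app", "RW": True},
        {"Type": "bind", "Source": "/home/alice/data", "Destination": "/data", "RW": False},
        {"Type": "volume", "Name": "dbdata", "Source": "/var/lib/containers/storage/volumes/dbdata/_data",
         "Destination": "/var/lib/db", "RW": True},
    ],
    "HostConfig": {"PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]}},
    "EffectiveCaps": ["CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_NET_BIND_SERVICE"],
}]


def _container(inspect_obj: object) -> dict:
    """Accept either the list podman/docker print or a single container object."""
    if isinstance(inspect_obj, list):
        if not inspect_obj:
            raise ValueError("empty inspect output")
        return inspect_obj[0]
    return inspect_obj


def path_type(host_path: str) -> str:
    """Longest-prefix match into PATH_TYPES; unknown paths get container_file_t,
    the type podman assigns when relabelling a bind mount with :Z."""
    best = ""
    for prefix in PATH_TYPES:
        if (host_path == prefix or host_path.startswith(prefix + "/")) and len(prefix) > len(best):
            best = prefix
    return PATH_TYPES[best] if best else "container_file_t"


def mounts_from_inspect(inspect_obj: object) -> List[Tuple[str, bool]]:
    """Bind mounts as (host source, read-write?). Named volumes are skipped: the engine labels them."""
    return [(m["Source"], bool(m.get("RW", True)))
            for m in _container(inspect_obj).get("Mounts", []) if m.get("Type") == "bind"]


def ports_from_inspect(inspect_obj: object) -> List[Tuple[str, int]]:
    """Container-side published ports as (proto, port); the process binds the container port."""
    bindings = (_container(inspect_obj).get("HostConfig") or {}).get("PortBindings") or {}
    found = set()
    for key in bindings:
        port, _, proto = key.partition("/")
        found.add((proto or "tcp", int(port)))
    return sorted(found)


def caps_from_inspect(inspect_obj: object, override: List[str] = None) -> List[str]:
    """Capabilities in CIL spelling. `override` plays the role of udica's -c (needed for docker)."""
    caps = override if override is not None else _container(inspect_obj).get("EffectiveCaps", [])
    norm = set()
    for cap in caps:
        cap = cap.lower()
        norm.add(cap[4:] if cap.startswith("cap_") else cap)
    return sorted(norm)


def generate_cil(name: str, inspect_obj: object, caps: List[str] = None, full_network: bool = False) -> str:
    """Emit one CIL block; the process type it defines is `<name>.process`."""
    lines = [f"(block {name}", "    (blockinherit container)",
             "    (blockinherit net_container)" if full_network else "    (blockinherit restricted_net_container)"]
    cap_list = caps_from_inspect(inspect_obj, caps)
    if cap_list:
        lines.append(f"    (allow process process (capability ({' '.join(cap_list)})))")
    if not full_network:  # net_container already permits binding any port
        for proto, port in ports_from_inspect(inspect_obj):
            ptype = PORT_TYPES.get((proto, port))
            if ptype is None:
                raise ValueError(f"no port type known for {port}/{proto}; check `semanage port -l`")
            lines.append(f"    (allow process {ptype} ({proto}_socket (name_bind)))")
    types: Dict[str, bool] = {}
    for source, rw in mounts_from_inspect(inspect_obj):
        t = path_type(source)
        types[t] = types.get(t, False) or rw  # read-write wins if one type appears twice
    for t, rw in types.items():
        for cls in ("dir", "file"):
            lines.append(f"    (allow process {t} ({cls} ({PERMS[(cls, rw)]})))")
    lines.append(")")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python3 gen_cil.py my_container [inspect.json] > my_container.cil
    # Without a file argument the constructed sample is used.
    name = sys.argv[1] if len(sys.argv) > 1 else "my_container"
    data = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE_INSPECT
    sys.stdout.write(generate_cil(name, data))
```

The emitted block must be loaded with semodule together with the template files defining the blocks it inherits from, and the container then started with the process type the block defines (label=type:my_container.process). The port rule is deliberately raised as an error when the port type is unknown rather than silently skipped, since a missing name_bind rule shows up only as a denial at runtime.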
SUPPORTED CONTAINER ENGINES
CRI-O v1.14.10+, docker v1.13+, podman v2.0+
OPTIONS
-h, --help
    Show this help message and exit.
-i, --container-id ID
    ID of the running container for which the SELinux policy should be created.
-j, --json JSONFILE
    Load the JSON content of the inspected container from this file instead of standard input.
-l, --load-modules
    Load the templates and the module created by this tool.
-c, --caps CAPS
    Comma-separated list of capabilities, for example "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL" (mandatory for Docker Engine, see the BUGS section).
--devices DEVS
    Comma-separated list of devices the container should have access to, e.g. "--devices /dev/dri/card0,/dev/dri/renderD128" (overrides the devices found in the container JSON).
-a, --append-rules FILE
    Append further SELinux allow rules generated from the SELinux denials (AVC messages) recorded in FILE by the audit daemon.
-s, --stream-connect DOMAIN
    Allow the container to stream-connect (unix_stream_socket connectto) to the given SELinux domain.
-e, --container-engine ENGINE
    Specify which container engine produced the inspected JSON (supports: CRI-O, docker, podman).
--full-network-access
    Allow the container full network access.
--tty-access
    Allow the container to read and write its controlling terminal.
--X-access
    Allow the container to communicate with the X server.
--virt-access
    Allow the container to communicate with libvirt.
EXIT STATUS
0
    No errors encountered.
1
    Other errors.
2
    Error while parsing options.
3
    Error while getting container info.
4
    Error while creating an SELinux policy.
EXAMPLES
# cat my_con.json | udica --X-access --full-network-access my_container

Creates a new SELinux policy named my_container from the container JSON read on standard input, additionally allowing access to the X server and full network access.
SEE ALSO
BUGS
Docker Engine does not expose the capabilities a container runs with, so udica cannot detect them; capabilities of docker containers have to be specified manually with '-c'.
It is not possible to generate a custom local policy with "audit2allow -M" from AVCs whose source context was generated by udica. Use the '--append-rules' option for this purpose instead.
In some situations udica fails to identify which container engine is used; the "--container-engine" parameter then has to be given so that udica knows how to parse the JSON inspection file.
REPORTING BUGS
Report bugs to <https://github.com/containers/udica/issues/>
AUTHOR
Written by Lukas Vrabec (lvrabec@redhat.com)
17 February 2019 | 1.1 |