Udica can now generate cil policy for a confined user using a list of
macros.
The macros are based on policy templates created by Patrik Končitý:
https://github.com/Koncpa/confined-users-policy
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>

Explain the implications of generating policy based on security labels
as opposed to filesystem paths, port numbers, etc.
https://github.com/containers/udica/issues/7
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>

The following commit adds a new parameter to specify which container
engine is used for inspecting the container.
Example:
# udica --container-engine podman -j my_container.json my_container
...
# udica -e docker -j my_container.json my_container
...
In some situations udica fails to identify which engine is used;
therefore this parameter has to be used.
The commit also includes a test for the feature.

This adds a dockerfile which allows you to build a container for udica
from source.
It also includes a Makefile that'll allow you to build the image with
your preferred command (the default is podman and the default tag is
"latest").
Note that in order to use udica as a container, you need to bind-mount
the following directories to it:
* /sys/fs/selinux
* /etc/selinux
* /var/lib/selinux

We now have a 3-file test structure.
All of the tests are in test_main.py as they've always been.
The unit test call should be done from the test_unit.py module, which is
also called from the Makefile and the CI.
Integration tests (which really call selinux) are called separately and
directly from the test_integration module. This also requires that the
udica package is installed in the calling system.

Udica now supports adding allow rules based on AVC logs from the audit daemon.
With this feature, there is no need to manually modify a container
policy.
Using the '-a' or '--append-rules' parameter with a path to a file with
SELinux denials will also add additional rules.
Example:
# cat avc_file
type=AVC msg=audit(1565382576.178:800): avc: denied { read } for pid=1503 comm=container_test scontext=system_u:system_r:my_container.process:s0:c211,c982 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
# udica -j my_container.json --append-rules avc_file my_container
...
...
# cat my_container.cil
(block my_container
(blockinherit container)
(allow process process ( capability ( chown dac_override fsetid fowner mknod net_raw setgid setuid setfcap setpcap net_bind_service sys_chroot kill audit_write )))
*(allow process cert_t ( file ( read )))*
Note: SELinux denials where the source context is different than the name
of the generated container SELinux domain are considered non-related and
these rules won't be added to the policy. Udica prints a warning message
when this situation occurs.
Closes: #38
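As an added illustration, not part of this commit or of udica's own code, the following Python sketch shows the AVC-to-CIL translation the commit message describes: it parses audit denial records, keeps only those whose source type is `<container>.process`, merges permissions per target type and object class, warns about denials from unrelated domains, and emits the allow rules inside the container block. The sample log lines are constructed, and the function names, the permission merging and the warning format are assumptions, not udica's implementation.

```python
import re

# Constructed sample audit log (not taken from the udica project): two denials
# for the generated container domain, one for an unrelated domain, and one
# SYSCALL record that must be ignored.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1565382576.178:800): avc: denied { read } for pid=1503 comm=container_test scontext=system_u:system_r:my_container.process:s0:c211,c982 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1565382577.001:801): avc:  denied  { read write } for  pid=1504 comm="container_test" scontext=system_u:system_r:my_container.process:s0:c211,c982 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1565382578.002:802): avc: denied { write } for pid=2000 comm=httpd scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1565382576.178:800): arch=c000003e syscall=257 success=no exit=-13
"""

# Fields of an AVC denial record that matter for building an allow rule.
# Tolerates the single- and double-space variants auditd emits.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, None otherwise."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
    }


def avc_to_cil_rules(log_text, container_name):
    """Turn denials for <container_name>.process into CIL allow rules.

    Denials whose source domain is not the generated container domain are
    reported as warnings and skipped (the behaviour the commit message
    describes).  Permissions are merged per (target type, class), which is an
    assumption of this sketch rather than documented udica behaviour.
    """
    domain = f"{container_name}.process"
    merged = {}  # (target type, tclass) -> set of permissions, insertion ordered
    warnings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_avc(line)
        if rec is None:
            continue
        source_type = context_type(rec["scontext"])
        if source_type != domain:
            warnings.append(
                f"line {lineno}: source domain {source_type} is not {domain}; rule skipped"
            )
            continue
        key = (context_type(rec["tcontext"]), rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    rules = [
        f"(allow process {ttype} ( {tclass} ( {' '.join(sorted(perms))} )))"
        for (ttype, tclass), perms in merged.items()
    ]
    return rules, warnings


def render_block(container_name, rules):
    """Wrap the rules in a CIL block that inherits the udica 'container' template."""
    lines = [f"(block {container_name}", "    (blockinherit container)"]
    lines.extend("    " + rule for rule in rules)
    lines.append(")")
    return "\n".join(lines)


if __name__ == "__main__":
    rules, warnings = avc_to_cil_rules(SAMPLE_AVC_LOG, "my_container")
    for w in warnings:
        print("warning:", w)
    print(render_block("my_container", rules))
```

Running the script prints one warning for the `httpd_t` denial and a block containing `(allow process cert_t ( file ( read )))` plus a merged `sock_file` rule; checking the source type rather than the whole context string is what keeps the rule from being copied into the wrong domain when the MLS/MCS categories differ between runs.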