1
2man(8)                          udica man page                          man(8)
3
4
5

NAME

7       udica - a tool for generating SELinux security profiles for containers.
8
9

SYNOPSIS

11       udica [options] container_name
12
13

DESCRIPTION

15       A  tool  for  generating  SELinux security profiles for containers. The
16       whole concept is based on the "block inheritance"  feature  inside  the
17       CIL intermediate language supported by the SELinux user space. The tool
18       creates a policy which combines  rules  inherited  from  specified  CIL
19       blocks  (templates) and rules discovered by inspection of the container
20       JSON file with mount points and port definitions.
21
22

SUPPORTED CONTAINER ENGINES

24       CRI-O v1.14.10+ docker v1.13+ podman v1.4+,
25
26

OPTIONS

28       -h, --help
29              Show this help message and exit
30
31
32       -i, --container-id ID
33              An ID of the running container for which should  be  an  SELinux
34              policy created
35
36
37       -j, --json JSONFILE
38              Load JSON content of the inspected container from this file
39
40
41       -l, --load-modules
42              Load templates and module created by this tool
43
44
45       -c, --caps CAPS
46              List       of      capabilities,      for      example:      "-c
47              AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL" (mandatory to
48              use for Docker Engine, see the BUGS section)
49
50
51       -a, --append-rules FILE
52              Append  more  SELinux allow rules generated from SELinux denials
53              in audit daemon.
54
55
56       -s, --stream-connect DOMAIN
57              Allow container to stream connect with given SELinux domain.
58
59
60       -e, --container-engine ENGINE
61              Specify which container engine is used for  the  inspected  con‐
62              tainer (supports: CRI-O, docker, podman)
63
64
65       --full-network-access
66              Allow a container full network access
67
68
69       --tty-access
70              Allow a container to read and write the controlling terminal
71
72
73       --X-access
74              Allow a container to communicate with the X server
75
76
77       --virt-access
78              Allow a container to communicate with libvirt
79
80

EXIT STATUS

82       0      no errors encountered.
83
84       1      other errors.
85
86       2      error while parsing options.
87
88       3      error while getting container info.
89
90       4      error while creating an SELinux policy.
91
92

EXAMPLES

94       # cat my_con.json | udica --x-access --full-network-access my_container
95       Creates a new SELinux policy with name my_container based on inspecting container and adding access
96       to the X server and full network access.
97
98

SEE ALSO

100       selinux(8), podman(1)
101
102

BUGS

104       Since  it is not possible to detect capabilities used by a container in
105       Docker Engine, you have to use '-c' to specify capabilities for  docker
106       container manually.
107
108       It  is  not  possible  to  generate  a  custom  local  policy using the
109       "audit2allow -M" command from AVCs where source context  was  generated
110       by udica. For this purpose please use '--append-rules' option.
111
112        In  some  situations udica fails to identify which container engine is
113       used, therefore "--container-engine" parameter has to be used to inform
114       udica how JSON inspection file should be parsed.
115
116

REPORTING BUGS

118       Report bugs to <https://github.com/containers/udica/issues/>
119
120

AUTHOR

122       Written by Lukas Vrabec (lvrabec@redhat.com)
123
124
125
1261.1                            17 February 2019                         man(8)
Impressum