man(8)                          udica man page                          man(8)


NAME

       udica - a tool for generating SELinux security profiles for containers.

SYNOPSIS

       udica [options] container_name

DESCRIPTION

       A  tool  for  generating  SELinux security profiles for containers. The
       whole concept is based on the "block inheritance"  feature  inside  the
       CIL intermediate language supported by the SELinux user space. The tool
       creates a policy which combines  rules  inherited  from  specified  CIL
       blocks  (templates) and rules discovered by inspection of the container
       JSON file with mount points and port definitions.
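       The following is an added illustration of the approach described above,
       not code from udica itself: it reads a trimmed, constructed `podman
       inspect`-style JSON document, inherits from template blocks, and then
       appends rules derived from the container's mounts, published ports and
       an explicit capability list (the kind of list the -c option takes; see
       BUGS). The template names, the port-type and path-type tables and the
       permission sets are assumptions made for the example; a real generator
       would look them up in the loaded SELinux policy.

```python
"""Illustrative CIL block generator modelled on the udica man page's
description: inherit template blocks, then add rules discovered from the
container inspect JSON (mounts, ports) and a capability list.
Added example, not udica's own code. Template/type names and the lookup
tables below are assumptions; a real tool consults the loaded policy."""
import json
from typing import Dict, List, Tuple

# Constructed sample shaped like a trimmed `podman inspect` result:
# one read-only bind mount, one read-write bind mount, one TCP port.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123456789ab",
    "Mounts": [
        {"Source": "/etc/myapp", "Destination": "/etc/myapp", "RW": False},
        {"Source": "/var/lib/myapp", "Destination": "/data", "RW": True},
    ],
    "NetworkSettings": {
        "Ports": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]},
    },
}])

# Assumed lookup tables (stand-ins for querying the system policy).
PORT_TYPES: Dict[Tuple[int, str], str] = {
    (80, "tcp"): "http_port_t",
    (443, "tcp"): "http_port_t",
    (8080, "tcp"): "http_cache_port_t",
    (53, "udp"): "dns_port_t",
}
PATH_TYPES: List[Tuple[str, str]] = [  # longest matching prefix wins
    ("/var/lib", "var_lib_t"),
    ("/var/log", "var_log_t"),
    ("/etc", "etc_t"),
    ("/home", "home_root_t"),
]
DIR_RO = "open read getattr lock search ioctl"
DIR_RW = DIR_RO + " add_name remove_name write create rmdir"
FILE_RO = "open read getattr lock ioctl"
FILE_RW = FILE_RO + " write create unlink append setattr"


def parse_inspect(text: str) -> Dict[str, list]:
    """Extract (host path, rw flag) mounts and (port, proto) pairs."""
    data = json.loads(text)
    container = data[0] if isinstance(data, list) else data  # podman wraps in a list
    mounts = [(m["Source"], bool(m.get("RW", False)))
              for m in container.get("Mounts", [])]
    ports = []
    # "Ports" can be null on some engines, hence the "or {}".
    for spec in container.get("NetworkSettings", {}).get("Ports", {}) or {}:
        port, _, proto = spec.partition("/")
        ports.append((int(port), proto or "tcp"))
    return {"mounts": mounts, "ports": ports}


def path_type(path: str) -> str:
    """Map a host path to an SELinux file type by longest prefix (assumed table)."""
    best, best_len = "default_t", -1
    for prefix, typ in PATH_TYPES:
        if (path == prefix or path.startswith(prefix + "/")) and len(prefix) > best_len:
            best, best_len = typ, len(prefix)
    return best


def generate_cil(name: str, info: Dict[str, list], caps: List[str],
                 full_network: bool = False) -> str:
    """Build the CIL block: template inheritance first, then discovered rules."""
    lines = [f"(block {name}", "    (blockinherit container)"]
    # Either the unrestricted network template, or the restricted one plus
    # name_bind on exactly the port types found in the inspect JSON.
    lines.append("    (blockinherit net_container)" if full_network
                 else "    (blockinherit restricted_net_container)")
    if caps:
        caps_txt = " ".join(c.lower() for c in caps)
        lines.append(f"    (allow process process ( capability ( {caps_txt} )))")
    for src, rw in info["mounts"]:
        t = path_type(src)
        lines.append(f"    (allow process {t} ( dir ( {DIR_RW if rw else DIR_RO} )))")
        lines.append(f"    (allow process {t} ( file ( {FILE_RW if rw else FILE_RO} )))")
    if not full_network:
        for port, proto in info["ports"]:
            ptype = PORT_TYPES.get((port, proto), "unreserved_port_t")
            lines.append(f"    (allow process {ptype} ( {proto}_socket ( name_bind )))")
    lines.append(")")
    return "\n".join(lines)


if __name__ == "__main__":
    # Capabilities passed explicitly, as the -c option requires for Docker.
    print(generate_cil("my_container", parse_inspect(SAMPLE_INSPECT),
                       ["CHOWN", "NET_BIND_SERVICE"]))
```

       The read-only mount yields only read-type permissions on etc_t, the
       read-write mount adds write permissions on var_lib_t, and the published
       port becomes a single name_bind rule; with full network access the port
       rules are dropped in favour of the broader template.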

SUPPORTED CONTAINER ENGINES

       CRI-O v1.14.10+, docker v1.13+, podman v2.0+

OPTIONS

       -h, --help
              Show this help message and exit

       -i, --container-id ID
              The ID of the running container for which an SELinux  policy
              should be created

       -j, --json JSONFILE
              Load the JSON content of the inspected container from this file

       -l, --load-modules
              Load the templates and the module created by this tool

       -c, --caps CAPS
              List of capabilities, for example:
              "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL" (mandatory
              for Docker Engine, see the BUGS section)

       --devices DEVS
              List of devices the container should have access to, e.g.
              "--devices /dev/dri/card0,/dev/dri/renderD128" (overrides the
              devices specified in the container JSON)

       -a, --append-rules FILE
              Append more SELinux allow rules generated from SELinux denials
              recorded by the audit daemon.

       -s, --stream-connect DOMAIN
              Allow the container to stream connect to the given SELinux
              domain.

       -e, --container-engine ENGINE
              Specify which container engine is used  for  the  inspected
              container (supports: CRI-O, docker, podman)

       --full-network-access
              Allow a container full network access

       --tty-access
              Allow a container to read and write the controlling terminal

       --X-access
              Allow a container to communicate with the X server

       --virt-access
              Allow a container to communicate with libvirt


EXIT STATUS

       0      no errors encountered.

       1      other errors.

       2      error while parsing options.

       3      error while getting container info.

       4      error while creating an SELinux policy.


EXAMPLES

       # cat my_con.json | udica --x-access --full-network-access my_container

       Creates a new SELinux policy named my_container based on the inspection
       output of the container, adding access to the X server and full network
       access.


SEE ALSO

       selinux(8), podman(1)


BUGS

       Since  it is not possible to detect capabilities used by a container in
       Docker Engine, you have to use '-c' to specify the capabilities  for  a
       docker container manually.

       It  is  not possible to generate a custom local policy using the "audit2allow
       -M" command from AVCs whose source context was generated by udica.  For
       this purpose please use the '--append-rules' option.

       In  some  situations  udica fails to identify which container engine is
       used; the "--container-engine" parameter then has to be used to  inform
       udica how the JSON inspection file should be parsed.


REPORTING BUGS

       Report bugs to <https://github.com/containers/udica/issues/>


AUTHOR

       Written by Lukas Vrabec (lvrabec@redhat.com)


1.1                             17 February 2019                         man(8)