man(8)                          udica man page                          man(8)


NAME

       udica - a tool for generating SELinux security profiles for containers


SYNOPSIS

       udica [options] container_name


DESCRIPTION

       A tool for generating SELinux security profiles for containers.  The
       whole concept is based on the "block inheritance" feature of the CIL
       intermediate language supported by the SELinux userspace.  The tool
       creates a policy that combines rules inherited from the specified CIL
       blocks (templates) with rules discovered by inspecting the container
       JSON file for mount points and port definitions.


OPTIONS

       -h, --help
              Show this help message and exit

       -i, --container-id ID
              ID of the running container for which an SELinux policy should
              be created

       -j, --json JSONFILE
              Load the JSON content of the inspected container from this file

       -l, --load-modules
              Load the templates and the module created by this tool

       -c, --caps CAPS
              Comma-separated list of capabilities, for example:
              "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL"
              (mandatory when used with Docker Engine, see the BUGS section)

       --full-network-access
              Allow the container full network access

       --tty-access
              Allow the container to read and write the controlling terminal

       --X-access
              Allow the container to communicate with the X server

       --virt-access
              Allow the container to communicate with libvirt


EXAMPLES

       # cat my_con.json | udica --x-access --full-network-access my_container
       Creates a new SELinux policy named my_container based on inspecting the
       container, adding access to the X server and full network access.

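       To illustrate the concept described above (an added sketch, not udica's
       own code or output): a small generator that reads the Mounts and
       HostConfig.PortBindings fields of an inspect JSON and emits a CIL block
       that inherits a base template and adds the discovered rules.  The
       template names, the path and port label tables, and the inspect sample
       are all constructed assumptions, not values taken from udica or a real
       host.

```python
import json

# Constructed sample of the inspect JSON fields this sketch reads (not a real
# container; the Mounts / HostConfig.PortBindings layout follows the inspect format).
SAMPLE_INSPECT = json.dumps([{
    "Name": "my_container",
    "Mounts": [
        {"Source": "/var/log/app", "Destination": "/logs", "RW": True},
        {"Source": "/etc/app", "Destination": "/config", "RW": False},
    ],
    "HostConfig": {"PortBindings": {"8080/tcp": [{"HostPort": "8080"}]}},
}])
# Stand-ins for the host's file-context and port-label lookups (assumption: a real
# generator would query the loaded SELinux policy instead of fixed tables).
TYPE_FOR_PATH = {"/var/log": "var_log_t", "/etc": "etc_t"}
TYPE_FOR_PORT = {(8080, "tcp"): "http_port_t"}
DIR_READ = "open read getattr lock search ioctl"
DIR_WRITE = DIR_READ + " add_name remove_name write"

def parse_inspect(text):
    """Return ([(host_path, rw)], [(port, proto)]) from inspect output."""
    data = json.loads(text)
    obj = data[0] if isinstance(data, list) else data
    mounts = [(m["Source"], bool(m.get("RW", False))) for m in obj.get("Mounts", [])]
    ports = []
    for spec in obj.get("HostConfig", {}).get("PortBindings", {}) or {}:
        port, _, proto = spec.partition("/")
        ports.append((int(port), proto or "tcp"))
    return mounts, ports

def label_for_path(path):
    """Longest-prefix match of a host path against the context table."""
    best = max((p for p in TYPE_FOR_PATH if path == p or path.startswith(p + "/")),
               key=len, default=None)
    return TYPE_FOR_PATH.get(best, "default_t")

def generate_cil(name, mounts, ports, caps=(), full_network=False):
    """Emit a CIL block inheriting the assumed base template plus discovered rules."""
    lines = [f"(block {name}", "    (blockinherit container)"]
    if full_network:  # mirrors --full-network-access; template name assumed
        lines.append("    (blockinherit net_container)")
    if caps:  # mirrors -c CAPS; CIL capability names are lower case
        lines.append(f"    (allow process process (capability ({' '.join(c.lower() for c in caps)})))")
    for path, rw in mounts:  # read-only mounts get fewer dir permissions
        lines.append(f"    (allow process {label_for_path(path)} (dir ({DIR_WRITE if rw else DIR_READ})))")
    for port, proto in ports:  # published ports need name_bind on their port type
        ptype = TYPE_FOR_PORT.get((port, proto), "unreserved_port_t")
        lines.append(f"    (allow process {ptype} ({proto}_socket (name_bind)))")
    lines.append(")")
    return "\n".join(lines)
```

       Running generate_cil on the parsed sample with caps=("CHOWN", "KILL")
       and full_network=True yields one allow rule per mount and per port
       inside the inheriting block.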

SEE ALSO

       selinux(8), podman(1)


BUGS

       Since it is not possible to detect the capabilities used by a container
       in Docker Engine, you have to use '-c' to specify the capabilities of a
       Docker container manually.

       It is not possible to generate a custom local policy with the
       "audit2allow -M" command from AVCs whose source context was generated
       by udica.


REPORTING BUGS

       Report bugs to <https://github.com/containers/udica/issues/>


AUTHOR

       Written by Lukas Vrabec (lvrabec@redhat.com)



1.1                            17 February 2019                         man(8)