man(8)                        udica man page                        man(8)

NAME
       udica - a tool for generating SELinux security profiles for containers.
8
9
SYNOPSIS
       udica [options] container_name
12
13
DESCRIPTION
       A tool for generating SELinux security profiles for containers. The
       whole concept is based on the "block inheritance" feature of the CIL
       intermediate language supported by the SELinux userspace. The tool
       creates a policy that combines rules inherited from specified CIL
       blocks (templates) with rules discovered by inspecting the container
       JSON file, in particular its mount points and port definitions.
21
22
OPTIONS
       -h, --help
              Show this help message and exit.

       -i, --container-id ID
              The ID of the running container for which the SELinux policy
              should be created.

       -j, --json JSONFILE
              Load the JSON content of the inspected container from this
              file instead of standard input.

       -l, --load-modules
              Load the templates and the module created by this tool.

       -c, --caps CAPS
              Comma-separated list of capabilities, for example:
              "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL"
              (mandatory for Docker Engine, see the BUGS section).

       --full-network-access
              Allow the container full network access.

       --tty-access
              Allow the container to read and write the controlling terminal.

       --X-access
              Allow the container to communicate with the X server.

       --virt-access
              Allow the container to communicate with libvirt.
EXAMPLES
       # cat my_con.json | udica --X-access --full-network-access my_container
              Creates a new SELinux policy named my_container from the
              container inspect JSON read on standard input, adding access
              to the X server and full network access.
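       The DESCRIPTION states the mechanism in two sentences: inherit CIL
       template blocks, then append rules discovered from the container's
       mounts and ports. The following Python sketch, added here and not
       part of udica or of this man page, makes that concrete on a
       constructed inspect document. The template block names (container,
       restricted_net_container, net_container), the inspect keys it reads
       (Mounts, HostConfig.PortBindings, EffectiveCaps) and its
       path-to-type and port-to-type tables are assumptions for the demo;
       a real generator has to resolve file and port labels from the
       system's loaded policy rather than from static tables. Capability
       handling follows the -c requirement noted in BUGS: when the engine
       reports no capabilities, the caller must supply them or the
       generator refuses to produce a policy.

```python
"""Simplified illustration of the udica idea: one CIL block that inherits
template blocks and appends rules discovered from a container's inspect
JSON (bind mounts, published ports, capabilities).

Added example, not udica's source. Template names, inspect keys and the
label tables are assumptions; a real generator resolves file and port
labels from the loaded SELinux policy instead of static tables.
"""
import json

# Constructed: bind-mount source prefix -> SELinux file type.
PATH_TYPES = {
    "/home": "home_root_t",
    "/var/log": "var_log_t",
    "/tmp": "tmp_t",
}
# Constructed: (protocol, container port) -> SELinux port type. Port labels
# are global, not per network namespace, so the port the process bind()s
# inside the container is the one the rule must cover, not the host port.
PORT_TYPES = {
    ("tcp", 80): "http_port_t",
    ("tcp", 5432): "postgresql_port_t",
}

RO_DIR = "open read getattr lock search ioctl"
RW_DIR = RO_DIR + " add_name remove_name write"
RO_FILE = "getattr read open lock ioctl"
RW_FILE = RO_FILE + " write append create rename link unlink setattr"


def lookup_path_type(source):
    """Longest-prefix match of a bind-mount source against PATH_TYPES."""
    hits = [(p, t) for p, t in PATH_TYPES.items()
            if source == p or source.startswith(p.rstrip("/") + "/")]
    return max(hits, key=lambda pt: len(pt[0]))[1] if hits else None


def mount_rules(inspect):
    """One dir and one file rule per bind mount; read-only mounts get no write perms."""
    rules = []
    for m in inspect.get("Mounts", []):
        if m.get("Type", "bind") != "bind":
            continue  # named volumes are labelled by the runtime, not by the policy
        ftype = lookup_path_type(m["Source"])
        if ftype is None:
            # Fail closed: an unknown label must never turn into a broad allow rule.
            raise ValueError(f"no SELinux type known for {m['Source']}")
        rw = bool(m.get("RW", True))
        rules.append(f"    (allow process {ftype} ( dir ( {RW_DIR if rw else RO_DIR} )))")
        rules.append(f"    (allow process {ftype} ( file ( {RW_FILE if rw else RO_FILE} )))")
    return rules


def port_rules(inspect):
    """name_bind on the port type of each published container port."""
    rules = set()
    for spec in (inspect.get("HostConfig", {}).get("PortBindings") or {}):
        port, proto = spec.split("/")  # keys look like "80/tcp"
        ptype = PORT_TYPES.get((proto, int(port)))
        if ptype is None:
            raise ValueError(f"no SELinux port type known for {spec}")
        rules.add(f"    (allow process {ptype} ( {proto}_socket ( name_bind )))")
    return sorted(rules)


def capability_rules(inspect, caps=None):
    """Capabilities from the engine (assumed key 'EffectiveCaps') or, as with
    udica -c, from an explicit list when the engine does not report them."""
    raw = caps if caps is not None else inspect.get("EffectiveCaps")
    if raw is None:
        raise ValueError("engine reports no capabilities; pass them explicitly")
    names = set()
    for c in raw:
        c = c.upper()
        names.add((c[4:] if c.startswith("CAP_") else c).lower())
    return [f"    (allow process process ( capability ( {' '.join(sorted(names))} )))"]


def generate_cil(inspect, name, caps=None, full_network=False):
    """Assemble the block: inherited templates first, discovered rules after."""
    body = ["    (blockinherit container)"]  # assumed base template name
    if full_network:
        body.append("    (blockinherit net_container)")
    else:
        body.append("    (blockinherit restricted_net_container)")
        body += port_rules(inspect)
    body += capability_rules(inspect, caps)
    body += mount_rules(inspect)
    return "\n".join([f"(block {name}"] + body + [")"])


# Constructed, abridged inspect output in the shape container engines emit.
SAMPLE_INSPECT = json.loads("""{
  "Id": "0123456789ab",
  "EffectiveCaps": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE"],
  "HostConfig": {"PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]}},
  "Mounts": [
    {"Type": "bind", "Source": "/home/web/site", "Destination": "/srv", "RW": false},
    {"Type": "bind", "Source": "/var/log/web", "Destination": "/var/log", "RW": true}
  ]
}""")

if __name__ == "__main__":
    print(generate_cil(SAMPLE_INSPECT, "my_container"))
```

       Because every rule targets "process" inside the block, the type the
       runtime must be given is NAME.process (for the sample,
       my_container.process); the template blocks the policy inherits from
       have to be loaded into the kernel alongside the generated module, or
       the blockinherit statements cannot be resolved.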
67
68
SEE ALSO
       selinux(8), podman(1)
71
72
BUGS
       Since it is not possible to detect the capabilities used by a
       container in Docker Engine, you have to use '-c' to specify the
       capabilities of a Docker container manually.

       It is not possible to generate a custom local policy with the
       "audit2allow -M" command from AVCs whose source context was generated
       by udica.
81
82
REPORTING BUGS
       Report bugs to <https://github.com/containers/udica/issues/>
85
86
AUTHOR
       Written by Lukas Vrabec (lvrabec@redhat.com)
89
90
91
1.1                           17 February 2019                        man(8)