1
2man(8)                          udica man page                          man(8)
3
4
5

NAME

7       udica - a tool for generating SELinux security profiles for containers.
8
9

SYNOPSIS

11       udica [options] container_name
12
13

DESCRIPTION

15       A  tool  for  generating  SELinux security profiles for containers. The
16       whole concept is based on the "block inheritance"  feature  inside  the
17       CIL intermediate language supported by the SELinux user space. The tool
18       creates a policy which combines  rules  inherited  from  specified  CIL
19       blocks  (templates) and rules discovered by inspection of the container
20       JSON file with mount points and port definitions.
21
22

SUPPORTED CONTAINER ENGINES

24       CRI-O v1.14.10+ docker v1.13+ podman v2.0+,
25
26

OPTIONS

28       -h, --help
29              Show this help message and exit
30
31
32       -i, --container-id ID
33              An ID of the running container for which should  be  an  SELinux
34              policy created
35
36
37       -j, --json JSONFILE
38              Load JSON content of the inspected container from this file
39
40
41       -l, --load-modules
42              Load templates and module created by this tool
43
44
45       -c, --caps CAPS
46              List       of      capabilities,      for      example:      "-c
47              AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL" (mandatory to
48              use for Docker Engine, see the BUGS section)
49
50
51       -a, --append-rules FILE
52              Append  more  SELinux allow rules generated from SELinux denials
53              in audit daemon.
54
55
56       -s, --stream-connect DOMAIN
57              Allow container to stream connect with given SELinux domain.
58
59
60       -e, --container-engine ENGINE
61              Specify which container engine is used for  the  inspected  con‐
62              tainer (supports: CRI-O, docker, podman)
63
64
65       --full-network-access
66              Allow a container full network access
67
68
69       --tty-access
70              Allow a container to read and write the controlling terminal
71
72
73       --X-access
74              Allow a container to communicate with the X server
75
76
77       --virt-access
78              Allow a container to communicate with libvirt
79
80

EXIT STATUS

82       0      no errors encountered.
83
84       1      other errors.
85
86       2      error while parsing options.
87
88       3      error while getting container info.
89
90       4      error while creating an SELinux policy.
91
92

EXAMPLES

94       # cat my_con.json | udica --x-access --full-network-access my_container
95       Creates a new SELinux policy with name my_container based on inspecting container and adding access to the X server and full network access.
96
97

SEE ALSO

99       selinux(8), podman(1)
100
101

BUGS

103       Since  it is not possible to detect capabilities used by a container in
104       Docker Engine, you have to use '-c' to specify capabilities for  docker
105       container manually.
106
107       It  is  not  possible  to  generate  a  custom  local  policy using the
108       "audit2allow -M" command from AVCs where source context  was  generated
109       by udica. For this purpose please use '--append-rules' option.
110
111       In  some  situations  udica fails to identify which container engine is
112       used, therefore "--container-engine" parameter has to be used to inform
113       udica how JSON inspection file should be parsed.
114
115

REPORTING BUGS

117       Report bugs to <https://github.com/containers/udica/issues/>
118
119

AUTHOR

121       Written by Lukas Vrabec (lvrabec@redhat.com)
122
123
124
1251.1                            17 February 2019                         man(8)
Impressum