Bug 1732704

Summary: udica should be able to update the generated policy based on AVC denial messages
Product: Red Hat Enterprise Linux 8
Reporter: Petr Lautrbach <plautrba>
Component: udica
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact: Jan Fiala <jafiala>
Priority: high
Version: 8.1
CC: lvrabec, zpytela
Target Milestone: rc
Keywords: RFE
Target Release: 8.2
Hardware: All
OS: Linux
Doc Type: Enhancement
Doc Text:
`udica` can add new allow rules generated from SELinux denials to existing container policy

When a container that is running under a policy generated by the `udica` utility triggers an SELinux denial, `udica` is now able to update the policy. The new parameter `-a` or `--append-rules` can be used to append rules from an AVC file.
Last Closed: 2020-04-28 15:47:16 UTC
Type: Bug
Bug Depends On: 1757693
Bug Blocks: 1755139

Description Petr Lautrbach 2019-07-24 07:44:13 UTC
This bug was initially created as a copy of Bug #1680601

If a container is running under a policy generated by udica and the container triggers some SELinux denials, then these denials cannot be transformed into a local policy module via audit2allow, but udica itself could be able to update the policy, and users would use udica instead of audit2allow.

e.g.
1. podman run --security-opt label=type:my_container.process -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it fedora bash
2. run in the container as root: nc -lvp 22
3. run on the host as root: udica --modify --avc audit.log my_container

This would update my_container.cil with the rules needed for the container to bind to port 22, and the user would just install the module again.
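The denial-to-rule step the request describes, as an added simplified illustration (not udica's own code and not from this bug): parse AVC records from the audit log and emit the CIL allow rules that would be appended to my_container.cil. The audit lines are constructed; `ssh_port_t` is the SELinux port type assigned to port 22, and denials from domains other than the container's are skipped so the appended rules only widen the policy being edited.

```python
"""Turn SELinux AVC denials into CIL allow rules for a udica-generated policy.

Simplified, added illustration of the requested workflow; not udica's code.
Only the fields needed for an allow rule are read; real records carry more.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(lines):
    """Yield (source_type, target_type, class, perms) for each AVC denial line."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        stype = m.group("scontext").split(":")[2]  # user:role:TYPE:level
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), tuple(m.group("perms").split())

def avc_to_cil(lines, container_type):
    """Return CIL allow rules for denials whose source is container_type.

    Denials hitting the same (target type, class) are merged into one rule,
    and repeated denials do not produce duplicate rules.
    """
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(lines):
        if stype != container_type:
            continue  # another domain's denial: not this container's policy
        merged[(ttype, tclass)].update(perms)
    return [
        f"(allow {container_type} {ttype} ({tclass} ({' '.join(sorted(perms))})))"
        for (ttype, tclass), perms in sorted(merged.items())
    ]

# Constructed sample: two runs of `nc -lvp 22` inside the container plus an
# unrelated sshd denial that must not end up in my_container.cil.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1563954253.100:412): avc:  denied  { name_bind } for  pid=2241 comm="nc" '
    'src=22 scontext=system_u:system_r:my_container.process:s0:c12,c34 '
    'tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1563954301.500:419): avc:  denied  { name_bind } for  pid=2290 comm="nc" '
    'src=22 scontext=system_u:system_r:my_container.process:s0:c12,c34 '
    'tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1563954310.200:420): avc:  denied  { read } for  pid=900 comm="sshd" '
    'scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    for rule in avc_to_cil(SAMPLE_AUDIT, "my_container.process"):
        print(rule)  # (allow my_container.process ssh_port_t (tcp_socket (name_bind)))
```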

Comment 1 Lukas Vrabec 2019-07-24 16:04:23 UTC
Upstream ticket created: 
https://github.com/containers/udica/issues/38

Comment 19 errata-xmlrpc 2020-04-28 15:47:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1650