Bug 1732704 - udica should be able to update the generated policy based on AVC denial messages
Summary: udica should be able to update the generated policy based on AVC denial messages
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: udica
Version: 8.1
Hardware: All
OS: Linux
Target Milestone: rc
: 8.2
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Jan Fiala
Depends On: 1757693
Blocks: 1755139
Reported: 2019-07-24 07:44 UTC by Petr Lautrbach
Modified: 2020-09-20 13:22 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
.`udica` can add new allow rules generated from SELinux denials to existing container policy
When a container that is running under a policy generated by the `udica` utility triggers an SELinux denial, `udica` is now able to update the policy. The new parameter `-a` or `--append-rules` can be used to append rules from an AVC file.
Clone Of:
Last Closed: 2020-04-28 15:47:16 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System: Red Hat Product Errata
ID: RHSA-2020:1650
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2020-04-28 15:47:33 UTC

Description Petr Lautrbach 2019-07-24 07:44:13 UTC
This bug was initially created as a copy of Bug #1680601

If a container is running under a policy generated by udica and the container triggers some SELinux denials, then these denials cannot be transformed into a local policy module via audit2allow; udica itself, however, could be able to update the policy, and users would use udica instead of audit2allow.

1. podman run --security-opt label=type:my_container.process -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it fedora bash
2. run in the container as root: nc -lvp 22
3. run on the host as root: udica --modify --avc audit.log my_container

This would update my_container.cil with the rules needed for the container to bind to port 22, and the user would just install the module again.
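The workflow proposed above (and the `--append-rules` behaviour described in the Doc Text) amounts to three steps: parse the AVC denial records, turn each one into a CIL allow rule expressed in the container block's local names, and insert those rules before the block's closing paren so the module can be reinstalled. The following Python script is an added illustration of that idea and is not udica's own code; the audit records, the stand-in `my_container.cil`, the regular expression and the function names are all constructed for this example. It reproduces the scenario in the report: a process confined as `my_container.process` running `nc -lvp 22` is denied `name_bind` on `ssh_port_t` and `listen` on its own socket.

```python
import re

# Fields of an AVC denial record that an allow rule needs.
# Constructed for this example; it is not udica's own parser.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed audit records for the scenario in the report. The SYSCALL line is
# the kind of non-AVC record that also appears in audit.log and must be ignored.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1563954123.456:201): avc:  denied  { name_bind } for  pid=4242 comm="nc" src=22 scontext=system_u:system_r:my_container.process:s0:c123,c456 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1563954123.456:201): arch=c000003e syscall=49 success=no exit=-13 comm="nc"
type=AVC msg=audit(1563954123.457:202): avc:  denied  { listen } for  pid=4242 comm="nc" laddr=::1 lport=22 scontext=system_u:system_r:my_container.process:s0:c123,c456 tcontext=system_u:system_r:my_container.process:s0:c123,c456 tclass=tcp_socket permissive=0
"""

# Constructed stand-in for a generated my_container.cil: a single (block ...)
# whose process type is my_container.process and which ends with a closing paren.
SAMPLE_POLICY = """\
(block my_container
    (blockinherit container)
    (allow process process ( capability ( chown dac_override fowner kill setgid setuid )))
    (allow process home_root_t ( dir ( getattr open read search )))
)
"""


def selinux_type(context):
    """user:role:type:level -> type (the third field)."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)} for every denial."""
    denials = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/CWD/PATH records, or an AVC that is not a denial
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        denials.setdefault(key, set()).update(m["perms"].split())
    return denials


def to_cil_rules(denials, block_name):
    """Render denials as CIL allow rules in the names local to (block block_name ...).

    Inside the block the process type is plain `process`; a target equal to the
    source becomes `self`; denials for other domains are not this block's business.
    """
    prefix = block_name + "."
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        if not src.startswith(prefix):
            continue
        local_src = src[len(prefix):]
        local_tgt = "self" if tgt == src else tgt
        rules.append(f"    (allow {local_src} {local_tgt} ( {tclass} ( {' '.join(sorted(perms))} )))")
    return rules


def append_rules(policy_text, cil_rules):
    """Insert rules before the block's final closing paren, skipping ones already present."""
    stripped = policy_text.rstrip()
    if not stripped.endswith(")"):
        raise ValueError("policy does not end with a closing block paren")
    body = stripped[:-1].rstrip("\n")
    existing = {line.strip() for line in body.splitlines()}
    new = [r for r in cil_rules if r.strip() not in existing]
    return body + "\n" + "".join(r + "\n" for r in new) + ")\n"


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AVC_LOG)
    print(append_rules(SAMPLE_POLICY, to_cil_rules(found, "my_container")))
```

Each appended rule widens what the container is allowed to do, so the rules are emitted as lines to be read before the module is rebuilt and reinstalled, and the append step is idempotent so re-running it on the same denials does not duplicate rules.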

Comment 1 Lukas Vrabec 2019-07-24 16:04:23 UTC
Upstream ticket created: 

Comment 19 errata-xmlrpc 2020-04-28 15:47:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

