Options to allow connections for tcp_socket and unix_stream_socket

[ivanov17]

Is your feature request related to a problem? Please describe.

I'm trying to use Udica with Ansible to automatically generate SELinux policies for my systemd-generated Podman containers organized in pods.

I created idempotent playbook which creates pod and containers, generates and applies SELinux policies, then generates systemd units and runs the containers in the pod using systemd units.

Despite some success, I have problems.

First, I have a few services on the host (like git daemon, database etc) that are needed for some containers. Usually I connected from containers to the host services, but if I want to hardening security with container-specific policies, I need to add some permissions, like postgresql_port_t.

In this case, I cannot bind a specific port to container, so Udica won't know about that port from the generated json. Therefore, I can only specify additional permissions by editing the generated policy before applying it. It causes some troubles for automation.

Unfortunately, I can't use --append-rules option here, because if I generate policies when containers are just created, not running, I have no AVC alerts. But if I want to get all the alerts from the log, I need to restart container multiple times. It's not an option.

Second, I have UNIX sockets on the host that I need to bind to containers. I can't relabel them, because they are managed by systemd. I can mount them with native labels and then generate policy that sets them to the same permissions as container_file_t. But my container process can't connect to the mounted socket, because Udica don't add connectto permission by default.

Unfortunately, I can't use --stream-connect in this case, because it only allows communication between containers.

Describe the solution you'd like

I would like to be able to specify additional permissions for TCP sockets directly using a special option. It might look like

udica --load-modules \
      --tcp-connect 5432 636 \
      --container-id 2379d94bbf0fa372a0c0445fd55c5556620a7c0922245edb3bc064638ee4d8c3 my-container

This option should add the following lines to the policy file:

    (allow process postgresql_port_t ( tcp_socket ( name_connect )))
    (allow process ldap_port_t ( tcp_socket ( name_connect )))

Adding permissions to connect to UNIX sockets might look like this:

udica --load-modules \
      --stream-access \
      --container-id 2379d94bbf0fa372a0c0445fd55c5556620a7c0922245edb3bc064638ee4d8c3 my-container

The following line should be added:

    (allow process container_runtime_t ( unix_stream_socket ( connectto )))

This will allow me to use only one command to generate and install SELinux policies with all required permissions and make it easier to automate.

It might also be worth adding the ability to include custom templates when generating a policy file to cover any use cases.

Describe alternatives you've considered

I think currently the only alternative is to edit the generated policy file before applying it. This adds more loops to process containers in each pod (getting info, saving to files, creating policies, editing to add each additional permission and applying). It is possible, but inconvenient and breaks idempotence.