Hello!!
On 09/09/20 9:56 pm, apsoul(a)hotmail.com wrote:
> I've had success using udica to craft the selinux policy that can
> then be applied to the container using the --security-opt flag.
> See this blog post:
> https://fedoramagazine.org/use-udica-to-build-selinux-policy-for-containers/

Thank you apsoul for sharing a great resource.

> The only place I've noticed udica falling short is running a pod of multiple
> containers that are all communicating with each other. In this instance I had to start the
> pod and monitor audit.log for avc denials and then manually update the udica generated
> .cil file.

It appears that this tool works with running containers. The Envoyproxy
container gets killed even before the application within can start running.
--
Chintan Mishra
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
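The "monitor audit.log for avc denials and then manually update the udica generated .cil file" step apsoul describes is the part of the workflow that udica does not automate, and it is also where a rule written too broadly quietly undoes the point of the custom policy. The script below is an added example, not code from the thread, udica or Podman: it parses constructed AVC denial records in the standard auditd layout, keeps only those whose source type is the udica-generated process type for the pod (assumed here to be `my_pod.process`), and renders one CIL `allow` rule per source/target/class with the permissions merged and deduplicated, so the operator can review each rule before appending it to the `.cil` file and reloading it with `semodule -i`.

```python
import re
from collections import defaultdict

# Constructed sample audit.log content (not taken from the thread). The field
# layout follows what auditd writes for AVC records; the pod type name
# my_pod.process and the comm/pid/dest values are made-up illustrations.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1599666000.101:301): avc:  denied  { name_connect } for  pid=2201 comm="envoy" dest=8080 scontext=system_u:system_r:my_pod.process:s0:c12,c34 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1599666000.102:302): avc:  denied  { read open } for  pid=2201 comm="envoy" name="envoy.yaml" dev="overlay" ino=1234 scontext=system_u:system_r:my_pod.process:s0:c12,c34 tcontext=system_u:object_r:container_file_t:s0:c12,c34 tclass=file permissive=0
type=AVC msg=audit(1599666000.103:303): avc:  denied  { name_connect } for  pid=2201 comm="envoy" dest=8080 scontext=system_u:system_r:my_pod.process:s0:c12,c34 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1599666000.103:303): arch=c000003e syscall=42 success=no exit=-13 comm="envoy"
type=AVC msg=audit(1599666000.104:304): avc:  denied  { write } for  pid=77 comm="rsyslogd" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

# Pulls the permission set, source context, target context and object class
# out of one AVC record. Contexts are user:role:type:level, so the type is the
# third colon-separated field.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def _type_of(context):
    return context.split(":")[2]


def parse_denials(log_text, source_type):
    """Return {(source_type, target_type, tclass): set(perms)} for AVC denials
    whose source type equals source_type. Other records (SYSCALL lines, denials
    from unrelated domains such as syslogd_t) are ignored so that rules for
    the pod are never polluted by host noise."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue
        match = AVC_RE.search(line)
        if not match:
            continue
        stype = _type_of(match.group("scontext"))
        if stype != source_type:
            continue
        ttype = _type_of(match.group("tcontext"))
        denials[(stype, ttype, match.group("tclass"))].update(match.group("perms").split())
    return denials


def to_cil(denials):
    """Render one CIL allow rule per (source, target, class) key. Permissions
    are sorted and deduplicated, so repeated denials of the same access (the
    two name_connect records above) collapse into a single rule."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        rules.append(f"(allow {stype} {ttype} ({tclass} ({' '.join(sorted(perms))})))")
    return rules


if __name__ == "__main__":
    # Typical use: ausearch -m AVC -ts recent > denials.log, then feed that
    # file in place of SAMPLE_AUDIT_LOG and review the rules before appending
    # them to the udica-generated .cil and reloading with semodule -i.
    for rule in to_cil(parse_denials(SAMPLE_AUDIT_LOG, "my_pod.process")):
        print(rule)
```

Because the output is grouped per target type and class, an operator can see at a glance whether a rule only opens what the pod needs (a port type for inter-container traffic, the container's own files) or whether a broad target such as a generic file type has crept in, which is the check that matters most when a denial is turned into a permanent allow.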