@kyxap1
Last active September 14, 2021 19:51
Generate selinux policies for ecs containers with udica on amazon linux
#!/usr/bin/env bash
# generate selinux policies for ecs containers with udica on amazon linux
# requirements: xargs, jq, udica, ausearch (audit), ps (procps)
#
# nothing is changed by this script itself: it prints, for every running
# container, the docker inspect / ausearch / udica commands, which must be
# reviewed, edited and executed manually.
set -eo pipefail

# udica expects HostConfig.Devices to be a list, but docker on amazon linux
# emits null when a container has no devices, so rewrite null to [].
jq_filter='(.[].HostConfig | select(.Devices == null) | .Devices) |= []'
jq_cmd="jq '${jq_filter}' > %s"
# short id, container name without the leading "/", and the main pid
inspect_fmt='{{slice .ID 0 12}} {{slice .Name 1}} {{.State.Pid}}'
# raw avc/selinux denials whose source context is the container's process label
audit_cmd='ausearch -m avc,user_avc,selinux_err,user_selinux_err --input-logs --raw -w -su %s > %s.avc'
#audit_cmd='ausearch -m avc,user_avc,selinux_err,user_selinux_err --input-logs --raw -w -su %s | audit2allow -M %s'

containers=() audits=() udicas=() contexts=()
while read -r id name pid
do
    # selinux label of the container's init process,
    # e.g. system_u:system_r:container_t:s0:c1,c2
    context=$(ps -o label= -p "$pid")
    contexts+=("$id" "$context" "$name")
    # generate commands list that must be edited and executed manually
    # transform `docker inspect` output for udica and save it to file
    printf -v container "docker inspect %s | ${jq_cmd}" "$id" "${name}.json"
    containers+=("$container")
    # look for denials in auditdb by source context
    printf -v audit_ "${audit_cmd}" "$context" "$name"
    audits+=("$audit_")
    # run udica with ausearch findings
    udica_="udica -j ${name}.json --append-rules ${name}.avc ${name}"
    udicas+=("$udica_")
done < <( docker ps -q | xargs -n1 docker inspect --format "$inspect_fmt" )

printf "%b\n" "${containers[@]}" "\n" "${audits[@]}" "\n" "${udicas[@]}" "\n"
printf "# %-s\t%-s\t%-s\n" "${contexts[@]}"

#!/usr/bin/env bash
# wrapper script to use udica container as binary
# runs the udica image with the host's docker socket and selinux policy
# directories mounted, so `udica ...` on the host behaves like a local install.
docker run --user root --privileged -i --rm \
    --name=udica -w /data \
    -v "${PWD}":/data \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /sys/fs/selinux:/sys/fs/selinux \
    -v /etc/selinux/:/etc/selinux/ \
    -v /var/lib/selinux/:/var/lib/selinux/ \
    udica "$@"
# note: /var/lib/selinux is the selinux module store that udica/semodule
# write to; mounting /etc/selinux there (as the original line did) is a typo.