How to use udica for rootless containers?

Solution In Progress

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • podman
  • udica

Issue

  • Rootless users are unable to load an SELinux policy using udica, since only the root user has permission to modify the SELinux policy on the system:

    $ semodule -i my_container_policy.cil /usr/share/udica/templates/base_container.cil
    libsemanage.semanage_create_store: Could not read from module store, active subdirectory at /var/lib/selinux/targeted/active. (Permission denied).
    libsemanage.semanage_direct_connect: could not establish direct connection (Permission denied).
    semodule:  Could not connect to policy handler
    

Resolution

  • Udica is not required to run containers on a system with SELinux enabled. It is only needed in certain situations where a container must access a file or directory that the system's default SELinux policy blocks.
  • Creating the policy with the udica tool and then loading the SELinux module can only be performed by the root user, as only root has the permissions to alter SELinux policies on a system.
  • Detailed steps to generate and load a module using udica
  • A rootless user will end up with "operation not permitted" errors when trying to load the module.
  • To overcome this limitation, the policy can be created by the rootless user and the module can be loaded by the root user.
  • To do this, inspect the container as the rootless user, save the inspect output to a file, and generate a policy file from that JSON file. The root user then loads the generated policy into the system as a custom SELinux policy. Finally, the container can be run as the rootless podman user, passing a flag that selects the custom SELinux type.

  • The following commands illustrate the procedure; they can be customised to individual requirements:

  1. Inspect the container as the rootless user, saving the output to a file:

    $ podman inspect container > /tmp/container.json
    
  2. Create the custom SELinux policy from the output file written in the previous step:

    $ udica -j /tmp/container.json container_policy
    
  3. As the root user, load the custom SELinux policy created in the previous step:

    # semodule -i container_policy.cil /usr/share/udica/templates/base_container.cil
    
  4. As the rootless user, run the container with the custom SELinux label by passing the --security-opt flag:

    $ podman run --security-opt label=type:container_policy.process ..........
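The four steps above as one script, added here as an example and not part of the Red Hat solution; it assumes the policy name `container_policy`, that `udica` writes `container_policy.cil` into the current directory, and that the root step runs in that same directory. It adds the checks a practitioner would want: that inspect actually returned container data, that `semodule -l` lists the module after loading, and that the started container really runs under the custom type.

```shell
#!/bin/sh
# Added example: rootless/root hand-off for a udica policy, with verification.
# Hypothetical helper script, not part of udica or the Red Hat article.
set -eu

POLICY_NAME="${POLICY_NAME:-container_policy}"
BASE_CIL=/usr/share/udica/templates/base_container.cil

# The SELinux process type udica derives from the policy name: <name>.process
process_type() { printf '%s.process' "$1"; }

# Extract the type field from a full label such as
# system_u:system_r:container_policy.process:s0:c12,c34
label_type() { printf '%s' "$1" | cut -d: -f3; }

# Read `semodule -l` output on stdin; succeed only if the module is listed
# (handles both the bare "name" and the "name<TAB>version" formats).
module_listed() { awk -v m="$1" '$1 == m { f = 1 } END { exit !f }'; }

# Steps 1 and 2, run as the rootless user: inspect, then generate the policy.
rootless_generate() {
  json=/tmp/container.json
  podman inspect "$1" > "$json"
  # A missing container yields an empty array, which udica cannot use.
  if ! grep -q '"Id"' "$json"; then
    echo "podman inspect returned no container data for $1" >&2
    return 1
  fi
  udica -j "$json" "$POLICY_NAME"
  [ -f "$POLICY_NAME.cil" ]
}

# Step 3, run as root in the same directory: load and confirm it is listed.
root_load() {
  semodule -i "$POLICY_NAME.cil" "$BASE_CIL"
  semodule -l | module_listed "$POLICY_NAME"
}

# Step 4, run as the rootless user: start the container with the custom type
# and confirm the running process label actually carries that type.
rootless_run_verified() {
  type=$(process_type "$POLICY_NAME")
  id=$(podman run -d --security-opt "label=type:$type" "$@")
  actual=$(podman inspect --format '{{.ProcessLabel}}' "$id")
  if [ "$(label_type "$actual")" != "$type" ]; then
    echo "expected type $type but container runs as $actual" >&2
    return 1
  fi
  echo "$id"
}
```

Run `rootless_generate container` as the user, `root_load` as root, then `rootless_run_verified <image> [args]` as the user; the last call prints the container ID only when the label check passes.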
    

Root Cause

  • A rootless user cannot modify the SELinux policies on a host.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
