Run time security for containers using udica

Open HariAccuknox opened this issue 5 years ago • 6 comments

Runtime Security: After creating my_container.process for a container, can we make it apply to the container without restarting the containers?

Describe the solution you'd like

Running a udica daemon to capture the container specs to create, and applying SIGHUP to the daemon to hot-reload it.

Describe alternatives you've considered

Running DaemonSets on all nodes or one daemon for all nodes to .

HariAccuknox, Sep 18 '20 11:09

@JAORMX @rhatdan, guys, we can discuss this RFE here.

wrabcak, Sep 18 '20 13:09

@wrabcak wouldn't applying a new SELinux policy require a container restart either way? I thought you needed to set SELinux labels on process start.

JAORMX, Sep 18 '20 13:09

Can we provide a default SELinux profile with certain profiles for containers, and override containers with a daemon SIGHUP? This will certainly improve the SELinux implementation in containers.

On Fri, 18 Sep 2020, 19:05 Juan Osorio Robles, [email protected] wrote:

@wrabcak https://github.com/wrabcak wouldn't applying a new SELinux policy require a container restart either way? thought you needed to set SELinux labels on process start.

HariAccuknox, Sep 18 '20 18:09

@JAORMX, there is a possibility to force label change during process runtime, but I don't know if it's possible for containers.

wrabcak, Sep 21 '20 11:09

@JAORMX, there is a possibility to force label change during process runtime, but I don't know if it's possible for containers.

Uhm... that might then be an RFE for the container runtime (e.g. Podman) more than for udica.

JAORMX, Sep 21 '20 12:09
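A check for the point made in the exchange above (the SELinux domain is assigned when a process starts, so an already-running container keeps its old type after a new udica policy is loaded), added here as an example that is not part of this issue or of the udica project. It assumes podman is installed on the host, that a udica-generated policy was loaded with `semodule -i`, and that the container name `my_container` is a hypothetical example.

```shell
#!/bin/sh
# Added example, not udica project code. After `semodule -i my_container.cil`,
# confirm whether a running container's processes actually run in the new
# domain. Since the domain is set at process start, a container that was
# already running still shows its old type (typically container_t) until it
# is restarted with: --security-opt label=type:my_container.process

# Pure helper: does a full SELinux context carry the expected type?
# A context looks like "system_u:system_r:my_container.process:s0:c1,c2";
# the type is the third colon-separated field. Returns 0 on match, 1 otherwise.
context_has_type() {
    ctx="$1"
    expected="$2"
    actual=$(printf '%s' "$ctx" | cut -d: -f3)
    [ "$actual" = "$expected" ]
}

# Read the live context of the container's init process (assumes podman on
# the host). /proc/<pid>/attr/current ends with a NUL byte, which is dropped.
container_context() {
    pid=$(podman inspect --format '{{.State.Pid}}' "$1") || return 1
    tr -d '\000' < "/proc/$pid/attr/current"
}

# Report whether the container already runs in the udica type or still needs
# a restart to pick it up. Exit 0 = matches, 1 = stale type, 2 = lookup failed.
check_container_type() {
    name="$1"
    expected="$2"
    ctx=$(container_context "$name") || return 2
    if context_has_type "$ctx" "$expected"; then
        echo "$name runs as $expected"
    else
        echo "$name still runs as $(printf '%s' "$ctx" | cut -d: -f3);" \
             "restart it with --security-opt label=type:$expected"
        return 1
    fi
}

# Usage (container name is a hypothetical example):
# check_container_type my_container my_container.process
```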

Sorry, it's not possible; discussed with the SELinux userspace maintainer.

wrabcak, Sep 21 '20 12:09