Build a minimal Udica Container Image
Udica is a tool for generating SELinux security profiles (policies) for containers. The Dockerfile in the Udica repository is not kept up to date, since on most systems you can simply install the latest Udica with dnf or pip.
I'm currently using CoreOS, and Python is not installed by default. Instead of dnf, you have rpm-ostree to install packages (which calls libdnf in the background). I don't want an additional layer of packages on top of my base system, so I'm going to create a Udica image from a minimal Fedora image to ensure that the container isn't too large.
My Dockerfile:
# Fedora Minimal ships microdnf instead of dnf and no Python, which keeps the
# final image small
FROM registry.fedoraproject.org/fedora-minimal
USER root
# Update image (--disableplugin=subscription-manager is aimed at RHEL/UBI bases;
# the Fedora build accepts it, as the build log below shows)
RUN microdnf update --disableplugin=subscription-manager -y && \
    rm -rf /var/cache/yum
# Install dependencies: udica is pure Python and needs python3-setools;
# the SELinux userspace packages provide semodule and friends
RUN microdnf install --disableplugin=subscription-manager -y \
    container-selinux \
    python3 \
    python3-setools \
    systemd-devel \
    policycoreutils \
    policycoreutils-python-utils \
    && rm -rf /var/cache/yum
# Build udica from a checkout of the udica repository placed in the build
# context next to this Dockerfile (git clone https://github.com/containers/udica)
WORKDIR /tmp
COPY udica udica
WORKDIR /tmp/udica
# setup.py installs the udica entry point under /usr/local/bin
RUN python3 setup.py install
WORKDIR /
# Clean up the source tree; the installed copy under /usr/local is all we need
RUN rm -rf /tmp/udica/
# ENTRYPOINT so that arguments given to `podman run` go straight to udica
ENTRYPOINT ["/usr/local/bin/udica"]
Building the image (you can use docker too):
❯ podman build -t udica:latest .
STEP 1/11: FROM registry.fedoraproject.org/fedora-minimal
STEP 2/11: USER root
--> Using cache 07d08f8813e2df58296dc0a108beb0b1cd2d876504083690683ac6dc4d391058
--> 07d08f8813e2
STEP 3/11: RUN microdnf update --disableplugin=subscription-manager -y && rm -rf /var/cache/yum
--> Using cache 7452230b3e756317401a1ab0dfb0828c338eb2a205adc814f543d397117fc0f4
--> 7452230b3e75
---------REDACTED----
STEP 11/11: ENTRYPOINT ["/usr/local/bin/udica"]
--> Using cache e98eeefabb428086b6851668ed70044d63a95d69cd7bf2e350a9d63da972c8a2
COMMIT udica:latest
--> e98eeefabb42
Successfully tagged localhost/udica:latest
e98eeefabb428086b6851668ed70044d63a95d69cd7bf2e350a9d63da972c8a2
Built on the minimal Fedora image, the result is around 350 MB (the base image alone is about 92 MB):
❯ podman images | egrep 'fedora|udica'
localhost/udica latest e98eeefabb42 2 hours ago 346 MB
registry.fedoraproject.org/fedora-minimal latest 701d06020979 5 days ago 92.1 MB
I used an ENTRYPOINT instead of CMD (which you can change), so udica's flags and arguments can be passed straight to `podman run` without typing udica each time, or you can simply create an alias:
❯ podman run --rm localhost/udica -V
0.2.8
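One way to use the containerized udica from the host, as an added example that is not part of the original post or of the udica project: a small shell wrapper around the `podman run` invocation shown above. It pipes `podman inspect` output into the container, collects the generated `.cil` in a directory on the host, copies udica's CIL templates out of the image (nothing from the image is installed on the host, but `semodule` needs the templates next to the generated policy), and loads the module. The image name `localhost/udica`, the `./udica-policies` output directory, the template path `/usr/share/udica/templates`, and the container and policy names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or the udica project): a wrapper
# around the localhost/udica image built above. UDICA_IMAGE, UDICA_TEMPLATES,
# the ./udica-policies directory and the policy/container names are assumptions.
set -eu

UDICA_IMAGE="${UDICA_IMAGE:-localhost/udica}"
# Where udica keeps its CIL templates inside the image (assumed; verify with:
#   podman run --rm --entrypoint ls localhost/udica /usr/share/udica/templates)
UDICA_TEMPLATES="${UDICA_TEMPLATES:-/usr/share/udica/templates}"
# semodule needs root on the host; overridable so the wrapper can be dry-run
SEMODULE="${SEMODULE:-sudo semodule}"

# Print the podman command used to run containerized udica (dry run only).
# Because the image uses ENTRYPOINT, the first positional argument is the
# policy name udica expects.
udica_cmd() {
    policy_name="$1"; outdir="$2"
    # -i      udica reads the `podman inspect` JSON from stdin
    # -v/-w   udica writes <policy_name>.cil into its working directory, so
    #         bind-mount outdir there; :Z relabels outdir for the container,
    #         which is why a dedicated directory is used rather than $HOME or $PWD
    printf 'podman run --rm -i -v %s:/out:Z -w /out %s %s\n' \
        "$outdir" "$UDICA_IMAGE" "$policy_name"
}

# Generate <policy_name>.cil for an existing container into outdir.
udica_generate() {
    container="$1"; policy_name="$2"; outdir="$3"
    mkdir -p "$outdir"
    podman inspect "$container" |
        podman run --rm -i -v "$outdir:/out:Z" -w /out "$UDICA_IMAGE" "$policy_name"
}

# Copy udica's templates out of the image into outdir/templates.
udica_export_templates() {
    outdir="$1"
    mkdir -p "$outdir/templates"
    cid=$(podman create "$UDICA_IMAGE")
    podman cp "$cid:$UDICA_TEMPLATES/." "$outdir/templates"
    podman rm "$cid" >/dev/null
}

# Load the generated policy plus the templates udica asked for. udica prints
# the exact semodule line at the end of its run (e.g. base_container and
# net_container); pass those template names here.
udica_load() {
    policy_name="$1"; outdir="$2"; shift 2
    # POSIX sh has no arrays: rotate each template name into its full path
    for t in "$@"; do
        set -- "$@" "$outdir/templates/$t.cil"
        shift
    done
    $SEMODULE -i "$outdir/$policy_name.cil" "$@"
}

# Usage on the host, for a running container named my_nginx:
#   udica_generate my_nginx my_container ./udica-policies
#   udica_export_templates ./udica-policies
#   udica_load my_container ./udica-policies base_container net_container
#   podman run --security-opt label=type:my_container.process ... <image>
```

The last line of the usage comment is the step udica itself tells you to take once the module is loaded: restart the container with `--security-opt label=type:<policy_name>.process` so it runs under the generated type instead of the generic container_t.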
To wrap up, it is worth learning more about how SELinux prevents containers from causing havoc on your system.