CoreOS and Udica SELinux policies

Greetings, I have a Fedora CoreOS server on baremetal, running a few privileged containers, for example one running lldpd.

I basically followed the doc which is all fine, running podman as root with the addition of --cap-add all and --net=host

I am revisiting this in the hope of reducing capabilities (--cap-add CAP_NET_RAW should be enough) and maybe also implementing some SELinux policies.

I checked Udica which generates policies that work just fine in a dev environment, however I am wondering how to deploy these in Fedora CoreOS.

Normally (on Fedora) one would run

semodule -i my_lldpd.cil /usr/share/udica/templates/base_container.cil

but it feels incorrect on CoreOS where things should be immutable.

Has anyone tried to use Udica generated policies (or SELinux policies in general) on CoreOS?

(also I see a related issue with 45 comments. I only read the last one (…) which brings a solution : building a rpm to install the policies. But it feels a bit overkill for my usecase).


The RPM route is probably the safest option for this use case. We’ve had improvements around SELinux tooling but I’m not sure how far we’ve got yet.

Thanks! I’ve ended up going this route and writing a small rpm that runs semodule -i in a %post section. Is bundled as well a nftables ruleset so that traffic can be marked as “internet” or “intranet” (or left unlabeled), which can be further allowed in the SELinux policy with
(allow process intranet_packet_t ( packet ( send recv )))

In the end the systemd service is written like this:


ExecStartPre=-/bin/podman kill busybox1
ExecStartPre=-/bin/podman rm busybox1
ExecStartPre=nft -f /usr/share/mytest/secmark.nft
ExecStart=/bin/podman run --network=host --security-opt label=type:mytest.process --name busybox1 busybox nc -l -p 8080


internet_packet_t and intranet_packet_t are already part of Fedora selinux-policy.