The VPP Custom SELinux Policy has been merged to master. This is a heads up
for CentOS, Fedora and RHEL: this patch introduces new package
dependencies, selinux-policy and selinux-policy-devel.

Depending on your system and what is currently installed, you may need to
re-run `make install-dep` to pick up these new packages.

If anyone runs into any issues on CentOS/Fedora/RHEL, drop me an email and
I'll take a look.

Thanks,
Billy McFall


On Mon, Jan 15, 2018 at 6:09 PM, Billy McFall <bmcf...@redhat.com> wrote:

> I have pushed an initial pass at a VPP Custom SELinux Policy to Gerrit for
> review. Prior to the start of this venture, I knew zero about SELinux, so
> please let me know if you see something you don't like. That being said,
> the internal Red Hat SELinux team has reviewed and blessed it. If you have
> any interest, see: https://gerrit.fd.io/r/#/c/10111/
>
> As far as I know, Debian tends not to use SELinux in favor of AppArmor. So
> the SELinux Policy is currently only implemented for RPM packages,
> specifically, Fedora, CentOS and RHEL. I have been in touch with Marco
> regarding Suse and we will follow up with that separately.
>
> I used the following document to keep track of notes as I implemented the
> VPP Custom SELinux Policy: VPP_SELinux_FilesAndLabels
> <https://docs.google.com/document/d/1OEAodU3lY3z0qLrxOmdvwqdfZCWbzLs-6Z77CeWEHE0/edit?usp=sharing>
> Primarily, the document lists:
> * Questions raised during implementation (most of which have been answered)
> * List of files added to the system by VPP and the SELinux label they were
> assigned, if any.
> * List of files remaining on a system once VPP was uninstalled.
> * Test Cases
>
>
> Below are some questions about file and socket names and directories. Most
> of these are file names and directories input by the user, so it is a
> question of how we document it. Some of these only matter if SELinux is
> enabled, so I don't want to force a change for the non-SELinux users.
> However, I would like a discussion around the directories files are placed
> in.
>
> * Scripts
> The Wiki (https://wiki.fd.io/view/VPP/Command-line_Interface_(CLI)_Guide#command_scripts)
> shows examples of running command scripts out of
> /tmp (i.e. - vppctl exec /tmp/script). With SELinux enabled, user-created
> scripts out of '/tmp' and '/home/<user>/' will not execute due to
> permissions. I did all my testing by moving my scripts to
> '/usr/share/vpp/scripts/'. The other option is to create a '/tmp/vpp/'
> directory which I can add a rule to label as 'vpp_tmp_t' (which I have not
> done yet, but can do easily). Any thoughts or preferences?
>
> * vHost Sockets
> There is a lot of discussion online about location and permissions around
> vhost sockets, primarily with regards to OVS. In server mode (from vSwitch
> perspective), OVS settled on '/var/run/openvswitch/', and in Client Mode
> (again from vSwitch perspective),
> OpenStack wants '/var/lib/vhost_sockets/'. FYI - OVS is deprecating Server
> mode going forward.
>
> The Wiki and CLI Doxygen documentation for VPP show examples of vhost
> sockets being created in '/tmp/'. I would like to update the documentation
> to point to '/var/run/vpp/' for vhost sockets. I still have work to do on
> permissions to get something like '/var/lib/vhost_sockets/' in client mode
> working properly. Once again, this is purely what the documentation shows,
> code doesn't care about location if SELinux is disabled.
>
> * Log Files:
> Just curious if there was any reason the default location for the log file
> was '/tmp/vpp.log' and not something like '/var/log/vpp/vpp.log'?
>
> As is, '/tmp/vpp.log' will get labeled with 'vpp_tmp_t' and works fine.
> However, I also created 'vpp_log_t' along with a '/var/log/vpp/' directory
> if we want to use it. By moving it, it can get labeled with vpp_var_run_t
> and the correct permissions for things like logrotate are set properly.
>
> Thanks,
> Billy McFall
>
> --
> *Billy McFall*
> Networking Group
> CTO Office
> *Red Hat*
>



-- 
*Billy McFall*
Networking Group
CTO Office
*Red Hat*
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
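The thread above describes the practical effect of the new policy: a confined VPP that is pointed at a script in /tmp or a home directory, or at a vhost socket directory the policy does not yet label, gets an SELinux denial rather than a permission error it can explain. The script below is an added example, not code from the VPP project or from this thread. It parses AVC records in the standard audit.log format and maps the target label of each denial to the placement advice given in the thread (scripts under /usr/share/vpp/scripts/ or a vpp_tmp_t-labeled /tmp/vpp/, vhost sockets under /var/run/vpp/). The sample audit lines are constructed; the domain type `vpp_t` is an assumption for illustration (the thread names only the file types vpp_tmp_t, vpp_log_t and vpp_var_run_t), while `user_tmp_t`, `user_home_t` and `var_lib_t` are the stock labels for files under /tmp, /home/<user> and /var/lib. The helper names (`avc_denials`, `advise`, `triage`, `live_checks`) are this example's own.

```shell
#!/bin/sh
# Added example (not VPP project code): triage SELinux AVC denials hit by a
# confined VPP process and map them to the directory advice from the thread.

# Constructed audit.log records in the real AVC format. 'vpp_t' as the VPP
# domain is an assumption; the thread only names vpp_tmp_t/vpp_log_t/vpp_var_run_t.
SAMPLE_AVCS='type=AVC msg=audit(1516058945.123:456): avc:  denied  { read } for  pid=1234 comm="vpp" name="script" dev="tmpfs" ino=98765 scontext=system_u:system_r:vpp_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1516058946.001:457): avc:  denied  { read } for  pid=1234 comm="vpp" name="bridge.cli" dev="dm-0" ino=1122 scontext=system_u:system_r:vpp_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1516058947.555:458): avc:  denied  { create } for  pid=1234 comm="vpp" name="sock1.sock" scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1516058947.555:458): arch=c000003e syscall=49 success=no exit=-13'

# Read raw audit records on stdin; print one line per AVC denial:
#   <permissions> <comm> <source type> <target type> <object class>
# Only the type field (third colon-separated part) of each context is kept.
avc_denials() {
    awk '/^type=AVC / && / denied / {
        perm = ""; comm = ""; st = ""; tt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                       # "{ read open }" -> read+open
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = (perm == "" ? $j : perm "+" $j)
            }
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print perm, comm, st, tt, cls
    }'
}

# Map the target label of a denial to the placement advice from the thread.
advise() {
    case "$1" in
        user_tmp_t|user_home_t)
            echo "move the script to /usr/share/vpp/scripts/ (or a /tmp/vpp/ directory labeled vpp_tmp_t)" ;;
        var_lib_t)
            echo "client-mode vhost socket dir not yet labeled; use /var/run/vpp/ for now" ;;
        *)
            echo "unexpected target label; check with matchpathcon and restorecon" ;;
    esac
}

# Human-readable report: one line of advice per denial on stdin.
triage() {
    avc_denials | while read -r perm comm st tt cls; do
        printf '%s (%s) denied %s on %s labeled %s: %s\n' \
            "$comm" "$st" "$perm" "$cls" "$tt" "$(advise "$tt")"
    done
}

# On a real CentOS/Fedora/RHEL host with the policy installed: show the label
# the file-context rules assign to the paths discussed in the thread, then
# triage recent denials. Skipped where the tools are absent so the script
# stays runnable elsewhere; ausearch needs auditd and root.
live_checks() {
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon not installed; skipping live checks"; return 0; }
    for p in /tmp/vpp.log /var/log/vpp /var/run/vpp /usr/share/vpp/scripts; do
        matchpathcon "$p"
    done
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m AVC -ts recent 2>/dev/null | triage
    fi
}

case "${1:-}" in
    --live) live_checks ;;
    *)      printf '%s\n' "$SAMPLE_AVCS" | triage ;;
esac
```

Run it with no arguments to see the three constructed denials triaged; run it with `--live` on a host that has the policy installed to compare `matchpathcon` output for /tmp/vpp.log and /var/log/vpp/ against the labels discussed above. If a denial shows up with a target label the `advise` table does not know, `restorecon -Rv <path>` after adding or fixing a file-context rule is the usual next step.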
