VPP-899: Run VPP under SELinux

Add an SELinux profile such that VPP can run under SELinux on RPM based
platforms. The SELinux Policy is currently only implemented for RPM
packages, specifically, Fedora, CentOS and RHEL. Doxygen User
Documentation has been included (selinux_doc.md). Once some discussion
on file locations has completed (see vpp-devlist), updates to the Debug
CLI documentation will also need to be updated.

Additional changes:
Patch Set 2:
- Rework selinux_doc.md such that each line is only 80 characters
  instead of each sentence on a line. Made additonal minor chnages
  to the text.
- Update vHost Debug CLI documentation to reflex new socket location.
  Cleaned up some text from when I originally wrote it, to better
  reflex proper use.
- Update exec Debug CLI documentation to be more inline with suggested
  helptext, added text regarding recommended script file location.
- For Debian builds, create the /var/log/vpp/ directory. I don't use
  Debian very much, so please pay extra attention to
  build-data/platforms.mk and build-root/deb/debian/.gitignore.
- Per discussion on VPP call, changed the default log location to
  /var/log/vpp/vpp.log.
- Changed the socket location for vHost in AutoConfig to
  /var/run/vpp/.
Patch Set 3:
- Update selinux_doc.md based on comments.

Change-Id: I400520dc33f1ca51012d09ef8fe5a7b7b96c631e
Signed-off-by: Billy McFall <bmcfall@redhat.com>

1 files changed, 139 insertions, 0 deletions

diff --git a/extras/selinux/vpp-custom.te b/extras/selinux/vpp-custom.te
new file mode 100644
index 00000000000..e0a1f64d018
--- /dev/null
+++ b/extras/selinux/vpp-custom.te
@@ -0,0 +1,139 @@
+policy_module(vpp-custom,1.0)
+
+########################################
+#
+# Declarations
+#
+
+gen_require(`
+    type hugetlbfs_t;
+    type svirt_t;
+    type svirt_image_t;
+    type systemd_sysctl_t;
+    class capability sys_admin;
+')
+
+type vpp_t;
+type vpp_exec_t;
+init_daemon_domain(vpp_t, vpp_exec_t)
+
+type vpp_config_rw_t;
+files_config_file(vpp_config_rw_t)
+
+type vpp_lib_t; # if there is vpp_var_lib_t, we don't need vpp_lib_t
+files_type(vpp_lib_t)
+
+type vpp_log_t;
+logging_log_file(vpp_log_t)
+
+type vpp_var_run_t;
+files_type(vpp_var_run_t)
+
+type vpp_unit_file_t;
+systemd_unit_file(vpp_unit_file_t)
+
+type vpp_tmpfs_t;
+files_tmpfs_file(vpp_tmpfs_t)
+
+type vpp_tmp_t;
+files_tmp_file(vpp_tmp_t)
+
+########################################
+#
+# vpp local policy
+#
+
+allow vpp_t self:capability { dac_override ipc_lock setgid sys_rawio net_raw sys_admin }; # too benefolent
+dontaudit vpp_t self:capability2 block_suspend;
+allow vpp_t self:process { execmem execstack setsched signal }; # too benefolent
+allow vpp_t self:packet_socket { bind create setopt ioctl };
+allow vpp_t self:tun_socket { create relabelto relabelfrom };
+allow vpp_t self:udp_socket { create ioctl };
+allow vpp_t self:unix_dgram_socket { connect create ioctl };
+allow vpp_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_dirs_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
+manage_files_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
+allow vpp_t vpp_lib_t:file execute;
+files_var_lib_filetrans(vpp_t, vpp_lib_t, {file dir})
+
+manage_dirs_pattern(vpp_t, vpp_log_t, vpp_log_t)
+manage_files_pattern(vpp_t, vpp_log_t, vpp_log_t)
+logging_log_filetrans(vpp_t, vpp_log_t, {file dir})
+
+manage_dirs_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
+manage_files_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
+manage_sock_files_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
+allow vpp_t vpp_var_run_t:dir mounton;
+files_pid_filetrans(vpp_t, vpp_var_run_t, { dir sock_file file })
+
+manage_dirs_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
+manage_files_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
+manage_sock_files_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
+allow vpp_t vpp_tmp_t:dir mounton;
+files_tmp_filetrans(vpp_t, vpp_tmp_t, { dir sock_file file })
+
+manage_dirs_pattern(vpp_t, vpp_tmpfs_t, vpp_tmpfs_t)
+manage_files_pattern(vpp_t, vpp_tmpfs_t, vpp_tmpfs_t)
+fs_tmpfs_filetrans(vpp_t, vpp_tmpfs_t, { dir file })
+
+read_files_pattern(vpp_t, vpp_config_rw_t, vpp_config_rw_t)
+
+kernel_read_system_state(vpp_t)
+kernel_read_network_state(vpp_t)
+kernel_dgram_send(vpp_t)
+kernel_request_load_module(vpp_t)
+
+auth_read_passwd(vpp_t)
+
+corenet_rw_tun_tap_dev(vpp_t)
+
+dev_rw_userio_dev(vpp_t)
+dev_rw_sysfs(vpp_t)
+dev_read_cpuid(vpp_t)
+dev_rw_vfio_dev(vpp_t)
+
+domain_obj_id_change_exemption(vpp_t)
+
+fs_manage_hugetlbfs_dirs(vpp_t)
+fs_manage_hugetlbfs_files(vpp_t)
+allow vpp_t hugetlbfs_t:filesystem { getattr mount unmount };
+fs_getattr_tmpfs(vpp_t)
+
+logging_send_syslog_msg(vpp_t)
+
+miscfiles_read_generic_certs(vpp_t)
+
+userdom_list_user_home_content(vpp_t)
+
+optional_policy(`
+    virt_stream_connect_svirt(vpp_t)
+')
+
+optional_policy(`
+    unconfined_attach_tun_iface(vpp_t)
+')
+
+
+########################################
+#
+# svirt local policy for vpp
+#
+
+allow svirt_t vpp_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(svirt_t, vpp_var_run_t, vpp_var_run_t)
+manage_files_pattern(svirt_t, vpp_var_run_t, vpp_var_run_t)
+manage_sock_files_pattern(svirt_t, vpp_var_run_t, vpp_var_run_t)
+
+allow vpp_t svirt_image_t:file { read write };
+
+
+########################################
+#
+# systemd_sysctl_t local policy for vpp
+#
+
+read_files_pattern(systemd_sysctl_t, vpp_config_rw_t, vpp_config_rw_t)
+
+