field | value | date |
---|---|---|
author | Billy McFall <bmcfall@redhat.com> | 2018-01-15 17:54:52 -0500 |
committer | Damjan Marion <dmarion.lists@gmail.com> | 2018-01-30 13:26:20 +0000 |
commit | 28cf3b7da279c0755f6dc345c0973d1e3017e9ca | |
tree | ff82873f655f6b52e1673df75f3a12b19c106fde /src/vlib/unix | |
parent | c0379aec241c78fe07074fa7e63a5009a4e7944a | |
VPP-899: Run VPP under SELinux
Add an SELinux profile such that VPP can run under SELinux on RPM based
platforms. The SELinux Policy is currently only implemented for RPM
packages, specifically, Fedora, CentOS and RHEL. Doxygen User
Documentation has been included (selinux_doc.md). Once some discussion
on file locations has completed (see vpp-devlist), updates to the Debug
CLI documentation will also need to be updated.
Additional changes:
Patch Set 2:
- Rework selinux_doc.md such that each line is only 80 characters
instead of each sentence on a line. Made additional minor changes
to the text.
- Update vHost Debug CLI documentation to reflect new socket location.
Cleaned up some text from when I originally wrote it, to better
reflect proper use.
- Update exec Debug CLI documentation to be more in line with suggested
helptext, added text regarding recommended script file location.
- For Debian builds, create the /var/log/vpp/ directory. I don't use
Debian very much, so please pay extra attention to
build-data/platforms.mk and build-root/deb/debian/.gitignore.
- Per discussion on VPP call, changed the default log location to
/var/log/vpp/vpp.log.
- Changed the socket location for vHost in AutoConfig to
/var/run/vpp/.
Patch Set 3:
- Update selinux_doc.md based on comments.
Change-Id: I400520dc33f1ca51012d09ef8fe5a7b7b96c631e
Signed-off-by: Billy McFall <bmcfall@redhat.com>
Diffstat (limited to 'src/vlib/unix')
-rw-r--r-- | src/vlib/unix/cli.c | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/src/vlib/unix/cli.c b/src/vlib/unix/cli.c index 9f5862a036f..0cf4ed38fe3 100644 --- a/src/vlib/unix/cli.c +++ b/src/vlib/unix/cli.c @@ -3011,16 +3011,32 @@ done: } /*? - * Executes a sequence of CLI commands which are read from a file. - * - * If a command is unrecognised or otherwise invalid then the usual CLI + * Executes a sequence of CLI commands which are read from a file. If + * a command is unrecognised or otherwise invalid then the usual CLI * feedback will be generated, however execution of subsequent commands * from the file will continue. + * + * The VPP code is indifferent to the file location. However, if SELinux + * is enabled, then the file needs to have an SELinux label the VPP + * process is allowed to access. For example, if a file is created in + * '<em>/usr/share/vpp/</em>', it will be allowed. However, files manually + * created in '/tmp/' or '/home/<user>/' will not be accessible by the VPP + * process when SELinux is enabled. + * + * @cliexpar + * Sample file: + * @clistart + * <b><em>$ cat /usr/share/vpp/scripts/gigup.txt</em></b> + * set interface state GigabitEthernet0/8/0 up + * set interface state GigabitEthernet0/9/0 up + * @cliend + * Example of how to execute a set of CLI commands from a file: + * @cliexcmd{exec /usr/share/vpp/scripts/gigup.txt} ?*/ /* *INDENT-OFF* */ VLIB_CLI_COMMAND (cli_exec, static) = { .path = "exec", - .short_help = "Execute commands from file", + .short_help = "exec <filename>", .function = unix_cli_exec, .is_mp_safe = 1, }; |
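Review bot: In the added SELinux paragraph of the exec help comment, '/home/<user>/' is left unescaped inside a Doxygen block that already relies on HTML markup (<em>, <b>), so <user> is likely to be treated as an unknown tag and dropped or flagged in the generated docs; write it as '/home/\<user\>/' or with &lt; and &gt;. The same paragraph wraps '/usr/share/vpp/' in <em> but leaves '/tmp/' and '/home/<user>/' plain, which is worth making consistent. On the wording, the first sentence correctly says that access depends on the file's SELinux label, but the example that follows ("if a file is created in '/usr/share/vpp/', it will be allowed") reads as if the directory itself grants access; consider saying that a file created there receives a label the VPP process may read, and note what the operator sees from exec when the label is wrong, since the comment otherwise only promises "the usual CLI feedback" for invalid commands. The new .short_help "exec <filename>" matches the usage form and looks fine.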