VPP-899: Run VPP under SELinux

Add an SELinux profile such that VPP can run under SELinux on RPM based
platforms. The SELinux Policy is currently only implemented for RPM
packages, specifically, Fedora, CentOS and RHEL. Doxygen User
Documentation has been included (selinux_doc.md). Once some discussion
on file locations has completed (see vpp-devlist), updates to the Debug
CLI documentation will also need to be updated.

Additional changes:
Patch Set 2:
- Rework selinux_doc.md such that each line is only 80 characters
  instead of each sentence on a line. Made additonal minor chnages
  to the text.
- Update vHost Debug CLI documentation to reflex new socket location.
  Cleaned up some text from when I originally wrote it, to better
  reflex proper use.
- Update exec Debug CLI documentation to be more inline with suggested
  helptext, added text regarding recommended script file location.
- For Debian builds, create the /var/log/vpp/ directory. I don't use
  Debian very much, so please pay extra attention to
  build-data/platforms.mk and build-root/deb/debian/.gitignore.
- Per discussion on VPP call, changed the default log location to
  /var/log/vpp/vpp.log.
- Changed the socket location for vHost in AutoConfig to
  /var/run/vpp/.
Patch Set 3:
- Update selinux_doc.md based on comments.

Change-Id: I400520dc33f1ca51012d09ef8fe5a7b7b96c631e
Signed-off-by: Billy McFall <bmcfall@redhat.com>

3 files changed, 38 insertions, 18 deletions

diff --git a/src/vlib/unix/cli.c b/src/vlib/unix/cli.c
index 9f5862a036f..0cf4ed38fe3 100644
--- a/src/vlib/unix/cli.c
+++ b/src/vlib/unix/cli.c
@@ -3011,16 +3011,32 @@ done:
 }
 
 /*?
- * Executes a sequence of CLI commands which are read from a file.
- *
- * If a command is unrecognised or otherwise invalid then the usual CLI
+ * Executes a sequence of CLI commands which are read from a file. If
+ * a command is unrecognised or otherwise invalid then the usual CLI
  * feedback will be generated, however execution of subsequent commands
  * from the file will continue.
+ *
+ * The VPP code is indifferent to the file location. However, if SELinux
+ * is enabled, then the file needs to have an SELinux label the VPP
+ * process is allowed to access. For example, if a file is created in
+ * '<em>/usr/share/vpp/</em>', it will be allowed. However, files manually
+ * created in '/tmp/' or '/home/<user>/' will not be accessible by the VPP
+ * process when SELinux is enabled.
+ *
+ * @cliexpar
+ * Sample file:
+ * @clistart
+ * <b><em>$ cat /usr/share/vpp/scripts/gigup.txt</em></b>
+ * set interface state GigabitEthernet0/8/0 up
+ * set interface state GigabitEthernet0/9/0 up
+ * @cliend
+ * Example of how to execute a set of CLI commands from a file:
+ * @cliexcmd{exec /usr/share/vpp/scripts/gigup.txt}
 ?*/
 /* *INDENT-OFF* */
 VLIB_CLI_COMMAND (cli_exec, static) = {
   .path = "exec",
-  .short_help = "Execute commands from file",
+  .short_help = "exec <filename>",
   .function = unix_cli_exec,
   .is_mp_safe = 1,
 };
diff --git a/src/vnet/devices/virtio/vhost-user.c b/src/vnet/devices/virtio/vhost-user.c
index c7820406538..874a97dbd77 100644
--- a/src/vnet/devices/virtio/vhost-user.c
+++ b/src/vnet/devices/virtio/vhost-user.c
@@ -3355,16 +3355,23 @@ done:
  *
  * There are several parameters associated with a vHost interface:
  *
- * - <b>socket <socket-filename></b> - Name of the linux socket used by QEMU/VM and
- * VPP to manage the vHost interface. If socket does not already exist, VPP will
- * create the socket.
+ * - <b>socket <socket-filename></b> - Name of the linux socket used by hypervisor
+ * and VPP to manage the vHost interface. If in '<em>server</em>' mode, VPP will
+ * create the socket if it does not already exist. If in '<em>client</em>' mode,
+ * hypervisor will create the socket if it does not already exist. The VPP code
+ * is indifferent to the file location. However, if SELinux is enabled, then the
+ * socket needs to be created in '<em>/var/run/vpp/</em>'.
  *
- * - <b>server</b> - Optional flag to indicate that VPP should be the server for the
- * linux socket. If not provided, VPP will be the client.
+ * - <b>server</b> - Optional flag to indicate that VPP should be the server for
+ * the linux socket. If not provided, VPP will be the client. In '<em>server</em>'
+ *  mode, the VM can be reset without tearing down the vHost Interface. In
+ * '<em>client</em>' mode, VPP can be reset without bringing down the VM and
+ * tearing down the vHost Interface.
  *
  * - <b>feature-mask <hex></b> - Optional virtio/vhost feature set negotiated at
- * startup. By default, all supported features will be advertised. Otherwise,
- * provide the set of features desired.
+ * startup. <b>This is intended for degugging only.</b> It is recommended that this
+ * parameter not be used except by experienced users. By default, all supported
+ * features will be advertised. Otherwise, provide the set of features desired.
  *   - 0x000008000 (15) - VIRTIO_NET_F_MRG_RXBUF
  *   - 0x000020000 (17) - VIRTIO_NET_F_CTRL_VQ
  *   - 0x000200000 (21) - VIRTIO_NET_F_GUEST_ANNOUNCE
@@ -3382,17 +3389,14 @@ done:
  * in the name to be specified. If instance already exists, name will be used
  * anyway and multiple instances will have the same name. Use with caution.
  *
- * - <b>mode [interrupt | polling]</b> - Optional parameter specifying
- * the input thread polling policy.
- *
  * @cliexpar
  * Example of how to create a vhost interface with VPP as the client and all features enabled:
- * @cliexstart{create vhost-user socket /tmp/vhost1.sock}
+ * @cliexstart{create vhost-user socket /var/run/vpp/vhost1.sock}
  * VirtualEthernet0/0/0
  * @cliexend
  * Example of how to create a vhost interface with VPP as the server and with just
  * multiple queues enabled:
- * @cliexstart{create vhost-user socket /tmp/vhost2.sock server feature-mask 0x40400000}
+ * @cliexstart{create vhost-user socket /var/run/vpp/vhost2.sock server feature-mask 0x40400000}
  * VirtualEthernet0/0/1
  * @cliexend
  * Once the vHost interface is created, enable the interface using:
@@ -3451,7 +3455,7 @@ VLIB_CLI_COMMAND (vhost_user_delete_command, static) = {
  *    VHOST_USER_PROTOCOL_F_MQ (0)
  *    VHOST_USER_PROTOCOL_F_LOG_SHMFD (1)
  *
- *  socket filename /tmp/vhost1.sock type client errno "Success"
+ *  socket filename /var/run/vpp/vhost1.sock type client errno "Success"
  *
  * rx placement:
  *    thread 1 on vring 1
diff --git a/src/vpp/conf/startup.conf b/src/vpp/conf/startup.conf
index b18c6743869..2a12ef9ec2a 100644
--- a/src/vpp/conf/startup.conf
+++ b/src/vpp/conf/startup.conf
@@ -1,7 +1,7 @@
 
 unix {
   nodaemon
-  log /tmp/vpp.log
+  log /var/log/vpp/vpp.log
   full-coredump
   cli-listen /run/vpp/cli.sock
   gid vpp