7 files changed, 536 insertions, 4 deletions

diff --git a/extras/rpm/vpp.spec b/extras/rpm/vpp.spec
index 532b9a219d4..d3bc517c5b4 100644
--- a/extras/rpm/vpp.spec
+++ b/extras/rpm/vpp.spec
@@ -24,12 +24,30 @@
 
 %{?systemd_requires}
 
+
+# SELinux Related definitions
+%global selinuxtype targeted
+%global moduletype  services
+%global modulenames vpp-custom
+
+# Usage: _format var format
+#   Expand 'modulenames' into various formats as needed
+#   Format must contain '$x' somewhere to do anything useful
+%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
+
+# Relabel files
+%global relabel_files() \ # ADD files in *.fc file
+
+# Version of distribution SELinux policy package
+%global selinux_policyver 3.13.1-128.6.fc22
+
+
 Name: vpp
 Summary: Vector Packet Processing
 License: ASL 2.0
 Version: %{_version}
 Release: %{_release}
-Requires: vpp-lib = %{_version}-%{_release}, net-tools, pciutils, python
+Requires: vpp-lib = %{_version}-%{_release}, vpp-selinux-policy = %{_version}-%{_release}, net-tools, pciutils, python
 BuildRequires: systemd, chrpath
 BuildRequires: check, check-devel
 BuildRequires: subunit, subunit-devel
@@ -51,6 +69,7 @@ BuildRequires: apr-devel
 BuildRequires: numactl-devel
 BuildRequires: autoconf automake libtool byacc bison flex
 BuildRequires: boost boost-devel
+BuildRequires: selinux-policy selinux-policy-devel
 
 Source: %{name}-%{_version}-%{_release}.tar.xz
 # Source: vpp-latest.tar.xz
@@ -64,6 +83,7 @@ vpp_json_test - vector packet engine JSON test tool
 %package lib
 Summary: VPP libraries
 Group: System Environment/Libraries
+Requires: vpp-selinux-policy = %{_version}-%{_release}
 
 %description lib
 This package contains the VPP shared libraries, including:
@@ -119,6 +139,14 @@ Requires: vpp = %{_version}-%{_release}, vpp-lib = %{_version}-%{_release}, pyth
 %description api-python
 This package contains the python bindings for the vpp api
 
+%package selinux-policy
+Summary: VPP Security-Enhanced Linux (SELinux) policy
+Group: System Environment/Base
+Requires(post): selinux-policy-base >= %{selinux_policyver}, selinux-policy-targeted >= %{selinux_policyver}, policycoreutils, policycoreutils-python libselinux-utils
+
+%description selinux-policy
+This package contains a tailored VPP SELinux policy
+
 %prep
 # Unpack into dir with longer name as work around of debugedit bug in in rpm-build 4.13
 rm -rf %{name}-%{_version}
@@ -142,6 +170,7 @@ cd '%{_tmp_build_dir}'
     make -C build-root PLATFORM=vpp AESNI=n TAG=%{_vpp_tag} install-packages
 %endif
 cd %{_mu_build_dir}/../src/vpp-api/python && %py2_build
+cd %{_mu_build_dir}/../extras/selinux && make -f %{_datadir}/selinux/devel/Makefile
 
 %install
 #
@@ -207,6 +236,19 @@ done
 # Python bindings
 cd %{_mu_build_dir}/../src/vpp-api/python && %py2_install
 
+# SELinux Policy
+# Install SELinux interfaces
+%_format INTERFACES %{_mu_build_dir}/../extras/selinux/$x.if
+install -d %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -p -m 644 $INTERFACES \
+    %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+
+# Install policy modules
+%_format MODULES %{_mu_build_dir}/../extras/selinux/$x.pp
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 0644 $MODULES \
+    %{buildroot}%{_datadir}/selinux/packages
+
 #
 # devel
 #
@@ -237,6 +279,10 @@ do
 	   %{buildroot}/usr/share/doc/vpp/examples/sample-plugin/$file )
 done
 
+# vppctl sockfile directory
+mkdir -p -m755 %{buildroot}%{_localstatedir}/run/vpp
+# vpp.log directory
+mkdir -p -m755 %{buildroot}%{_localstatedir}/log/vpp
 
 #
 # vpp-plugins
@@ -274,6 +320,15 @@ fi
 %preun
 %systemd_preun vpp.service
 
+%post selinux-policy
+%_format MODULES %{_datadir}/selinux/packages/$x.pp
+%{_sbindir}/semodule -n -X 400 -s %{selinuxtype} -i $MODULES
+if %{_sbindir}/selinuxenabled ; then
+    %{_sbindir}/load_policy
+    %relabel_files
+fi
+
+
 %postun
 %systemd_postun
 if [ $1 -eq 0 ] ; then
@@ -299,6 +354,15 @@ else
     echo "Upgrading package, dont' unbind interfaces"
 fi
 
+%postun selinux-policy
+if [ $1 -eq 0 ]; then
+    %{_sbindir}/semodule -n -r %{modulenames}
+    if %{_sbindir}/selinuxenabled ; then
+        %{_sbindir}/load_policy
+        %relabel_files
+    fi
+fi
+
 %files
 %defattr(-,bin,bin)
 %{_unitdir}/vpp.service
@@ -309,6 +373,12 @@ fi
 %config(noreplace) /etc/vpp/startup.conf
 /usr/share/vpp/api/*
 
+%defattr(-,root,vpp)
+%{_localstatedir}/run/vpp*
+
+%defattr(-,root,root)
+%{_localstatedir}/log/vpp*
+
 %files lib
 %defattr(-,bin,bin)
 %exclude %{_libdir}/vpp_plugins
@@ -330,6 +400,11 @@ fi
 %defattr(644,root,root)
 %{python2_sitelib}/vpp_papi*
 
+%files selinux-policy
+%defattr(-,root,root,0755)
+%attr(0644,root,root) %{_datadir}/selinux/packages/*.pp
+%attr(0644,root,root) %{_datadir}/selinux/devel/include/%{moduletype}/*.if
+
 %files devel
 %defattr(-,bin,bin)
 /usr/bin/vppapigen
diff --git a/extras/selinux/selinux_doc.md b/extras/selinux/selinux_doc.md
new file mode 100644
index 00000000000..e71bd658286
--- /dev/null
+++ b/extras/selinux/selinux_doc.md
@@ -0,0 +1,294 @@
+# SELinux - VPP Custom SELinux Policy    {#selinux_doc}
+
+## Overview
+
+Security-enhanced Linux (SELinux) is a security feature in the Linux kernel. At
+a very high level, SELinux implements mandatory access controls (MAC), as
+opposed to discretionary access control (DAC) implemented in standard Linux. MAC
+defines how processes can interact with other system components (Files,
+Directories, Other Processes, Pipes, Sockets, Network Ports). Each system
+component is assigned a label, and then the SELinux Policy defines which labels
+and which actions on each label a process is able to perform. The VPP Custom
+SELinux Policy defines the actions VPP is allowed to perform on which labels.
+
+The VPP Custom SELinux Policy is intended to be installed on RPM based platforms
+(tested on CentOS 7 and RHEL 7). Though SELinux can run on Debian platforms, it
+typically is not and therefore is not currently being built for Debian.
+
+The VPP Custom SELinux Policy does not enable or disable SELinux, only allows
+VPP to run when SELinux is enabled. A fresh install of either Fedora, CentOS or
+RHEL will have SELinux enabled by default. To determine if SELinux is enabled on
+a given system and enable it if needed, run:
+
+```
+   $ getenforce
+   Permissive
+
+   $ sudo setenforce 1
+
+   $ getenforce
+   Enforcing
+```
+
+To make the change persistent, modify the following file to set
+`SELINUX=enforcing`:
+
+```
+   $ sudo vi /etc/selinux/config
+   :
+   # This file controls the state of SELinux on the system.
+   # SELINUX= can take one of these three values:
+   #     enforcing - SELinux security policy is enforced.
+   #     permissive - SELinux prints warnings instead of enforcing.
+   #     disabled - No SELinux policy is loaded.
+   SELINUX=enforcing
+   :
+```
+
+## Installation
+
+To install VPP, see the installation instructions on the VPP Wiki
+(https://wiki.fd.io/view/VPP/Installing_VPP_binaries_from_packages). The VPP
+Custom SELinux Policy is packaged in its own RPM starting in 18.04,
+`vpp-selinux-policy-<VERSION>-<RELEASE>.rpm`. It is packaged and installed along
+with the other VPP RPMs.
+
+### Fresh Install of VPP
+
+If VPP has never been installed on a system, then starting in 18.04, the VPP
+Custom SELinux Policy will be installed with the other RPMs and all the system
+components managed by VPP will be labeled properly.
+
+### Fix SELinux Labels for VPP
+In the case where the VPP Custom Policy is being installed for the first time,
+either because VPP has been upgraded or packages were removed and then
+reinstalled, several directories and files will not not be properly labeled. The
+labels on these files will need to be fixed for VPP to run properly with SELinux
+enabled. After the VPP Custom SELinux Policy is installed, run the following
+commands to fix the labels. If VPP is already running, make sure to restart
+VPP after the labels are fixed. This change is persistent for the life of the
+file. Once the VPP Custom Policy is installed on the system, subsequent files
+created by VPP will be labeled properly. This is only to fix files created by
+VPP prior to the VPP Custom Policy being installed.
+
+```
+  $ sudo restorecon -Rv /etc/vpp/
+  $ sudo restorecon -Rv /usr/lib/vpp_api_test_plugins/
+  $ sudo restorecon -Rv /usr/lib/vpp_plugins/
+  $ sudo restorecon -Rv /usr/share/vpp/
+  $ sudo restorecon -Rv /var/run/vpp/
+
+  $ sudo chcon -t vpp_tmp_t /tmp/vpp_*
+  $ sudo chcon -t vpp_var_run_t /var/run/.vpp_*
+```
+
+**NOTE:** Because the VPP APIs allow custom filenames in certain scenarios, the
+above commands may not handle all files. Inspect your system and correct any
+files that are mislabeled. For example, to verify all VPP files in `/tmp/` are
+labeled properly, run:
+
+```
+  $ sudo ls -alZ /tmp/
+```
+
+Any files not properly labeled with `vpp_tmp_t`, run:
+
+```
+  $ sudo chcon -t vpp_tmp_t /tmp/<filename>
+```
+
+## VPP Files
+
+### Recommended Default File Directories
+
+Documentation in the VPP Wiki (https://wiki.fd.io/view/VPP/) and doxygen
+generated documentation have examples with files located in certain directories.
+Some of the recommend file locations have been moved to satisfy SELinux. Most of
+the documentation has been updated, but links to older documentation still exist
+and there may have been instances that were missed. Use the file locations
+described below to allow SELinux to properly label the given files.
+
+File locations that have changed:
+* VPP Debug CLI Script Files
+* vHost Sockets
+* VPP Log Files
+
+#### VPP Debug CLI Script Files
+
+The VPP Debug CLI, `vppctl`, allows a sequence of CLI commands to be read from a
+file and executed. To avoid from having to grant VPP access to all of `/tmp/` and
+possibly `/home/` sub-directories, it is recommended that any VPP Debug CLI script
+files be placed in a common directory such as `/usr/share/vpp/`.
+
+For example:
+```
+$ cat /usr/share/vpp/scripts/gigup.txt
+set interface state GigabitEthernet0/8/0 up
+set interface state GigabitEthernet0/9/0 up
+```
+
+To execute:
+```
+$ vppctl exec /usr/share/vpp/scripts/gigup.txt
+```
+Or
+```
+$ vppctl
+    _______    _        _   _____  ___
+ __/ __/ _ \  (_)__    | | / / _ \/ _ \
+ _/ _// // / / / _ \   | |/ / ___/ ___/
+ /_/ /____(_)_/\___/   |___/_/  /_/
+
+vpp# exec /usr/share/vpp/scripts/gigup.txt
+vpp# quit
+
+```
+
+If the file is not labeled properly, you will see something similar to:
+```
+$ vppctl exec /home/<user>/dev/vpp/scripts/vppctl/gigup.txt
+exec: failed to open `/home/<user>/dev/vpp/scripts/vppctl/gigup.txt': Permission denied
+
+$ ls -alZ
+drwxrwxr-x. <user> <user> unconfined_u:object_r:user_home_t:s0 .
+drwxrwxr-x. <user> <user> unconfined_u:object_r:user_home_t:s0 ..
+-rw-r--r--. <user> <user> unconfined_u:object_r:user_home_t:s0 gigup.txt
+```
+
+##### Original Documentation
+
+Some of the original documentation showed script files being executed out of
+`/tmp/`. Convenience also may lead to script files being placed in
+`/home/<user>/` subdirectories. If a file is generated by the VPP process in
+`/tmp/`, for example a trace file or pcap file, it will get properly labeled
+with the SELinux label `vpp_tmp_t`. When a file is created, unless a rule is in
+place for the process that created it, the file will inherit the SELinux label
+of the parent directory. So if a user creates a file themselves in `/tmp/`, it
+will get the SELinux label `tmp_t`, which VPP does not have permission to
+access. Therefore it is recommended that script files are located as described
+above.
+
+#### vHost Sockets
+
+vHost sockets are created from VPP perspective in either Server or Client mode.
+In Server mode, the socket name is provided to VPP and VPP creates the socket.
+In Client mode, the socket name is provided to VPP and the hypervisor creates
+the socket. In order for VPP and hypervisor to share the socket resource with
+SELinux enabled, a rule in the VPP Custom SELinux Policy has been added. This
+rules allows processes with the `svirt_t` label (the hypervisor) to access
+sockets with the `vpp_var_run_t` label. As such, when SELinux is enabled,
+vHost sockets should be created in the directory `/var/run/vpp/`.
+
+##### Original Documentation
+
+Some of the original documentation showed vHost sockets being created in the
+directory `/tmp/`. To work properly with SELinux enabled, vHost sockets should be
+created as described above.
+
+#### VPP Log Files
+
+The VPP log file location is set by updating the `/etc/vpp/startup.conf` file:
+
+```
+vi /etc/vpp/startup.conf
+unix {
+:
+  log /var/log/vpp/vpp.log
+:
+}
+
+```
+
+By moving the log file to `/var/log/vpp/`, it will get the label `vpp_log_t`,
+which indicates that the files are log files so they benefit from the
+associated rules (for example granting rights to logrotate so that it can
+manipulate them).
+
+##### Original Documentation
+
+The default `startup.conf` file creates the VPP log file in `/tmp/vpp.log`. By
+leaving the log file in `/tmp/`, it will get the label `vpp_tmp_t`. Moving it
+to `/var/log/vpp/`, it will get the label `vpp_log_t`.
+
+### Use of Non-default File Directories
+
+VPP installs multiple files on the system.
+Some files have fixed directory and file names:
+- /etc/bash_completion.d/vppctl_completion
+- /etc/sysctl.d/80-vpp.conf
+- /usr/lib/systemd/system/vpp.service
+
+Others files have default directory and file names but the default can be
+overwritten:
+- /etc/vpp/startup.conf
+  - Can be changed via the `/usr/lib/systemd/system/vpp.service` file by
+    changing the -c option on the VPP command line:
+
+```
+ExecStart=/usr/bin/vpp -c /etc/vpp/startup.conf
+```
+
+- /run/vpp/cli.sock
+  - Can be changed via the `/etc/vpp/startup.conf` file by changing the
+    cli-listen setting:
+
+```
+unix {
+:
+  cli-listen /run/vpp/cli.sock
+:
+}
+```
+
+
+- /var/log/vpp/vpp.log
+  - Can be changed via the `/etc/vpp/startup.conf` file by changing the log
+    setting:
+
+```
+unix {
+  :
+  log /var/log/vpp/vpp.log
+  :
+}
+
+```
+
+If the directory of any VPP installed files is changed from the default, ensure
+that the proper SELiunx label is applied. The SELinux label can be determined by
+passing the -Z option to many common Linux commands:
+
+```
+ls -alZ /run/vpp/
+drwxr-xr-x. root vpp  system_u:object_r:vpp_var_run_t:s0 .
+drwxr-xr-x. root root system_u:object_r:var_run_t:s0     ..
+srwxrwxr-x. root vpp  system_u:object_r:vpp_var_run_t:s0 cli.sock
+```
+
+### VPP SELinux Types ###
+
+The following SELinux types are created by the VPP Custom SELinux Policy:
+- `vpp_t` - Applied to:
+  - VPP process and spawned threads.
+
+- `vpp_config_rw_t` - Applied to:
+  - `/etc/vpp/*`
+
+- `vpp_tmp_t` - Applied to:
+  - `/tmp/*`
+
+- `vpp_exec_t` - Applied to:
+  - `/usr/bin/*`
+
+- `vpp_lib_t` - Applied to:
+  - `/usr/lib/vpp_api_test_plugins/*`
+  - `/usr/lib/vpp_plugins/*`
+
+- `vpp_unit_file_t` - Applied to:
+  - `/usr/lib/systemd/system/vpp.*`
+
+- `vpp_log_t` - Applied to:
+  - `/var/log/vpp/*`
+
+- `vpp_var_run_t` - Applied to:
+  - `/var/run/vpp/*`
diff --git a/extras/selinux/vpp-custom.fc b/extras/selinux/vpp-custom.fc
new file mode 100644
index 00000000000..5b9d277ebea
--- /dev/null
+++ b/extras/selinux/vpp-custom.fc
@@ -0,0 +1,22 @@
+/etc/vpp(/.*)?					gen_context(system_u:object_r:vpp_config_rw_t,s0)
+
+/usr/bin/elftool			--	gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/jvpp_gen.py			--	gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/svmdbtool			--	gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/svmtool			--	gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/vpp				--	gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/vppapigen			-- 	gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/vpp_api_test			-- 	gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/vppctl				--	gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/vpp_get_metrics		--	gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/vpp_json_test			--	gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/vpp_restart			--	gen_context(system_u:object_r:vpp_exec_t,s0)
+
+/usr/lib/systemd/system/vpp.*		--	gen_context(system_u:object_r:vpp_unit_file_t,s0)
+
+/usr/lib/vpp_plugins(/.*)?			gen_context(system_u:object_r:vpp_lib_t,s0)
+/usr/lib/vpp_api_test_plugins(/.*)?		gen_context(system_u:object_r:vpp_lib_t,s0)
+
+/var/log/vpp(/.*)?				gen_context(system_u:object_r:vpp_log_t,s0)
+
+/var/run/vpp(/.*)?				gen_context(system_u:object_r:vpp_var_run_t,s0)
diff --git a/extras/selinux/vpp-custom.if b/extras/selinux/vpp-custom.if
new file mode 100644
index 00000000000..573da143cbb
--- /dev/null
+++ b/extras/selinux/vpp-custom.if
@@ -0,0 +1,2 @@
+##
+ VPP service.
\ No newline at end of file
diff --git a/extras/selinux/vpp-custom.te b/extras/selinux/vpp-custom.te
new file mode 100644
index 00000000000..e0a1f64d018
--- /dev/null
+++ b/extras/selinux/vpp-custom.te
@@ -0,0 +1,139 @@
+policy_module(vpp-custom,1.0)
+
+########################################
+#
+# Declarations
+#
+
+gen_require(`
+    type hugetlbfs_t;
+    type svirt_t;
+    type svirt_image_t;
+    type systemd_sysctl_t;
+    class capability sys_admin;
+')
+
+type vpp_t;
+type vpp_exec_t;
+init_daemon_domain(vpp_t, vpp_exec_t)
+
+type vpp_config_rw_t;
+files_config_file(vpp_config_rw_t)
+
+type vpp_lib_t; # if there is vpp_var_lib_t, we don't need vpp_lib_t
+files_type(vpp_lib_t)
+
+type vpp_log_t;
+logging_log_file(vpp_log_t)
+
+type vpp_var_run_t;
+files_type(vpp_var_run_t)
+
+type vpp_unit_file_t;
+systemd_unit_file(vpp_unit_file_t)
+
+type vpp_tmpfs_t;
+files_tmpfs_file(vpp_tmpfs_t)
+
+type vpp_tmp_t;
+files_tmp_file(vpp_tmp_t)
+
+########################################
+#
+# vpp local policy
+#
+
+allow vpp_t self:capability { dac_override ipc_lock setgid sys_rawio net_raw sys_admin }; # too benefolent
+dontaudit vpp_t self:capability2 block_suspend;
+allow vpp_t self:process { execmem execstack setsched signal }; # too benefolent
+allow vpp_t self:packet_socket { bind create setopt ioctl };
+allow vpp_t self:tun_socket { create relabelto relabelfrom };
+allow vpp_t self:udp_socket { create ioctl };
+allow vpp_t self:unix_dgram_socket { connect create ioctl };
+allow vpp_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_dirs_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
+manage_files_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
+allow vpp_t vpp_lib_t:file execute;
+files_var_lib_filetrans(vpp_t, vpp_lib_t, {file dir})
+
+manage_dirs_pattern(vpp_t, vpp_log_t, vpp_log_t)
+manage_files_pattern(vpp_t, vpp_log_t, vpp_log_t)
+logging_log_filetrans(vpp_t, vpp_log_t, {file dir})
+
+manage_dirs_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
+manage_files_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
+manage_sock_files_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
+allow vpp_t vpp_var_run_t:dir mounton;
+files_pid_filetrans(vpp_t, vpp_var_run_t, { dir sock_file file })
+
+manage_dirs_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
+manage_files_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
+manage_sock_files_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
+allow vpp_t vpp_tmp_t:dir mounton;
+files_tmp_filetrans(vpp_t, vpp_tmp_t, { dir sock_file file })
+
+manage_dirs_pattern(vpp_t, vpp_tmpfs_t, vpp_tmpfs_t)
+manage_files_pattern(vpp_t, vpp_tmpfs_t, vpp_tmpfs_t)
+fs_tmpfs_filetrans(vpp_t, vpp_tmpfs_t, { dir file })
+
+read_files_pattern(vpp_t, vpp_config_rw_t, vpp_config_rw_t)
+
+kernel_read_system_state(vpp_t)
+kernel_read_network_state(vpp_t)
+kernel_dgram_send(vpp_t)
+kernel_request_load_module(vpp_t)
+
+auth_read_passwd(vpp_t)
+
+corenet_rw_tun_tap_dev(vpp_t)
+
+dev_rw_userio_dev(vpp_t)
+dev_rw_sysfs(vpp_t)
+dev_read_cpuid(vpp_t)
+dev_rw_vfio_dev(vpp_t)
+
+domain_obj_id_change_exemption(vpp_t)
+
+fs_manage_hugetlbfs_dirs(vpp_t)
+fs_manage_hugetlbfs_files(vpp_t)
+allow vpp_t hugetlbfs_t:filesystem { getattr mount unmount };
+fs_getattr_tmpfs(vpp_t)
+
+logging_send_syslog_msg(vpp_t)
+
+miscfiles_read_generic_certs(vpp_t)
+
+userdom_list_user_home_content(vpp_t)
+
+optional_policy(`
+    virt_stream_connect_svirt(vpp_t)
+')
+
+optional_policy(`
+    unconfined_attach_tun_iface(vpp_t)
+')
+
+
+########################################
+#
+# svirt local policy for vpp
+#
+
+allow svirt_t vpp_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(svirt_t, vpp_var_run_t, vpp_var_run_t)
+manage_files_pattern(svirt_t, vpp_var_run_t, vpp_var_run_t)
+manage_sock_files_pattern(svirt_t, vpp_var_run_t, vpp_var_run_t)
+
+allow vpp_t svirt_image_t:file { read write };
+
+
+########################################
+#
+# systemd_sysctl_t local policy for vpp
+#
+
+read_files_pattern(systemd_sysctl_t, vpp_config_rw_t, vpp_config_rw_t)
+
+
diff --git a/extras/vpp_config/data/startup.conf.template b/extras/vpp_config/data/startup.conf.template
index 91b92c62aea..912bbc4b085 100644
--- a/extras/vpp_config/data/startup.conf.template
+++ b/extras/vpp_config/data/startup.conf.template
@@ -1,7 +1,7 @@
 
 unix {{
 {unix}
-  log /tmp/vpp.log
+  log /var/log/vpp/vpp.log
   full-coredump
   cli-listen /run/vpp/cli.sock
 }}
diff --git a/extras/vpp_config/vpplib/AutoConfig.py b/extras/vpp_config/vpplib/AutoConfig.py
index 36b6833e7a9..26603e8e380 100644
--- a/extras/vpp_config/vpplib/AutoConfig.py
+++ b/extras/vpp_config/vpplib/AutoConfig.py
@@ -1637,7 +1637,7 @@ class AutoConfig(object):
             question = "Would you like connect this interface {} to the VM [Y/n]? ".format(name)
             answer = self._ask_user_yn(question, 'y')
             if answer == 'y':
-                sockfilename = '/tmp/sock{}.sock'.format(inum)
+                sockfilename = '/var/run/vpp/sock{}.sock'.format(inum)
                 if os.path.exists(sockfilename):
                     os.remove(sockfilename)
                 cmd = 'vppctl create vhost-user socket {} server'.format(sockfilename)
@@ -1679,7 +1679,7 @@ class AutoConfig(object):
             for intf in ints_with_vints:
                 vhoststr = 'comment { The following command creates the socket }\n'
                 vhoststr += 'comment { and returns a virtual interface }\n'
-                vhoststr += 'comment {{ create vhost-user socket /tmp/sock{}.sock server }}\n'. \
+                vhoststr += 'comment {{ create vhost-user socket /var/run/vpp/sock{}.sock server }}\n'. \
                     format(intf['bridge'])
 
                 setintdnstr = 'set interface state {} down\n'.format(intf['name'])