summaryrefslogtreecommitdiffstats
path: root/extras/selinux/vpp-custom.te
AgeCommit message (Collapse)AuthorFilesLines
2023-03-06misc: define SElinux mapped file permissionsChristian Svensson1-1/+16
SElinux added support for defining what files can be mmap()'d a while back. This change defines those files that VPP maps. This is needed for EL9 support Type: fix Signed-off-by: Christian Svensson <blue@cmd.nu> Change-Id: Iedd26914e29347169c4cc138628df7823ddd5691
2020-09-11misc: selinux fixes (packet_socket r/w)Martin Millnert1-1/+1
vpp-20.05 on up-to-date Centos 7.8 host with enforcing SELinux fails to create a host-interface due to two missing SELinux-permissions: vpp_t self:packet_socket { read write } This simple patch adds these two permissions. Tested successfully on local installation. The steps to reproduce: $ ip link add vpeer-host type veth peer name vpeer-vpp vpp# create host-interface name vpeer-vpp create host-interface: Permission denied (errno 13) [...] $ semodule -i vpp-packet-socket.pp vpp# create host-interface name vpeer-vpp host-vpeer-vpp Type: fix Ticket: VPP-1931 Change-Id: I2b3d92b27b9a9f26aa1c85af2946b15e83e27944 Signed-off-by: Martin Millnert <martin@millnert.se>
2019-05-31VPP-1640 - Missing rules in vpp-selinux-policyBilly McFall1-1/+2
SELinux exceptions occurring for host interfaces and with the vmxnet3 driver. Change-Id: Ia22bd82572acfa07ae287a755830abe1413f9939 Signed-off-by: Billy McFall <bmcfall@redhat.com>
2019-05-31VPP-1679 - SElinux rules are not set accordinglyBilly McFall1-2/+4
Updates to the VPP SELinux policy to support the MLX5 DPDK driver. Change-Id: I089ede88a5e9c4152178f8cf9be5ee14d8a9130f Signed-off-by: Billy McFall <bmcfall@redhat.com>
2018-03-14VPP-1197: SELinux: 'create tap' (vhost-net backend TAP) fails whenBilly McFall1-0/+2
SELinux is enable Update the SELinux Policy to allow management of the new vhost-net backend TAP interface. Change-Id: I2d0633a7fce2ee2a4d6e0008ab13599647c14f42 Signed-off-by: Billy McFall <bmcfall@redhat.com>
2018-02-28Fix SELinux capabilities. Creating a tap interface with 'tap connect' was ↵Victor Nguyen -T (victong2 - OTHERWISE PORTAGE at Cisco)1-2/+2
returning an error when VPP was launched as a service (tested on CentOS 7.3). Adding 'net_admin' to SELinux capabilities for VPP solves the issue. Change-Id: Icd0529b49adb86e7b371283a6f39af03816951c5 Signed-off-by: Victor Nguyen <victong2@cisco.com>
2018-01-30VPP-899: Run VPP under SELinuxBilly McFall1-0/+139
Add an SELinux profile such that VPP can run under SELinux on RPM based platforms. The SELinux Policy is currently only implemented for RPM packages, specifically, Fedora, CentOS and RHEL. Doxygen User Documentation has been included (selinux_doc.md). Once some discussion on file locations has completed (see vpp-devlist), updates to the Debug CLI documentation will also need to be updated. Additional changes: Patch Set 2: - Rework selinux_doc.md such that each line is only 80 characters instead of each sentence on a line. Made additonal minor chnages to the text. - Update vHost Debug CLI documentation to reflex new socket location. Cleaned up some text from when I originally wrote it, to better reflex proper use. - Update exec Debug CLI documentation to be more inline with suggested helptext, added text regarding recommended script file location. - For Debian builds, create the /var/log/vpp/ directory. I don't use Debian very much, so please pay extra attention to build-data/platforms.mk and build-root/deb/debian/.gitignore. - Per discussion on VPP call, changed the default log location to /var/log/vpp/vpp.log. - Changed the socket location for vHost in AutoConfig to /var/run/vpp/. Patch Set 3: - Update selinux_doc.md based on comments. Change-Id: I400520dc33f1ca51012d09ef8fe5a7b7b96c631e Signed-off-by: Billy McFall <bmcfall@redhat.com>