aboutsummaryrefslogtreecommitdiffstats
path: root/extras/selinux/vpp-custom.te
blob: 4dbc2d6de2cc48e56342374783578b07f0fa1b8c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
policy_module(vpp-custom,1.0)

########################################
#
# Declarations
#

gen_require(`
    type hugetlbfs_t;
    type svirt_t;
    type svirt_image_t;
    type systemd_sysctl_t;
    class capability sys_admin;
')

type vpp_t;
type vpp_exec_t;
init_daemon_domain(vpp_t, vpp_exec_t)

type vpp_config_rw_t;
files_config_file(vpp_config_rw_t)

type vpp_lib_t; # if there is vpp_var_lib_t, we don't need vpp_lib_t
files_type(vpp_lib_t)

type vpp_log_t;
logging_log_file(vpp_log_t)

type vpp_var_run_t;
files_type(vpp_var_run_t)

type vpp_unit_file_t;
systemd_unit_file(vpp_unit_file_t)

type vpp_tmpfs_t;
files_tmpfs_file(vpp_tmpfs_t)

type vpp_tmp_t;
files_tmp_file(vpp_tmp_t)

########################################
#
# vpp local policy
#

allow vpp_t self:capability { dac_override ipc_lock setgid sys_rawio net_raw sys_admin net_admin chown }; # too benevolent
dontaudit vpp_t self:capability2 block_suspend;
allow vpp_t self:process { execmem execstack setsched signal }; # too benevolent
allow vpp_t self:packet_socket { bind create setopt ioctl };
allow vpp_t self:tun_socket { create relabelto relabelfrom };
allow vpp_t self:udp_socket { create ioctl };
allow vpp_t self:unix_dgram_socket { connect create ioctl };
allow vpp_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow vpp_t self:netlink_route_socket { bind create nlmsg_write read write getattr setopt };
allow vpp_t self:netlink_socket { bind create setopt };

manage_dirs_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
manage_files_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
allow vpp_t vpp_lib_t:file execute;
files_var_lib_filetrans(vpp_t, vpp_lib_t, {file dir})

manage_dirs_pattern(vpp_t, vpp_log_t, vpp_log_t)
manage_files_pattern(vpp_t, vpp_log_t, vpp_log_t)
logging_log_filetrans(vpp_t, vpp_log_t, {file dir})

manage_dirs_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
manage_files_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
manage_sock_files_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
allow vpp_t vpp_var_run_t:dir mounton;
files_pid_filetrans(vpp_t, vpp_var_run_t, { dir sock_file file })

manage_dirs_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
manage_files_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
manage_sock_files_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
allow vpp_t vpp_tmp_t:dir mounton;
files_tmp_filetrans(vpp_t, vpp_tmp_t, { dir sock_file file })

manage_dirs_pattern(vpp_t, vpp_tmpfs_t, vpp_tmpfs_t)
manage_files_pattern(vpp_t, vpp_tmpfs_t, vpp_tmpfs_t)
fs_tmpfs_filetrans(vpp_t, vpp_tmpfs_t, { dir file })

read_files_pattern(vpp_t, vpp_config_rw_t, vpp_config_rw_t)

kernel_read_system_state(vpp_t)
kernel_read_network_state(vpp_t)
kernel_dgram_send(vpp_t)
kernel_request_load_module(vpp_t)

auth_read_passwd(vpp_t)

corenet_rw_tun_tap_dev(vpp_t)

dev_rw_infiniband_dev(vpp_t)
dev_rw_userio_dev(vpp_t)
dev_rw_sysfs(vpp_t)
dev_read_cpuid(vpp_t)
dev_rw_vfio_dev(vpp_t)
dev_rw_vhost( vpp_t )

domain_obj_id_change_exemption(vpp_t)

fs_manage_hugetlbfs_dirs(vpp_t)
fs_manage_hugetlbfs_files(vpp_t)
allow vpp_t hugetlbfs_t:filesystem { getattr mount unmount };
fs_getattr_tmpfs(vpp_t)

logging_send_syslog_msg(vpp_t)

miscfiles_read_generic_certs(vpp_t)

userdom_list_user_home_content(vpp_t)

optional_policy(`
    virt_stream_connect_svirt(vpp_t)
')

optional_policy(`
    unconfined_attach_tun_iface(vpp_t)
')


########################################
#
# svirt local policy for vpp
#

allow svirt_t vpp_t:unix_stream_socket connectto;

manage_dirs_pattern(svirt_t, vpp_var_run_t, vpp_var_run_t)
manage_files_pattern(svirt_t, vpp_var_run_t, vpp_var_run_t)
manage_sock_files_pattern(svirt_t, vpp_var_run_t, vpp_var_run_t)

allow vpp_t svirt_image_t:file { read write };


########################################
#
# systemd_sysctl_t local policy for vpp
#

read_files_pattern(systemd_sysctl_t, vpp_config_rw_t, vpp_config_rw_t)