I have pushed an initial pass at a VPP Custom SELinux Policy to Gerrit for
review. Prior to the start of this venture, I knew zero about SELinux, so
please let me know if you see something you don't like. That being said,
the internal Red Hat SELinux team has reviewed and blessed it. If you have
any interest, see: https://gerrit.fd.io/r/#/c/10111/

As far as I know, Debian tends not to use SELinux in favor of AppArmor. So
the SELinux Policy is currently only implemented for RPM packages,
specifically, Fedora, CentOS and RHEL. I have been in touch with Marco
regarding Suse and we will follow up with that separately.

I used the following document to keep track of notes as I implemented the
VPP Custom SELinux Policy: VPP_SELinux_FilesAndLabels
<https://docs.google.com/document/d/1OEAodU3lY3z0qLrxOmdvwqdfZCWbzLs-6Z77CeWEHE0/edit?usp=sharing>
Primarily, the document lists:
* Questions raised during implementation (most of which have been answered)
* List of files added to the system by VPP and the SELinux label they were
assigned, if any.
* List of files remaining on a system once VPP was uninstalled.
* Test Cases


Below are some questions about file and socket names and directories. Most
of these are file names and directories input by the user, so it is a
question of how we document it. Some of these only matter if SELinux is
enabled, so I don't want to force a change for the non-SELinux users.
However, I would like a discussion around the directories files are placed
in.

* Scripts
The Wiki (https://wiki.fd.io/view/VPP/Command-line_Interface_(CLI)_Guide#command_scripts)
shows examples of running command scripts out of
/tmp (i.e. - vppctl exec /tmp/script). With SELinux enabled, user created
scripts out of '/tmp' and '/home/<user>/' will not execute due to
permissions. I did all my testing by moving my scripts to
'/usr/share/vpp/scripts/'. The other option is to create a '/tmp/vpp/'
directory which I can add a rule to label as 'vpp_tmp_t' (which I have not
done yet, but can do easily). Any thoughts or preferences?

* vHost Sockets
There is a lot of discussion online about location and permissions around
vhost sockets, primarily with regards to OVS. In server mode (from vSwitch
perspective), OVS settled on '/var/run/openvswitch/', and in Client Mode
(again from vSwitch perspective), OpenStack wants '/var/lib/vhost_sockets/'.
FYI - OVS is deprecating Server mode going forward.

The Wiki and CLI Doxygen documentation for VPP show examples of vhost
sockets being created in '/tmp/'. I would like to update the documentation
to point to '/var/run/vpp/' for vhost sockets. I still have work to do on
permissions to get something like '/var/lib/vhost_sockets/' in client mode
working properly. Once again, this is purely what the documentation shows,
code doesn't care about location if SELinux is disabled.

* Log Files:
Just curious if there was any reason the default location for the log file
was '/tmp/vpp.log' and not something like '/var/log/vpp/vpp.log'?

As is, '/tmp/vpp.log' will get labeled with 'vpp_tmp_t' and works fine.
However, I also created 'vpp_log_t' along with a '/var/log/vpp/' directory
if we want to use it. By moving it, it can get labeled with vpp_var_run_t
and the correct permissions for things like logrotate are set properly.

Thanks,
Billy McFall

-- 
*Billy McFall*
Networking Group
CTO Office
*Red Hat*
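As an added illustration (not part of this message or of the Gerrit change it links), the directories and labels discussed above written as a refpolicy-style module: a type-enforcement file declaring the three types and the access the daemon domain needs, followed by the file-context rules that assign the labels. The daemon domain name vpp_t and the use of these particular refpolicy interfaces are assumptions; the real policy under review may differ.

```selinux
# ---- vpp_example.te (illustration only) ----
policy_module(vpp_example, 0.1)

require {
    type vpp_t;    # assumed name of the VPP daemon domain, not taken from the message
}

# Private file types for the three directories under discussion
type vpp_tmp_t;
files_tmp_file(vpp_tmp_t)          # /tmp/vpp/ : scripts run via 'vppctl exec'

type vpp_log_t;
logging_log_file(vpp_log_t)        # /var/log/vpp/ : log files, logrotate-friendly

type vpp_var_run_t;
files_pid_file(vpp_var_run_t)      # /var/run/vpp/ : vhost sockets, pid files

# Let the daemon create, read and manage content under each directory, and
# have new objects it creates there inherit the right label automatically
manage_dirs_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
manage_files_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
files_tmp_filetrans(vpp_t, vpp_tmp_t, { dir file })

manage_dirs_pattern(vpp_t, vpp_log_t, vpp_log_t)
manage_files_pattern(vpp_t, vpp_log_t, vpp_log_t)
logging_log_filetrans(vpp_t, vpp_log_t, { dir file })

manage_dirs_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
manage_files_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
manage_sock_files_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
files_pid_filetrans(vpp_t, vpp_var_run_t, { dir file sock_file })

# ---- vpp_example.fc (illustration only) ----
/tmp/vpp(/.*)?          gen_context(system_u:object_r:vpp_tmp_t,s0)
/var/log/vpp(/.*)?      gen_context(system_u:object_r:vpp_log_t,s0)
/var/run/vpp(/.*)?      gen_context(system_u:object_r:vpp_var_run_t,s0)
```

Once a module like this is built and loaded with semodule, running restorecon -Rv on the three directories applies the contexts to existing files, and matchpathcon on a path shows which label a new file there would receive.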
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev