11 Commits

Author SHA1 Message Date
Christian Svensson
79687d92fe misc: define SElinux mapped file permissions
SELinux added support for defining what files can be mmap()'d a while back.
This change defines those files that VPP maps.

This is needed for EL9 support

Type: fix

Signed-off-by: Christian Svensson <blue@cmd.nu>
Change-Id: Iedd26914e29347169c4cc138628df7823ddd5691
2023-03-06 14:22:36 +00:00
Nathan Skrzypczak
a2c9509a4a docs: convert extras doc md->rst
Type: improvement

Change-Id: Ie3b25a86b99098d2b3a21a11fc73234c8ed589d6
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-10-13 15:32:22 +00:00
Martin Millnert
68849350c5 misc: selinux fixes (packet_socket r/w)
vpp-20.05 on up-to-date CentOS 7.8 host with enforcing SELinux fails to
create a host-interface due to two missing SELinux-permissions:

vpp_t self:packet_socket { read write }

This simple patch adds these two permissions. Tested successfully on
local installation.

The steps to reproduce:

$ ip link add vpeer-host type veth peer name vpeer-vpp
vpp# create host-interface name vpeer-vpp
create host-interface: Permission denied (errno 13)
[...]
$ semodule -i vpp-packet-socket.pp
vpp# create host-interface name vpeer-vpp
host-vpeer-vpp

Type: fix
Ticket: VPP-1931
Change-Id: I2b3d92b27b9a9f26aa1c85af2946b15e83e27944
Signed-off-by: Martin Millnert <martin@millnert.se>
2020-09-11 01:25:08 +02:00
Damjan Marion
5505ee8904 misc: deprecate elftool
Type: make

Change-Id: I34fec1c40ef660177c266517eaf41d60827609f4
Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-05-07 16:47:33 +00:00
Billy McFall
41deceaf25 VPP-1640 - Missing rules in vpp-selinux-policy
SELinux exceptions occurring for host interfaces and with the
vmxnet3 driver.

Change-Id: Ia22bd82572acfa07ae287a755830abe1413f9939
Signed-off-by: Billy McFall <bmcfall@redhat.com>
2019-05-31 11:43:41 +00:00
Billy McFall
5b82610cfa VPP-1679 - SElinux rules are not set accordingly
Updates to the VPP SELinux policy to support the MLX5 DPDK driver.

Change-Id: I089ede88a5e9c4152178f8cf9be5ee14d8a9130f
Signed-off-by: Billy McFall <bmcfall@redhat.com>
2019-05-31 11:43:26 +00:00
Billy McFall
7e5742f6d6 VPP-1640 - Missing rules in vpp-selinux-policy
Add additional section to the SELinux documentation to describe how to
collect debug information when SELinux issues are encountered. This is
purely a documentation change.

Note: Merged separate from SELinux Policy change in case policy change
needs to be cherry-picked to older releases.

Change-Id: I7ba3d3c7d84171b503d956eb01e13a680b4d53fc
Signed-off-by: Billy McFall <bmcfall@redhat.com>
2019-05-31 11:42:58 +00:00
Michal Cmarada
4e633e1043 VPP-1504: Remove JVPP
As part of JVPP migration this removes JVPP completely from VPP.

Change-Id: I6b74e7961aa474ae471e63fe43a624cd9fc3659b
Signed-off-by: Michal Cmarada <mcmarada@cisco.com>
2019-02-19 15:14:02 +00:00
Billy McFall
1ac36d7421 VPP-1197: SELinux: 'create tap' (vhost-net backend TAP) fails when
SELinux is enabled

Update the SELinux Policy to allow management of the new vhost-net
backend TAP interface.

Change-Id: I2d0633a7fce2ee2a4d6e0008ab13599647c14f42
Signed-off-by: Billy McFall <bmcfall@redhat.com>
2018-03-14 18:43:39 +00:00
Victor Nguyen -T (victong2 - OTHERWISE PORTAGE at Cisco)
3f8562eaab Fix SELinux capabilities. Creating a tap interface with 'tap connect' was returning an error when VPP was launched as a service (tested on CentOS 7.3). Adding 'net_admin' to SELinux capabilities for VPP solves the issue.
Change-Id: Icd0529b49adb86e7b371283a6f39af03816951c5
Signed-off-by: Victor Nguyen <victong2@cisco.com>
2018-02-28 14:35:30 +00:00
Billy McFall
28cf3b7da2 VPP-899: Run VPP under SELinux
Add an SELinux profile such that VPP can run under SELinux on RPM based
platforms. The SELinux Policy is currently only implemented for RPM
packages, specifically, Fedora, CentOS and RHEL. Doxygen User
Documentation has been included (selinux_doc.md). Once some discussion
on file locations has completed (see vpp-devlist), updates to the Debug
CLI documentation will also need to be updated.

Additional changes:
Patch Set 2:
- Rework selinux_doc.md such that each line is only 80 characters
  instead of each sentence on a line. Made additional minor changes
  to the text.
- Update vHost Debug CLI documentation to reflect new socket location.
  Cleaned up some text from when I originally wrote it, to better
  reflect proper use.
- Update exec Debug CLI documentation to be more in line with suggested
  helptext, added text regarding recommended script file location.
- For Debian builds, create the /var/log/vpp/ directory. I don't use
  Debian very much, so please pay extra attention to
  build-data/platforms.mk and build-root/deb/debian/.gitignore.
- Per discussion on VPP call, changed the default log location to
  /var/log/vpp/vpp.log.
- Changed the socket location for vHost in AutoConfig to
  /var/run/vpp/.
Patch Set 3:
- Update selinux_doc.md based on comments.

Change-Id: I400520dc33f1ca51012d09ef8fe5a7b7b96c631e
Signed-off-by: Billy McFall <bmcfall@redhat.com>
2018-01-30 13:26:20 +00:00