Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / 9bff049b84c15813dcd70c03895bc627444778bf / . / extras / selinux / vpp-custom.te
blob: 27abbf92f854f0b4678976a9bff56ceced17735d [file] [log] [blame]
Billy McFall28cf3b72018-01-15 17:54:52 -0500[diff] [blame]1policy_module(vpp-custom,1.0)
2
3########################################
4#
5# Declarations
6#
7
8gen_require(`
9 type hugetlbfs_t;
10 type svirt_t;
11 type svirt_image_t;
12 type systemd_sysctl_t;
Christian Svensson79687d92023-02-06 17:24:26 +0100[diff] [blame]13 type hugetlbfs_t;
14 type sysfs_t;
Billy McFall28cf3b72018-01-15 17:54:52 -0500[diff] [blame]15 class capability sys_admin;
16')
17
18type vpp_t;
19type vpp_exec_t;
20init_daemon_domain(vpp_t, vpp_exec_t)
21
22type vpp_config_rw_t;
23files_config_file(vpp_config_rw_t)
24
25type vpp_lib_t; # if there is vpp_var_lib_t, we don't need vpp_lib_t
26files_type(vpp_lib_t)
27
28type vpp_log_t;
29logging_log_file(vpp_log_t)
30
31type vpp_var_run_t;
32files_type(vpp_var_run_t)
33
34type vpp_unit_file_t;
35systemd_unit_file(vpp_unit_file_t)
36
37type vpp_tmpfs_t;
38files_tmpfs_file(vpp_tmpfs_t)
39
40type vpp_tmp_t;
41files_tmp_file(vpp_tmp_t)
42
43########################################
44#
45# vpp local policy
46#
47
Billy McFall5b826102019-05-16 15:58:58 -0400[diff] [blame]48allow vpp_t self:capability { dac_override ipc_lock setgid sys_rawio net_raw sys_admin net_admin chown }; # too benevolent
Billy McFall28cf3b72018-01-15 17:54:52 -0500[diff] [blame]49dontaudit vpp_t self:capability2 block_suspend;
Victor Nguyen -T (victong2 - OTHERWISE PORTAGE at Cisco)3f8562e2018-02-27 18:20:03 +0100[diff] [blame]50allow vpp_t self:process { execmem execstack setsched signal }; # too benevolent
Martin Millnert68849352020-09-11 01:02:26 +0200[diff] [blame]51allow vpp_t self:packet_socket { bind create setopt ioctl map read write };
Billy McFall28cf3b72018-01-15 17:54:52 -0500[diff] [blame]52allow vpp_t self:tun_socket { create relabelto relabelfrom };
53allow vpp_t self:udp_socket { create ioctl };
54allow vpp_t self:unix_dgram_socket { connect create ioctl };
55allow vpp_t self:unix_stream_socket { create_stream_socket_perms connectto };
Billy McFall5b826102019-05-16 15:58:58 -0400[diff] [blame]56allow vpp_t self:netlink_route_socket { bind create nlmsg_write read write getattr setopt };
57allow vpp_t self:netlink_socket { bind create setopt };
Billy McFall28cf3b72018-01-15 17:54:52 -0500[diff] [blame]58
59manage_dirs_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
60manage_files_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
Christian Svensson79687d92023-02-06 17:24:26 +0100[diff] [blame]61allow vpp_t vpp_lib_t:file { execute map };
Billy McFall28cf3b72018-01-15 17:54:52 -0500[diff] [blame]62files_var_lib_filetrans(vpp_t, vpp_lib_t, {file dir})
63
64manage_dirs_pattern(vpp_t, vpp_log_t, vpp_log_t)
65manage_files_pattern(vpp_t, vpp_log_t, vpp_log_t)
66logging_log_filetrans(vpp_t, vpp_log_t, {file dir})
67
68manage_dirs_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
69manage_files_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
70manage_sock_files_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
71allow vpp_t vpp_var_run_t:dir mounton;
72files_pid_filetrans(vpp_t, vpp_var_run_t, { dir sock_file file })
73
74manage_dirs_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
75manage_files_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
76manage_sock_files_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
77allow vpp_t vpp_tmp_t:dir mounton;
78files_tmp_filetrans(vpp_t, vpp_tmp_t, { dir sock_file file })
79
80manage_dirs_pattern(vpp_t, vpp_tmpfs_t, vpp_tmpfs_t)
81manage_files_pattern(vpp_t, vpp_tmpfs_t, vpp_tmpfs_t)
Christian Svensson79687d92023-02-06 17:24:26 +0100[diff] [blame]82allow vpp_t vpp_tmpfs_t:file map;
Billy McFall28cf3b72018-01-15 17:54:52 -0500[diff] [blame]83fs_tmpfs_filetrans(vpp_t, vpp_tmpfs_t, { dir file })
84
85read_files_pattern(vpp_t, vpp_config_rw_t, vpp_config_rw_t)
86
87kernel_read_system_state(vpp_t)
88kernel_read_network_state(vpp_t)
89kernel_dgram_send(vpp_t)
90kernel_request_load_module(vpp_t)
91
92auth_read_passwd(vpp_t)
93
94corenet_rw_tun_tap_dev(vpp_t)
95
Billy McFall5b826102019-05-16 15:58:58 -0400[diff] [blame]96dev_rw_infiniband_dev(vpp_t)
Billy McFall28cf3b72018-01-15 17:54:52 -0500[diff] [blame]97dev_rw_userio_dev(vpp_t)
98dev_rw_sysfs(vpp_t)
99dev_read_cpuid(vpp_t)
100dev_rw_vfio_dev(vpp_t)
Billy McFall1ac36d72018-03-14 09:34:02 -0400[diff] [blame]101dev_rw_vhost( vpp_t )
Billy McFall41decea2019-05-16 09:13:50 -0400[diff] [blame]102dev_rw_generic_chr_files(vpp_t)
Billy McFall28cf3b72018-01-15 17:54:52 -0500[diff] [blame]103
104domain_obj_id_change_exemption(vpp_t)
105
106fs_manage_hugetlbfs_dirs(vpp_t)
107fs_manage_hugetlbfs_files(vpp_t)
108allow vpp_t hugetlbfs_t:filesystem { getattr mount unmount };
109fs_getattr_tmpfs(vpp_t)
110
111logging_send_syslog_msg(vpp_t)
112
113miscfiles_read_generic_certs(vpp_t)
114
115userdom_list_user_home_content(vpp_t)
116
117optional_policy(`
118 virt_stream_connect_svirt(vpp_t)
119')
120
121optional_policy(`
122 unconfined_attach_tun_iface(vpp_t)
123')
124
125
126########################################
127#
128# svirt local policy for vpp
129#
130
131allow svirt_t vpp_t:unix_stream_socket connectto;
132
133manage_dirs_pattern(svirt_t, vpp_var_run_t, vpp_var_run_t)
134manage_files_pattern(svirt_t, vpp_var_run_t, vpp_var_run_t)
135manage_sock_files_pattern(svirt_t, vpp_var_run_t, vpp_var_run_t)
136
137allow vpp_t svirt_image_t:file { read write };
138
139
140########################################
141#
142# systemd_sysctl_t local policy for vpp
143#
144
145read_files_pattern(systemd_sysctl_t, vpp_config_rw_t, vpp_config_rw_t)
146
Christian Svensson79687d92023-02-06 17:24:26 +0100[diff] [blame]147########################################
148#
149# hugetlbfs
150#
Billy McFall28cf3b72018-01-15 17:54:52 -0500[diff] [blame]151
Christian Svensson79687d92023-02-06 17:24:26 +0100[diff] [blame]152allow vpp_t hugetlbfs_t:file map;
153
154########################################
155#
156# dpdk
157#
158
159allow vpp_t sysfs_t:file map;