On 19 February 2018 at 06:55, Aaron Conole <acon...@redhat.com> wrote:
> Newer libvirt and openstack versions will now label the unix socket as
> an `svirt_tmpfs_t` object. This means that in order to support
> deploying with the recommended configuration (using a
> dpdkvhostuserclient socket), additional permissions need to be
> installed as part of the selinux policy.
>
> An example of some of the AVC violations:
>
> type=AVC msg=audit(1518752799.102:978): avc: denied { write }
> for pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94
> scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
>
> type=AVC msg=audit(1518816172.126:1318): avc: denied { connectto }
> for pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0"
> scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:system_r:svirt_t:s0:c106,c530
> tclass=unix_stream_socket
>
> Signed-off-by: Aaron Conole <acon...@redhat.com>

Acked-By: Ansis Atteka <aatt...@ovn.org>

Thanks for the patch. Will push to master,