On 19 February 2018 at 06:55, Aaron Conole <acon...@redhat.com> wrote:
> Newer libvirt and openstack versions will now label the unix socket as
> an `svirt_tmpfs_t` object.  This means that in order to support
> deploying with the recommended configuration (using a
> dpdkvhostuserclient socket), additional permissions need to be
> installed as part of the selinux policy.
>
> An example of some of the AVC violations:
>
>     type=AVC msg=audit(1518752799.102:978): avc:  denied  { write }
>     for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94
>     scontext=system_u:system_r:openvswitch_t:s0
>     tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
>
>     type=AVC msg=audit(1518816172.126:1318): avc:  denied  { connectto }
>     for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0"
>     scontext=system_u:system_r:openvswitch_t:s0
>     tcontext=system_u:system_r:svirt_t:s0:c106,c530
>     tclass=unix_stream_socket
>
> Signed-off-by: Aaron Conole <acon...@redhat.com>

Acked-By: Ansis Atteka <aatt...@ovn.org>

Thanks for the patch. Will push to master,
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
