Stephen Finucane <step...@that.guru> writes:

> On Wed, 2018-04-11 at 09:54 -0400, Aaron Conole wrote:
>> Tiago Lam <tiago....@intel.com> writes:
>> 
>> > When explaining on how to add vhost-user ports to a guest, using
>> > libvirt, the following piece of configuration is used:
>> >     <disk type='dir' device='disk'>
>> >       <driver name='qemu' type='fat'/>
>> >       <source dir='/usr/src/dpdk-stable-17.11.1'/>
>> >       <target dev='vdb' bus='virtio'/>
>> >       <readonly/>
>> >     </disk>
>> > 
>> > This is used to facilitate sharing of a DPDK directory between the host
>> > and the guest. However, for this to work, SELinux also needs to be
>> > configured (or disabled). Furthermore, if one is using Ubuntu, libvirtd
>> > would need to be put into complain-only mode in AppArmor. Instead, in [1] it
>> > is advised to use wget to get the DPDK sources over the internet, which
>> > avoids this differentiation. Thus, we drop this piece of configuration
>> > here as well and keep the example configuration as simple as possible.
>> > 
>> > This has been verified on both a Fedora 27 image and an Ubuntu 16.04 LTS
>> > image.
>> > 
>> > [1] http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dpdk-in-the-guest
>> > 
>> > Signed-off-by: Tiago Lam <tiago....@intel.com>
>> > ---
>> > 
>> > CC'ed Stephen,
>> > 
>> > I took the liberty of removing your TODO from here, as I read it to be related
>> > to the (now removed) SELinux instruction below. If you think it should still be
>> > there let me know and I'll gladly send a v2.
>> 
>> I think it should remain until the selinux issues have been addressed.
>> 
>> Is there a list somewhere of the AVC denials?  Maybe it makes sense to
>> allow them.
>
> If I'm reading this correctly, Tiago is saying these exceptions only
> happen because we're sharing an arbitrary directory with the guest to
> avoid downloading the DPDK sources twice.

Okay, I guess I read the change in the section a bit differently.  If
you think it's okay, then I'm fine (I'm always happy to see a
'setenforce 0' disappear).

> Given that there's a valid
> workaround (just fetching sources twice), simply removing that section
> of the XML removes the need to disable SELinux. If so, dropping the
> warning does make sense in my mind.
>
> Stephen
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
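Aaron's question about the list of AVC denials is the check a practitioner wants before (or instead of) reaching for 'setenforce 0': enumerate exactly what the confined QEMU process was denied, then decide whether to relabel the shared directory or allow the access. The script below is an added example, not code from this thread, from the patch, or from Open vSwitch. The audit lines it parses are constructed to look like the denials an sVirt-confined QEMU logs when it touches a host directory exposed via `<disk type='dir'>`; the contexts, pids, inodes and timestamps are made up, and the helper names `avc_summary` and `avc_allow_rules` are mine.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials and derive the allow rules
# they imply, as a targeted alternative to disabling SELinux.

# Constructed sample audit.log excerpt (NOT real output from the thread).
# It mimics the shape of denials logged when a svirt_t-confined QEMU reads
# a host directory that carries a generic usr_t label. Values are made up.
SAMPLE_AUDIT='type=AVC msg=audit(1523456789.100:401): avc:  denied  { read } for  pid=2101 comm="qemu-system-x86" name="dpdk-stable-17.11.1" dev="sda1" ino=262401 scontext=system_u:system_r:svirt_t:s0:c57,c912 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1523456789.100:402): avc:  denied  { open } for  pid=2101 comm="qemu-system-x86" path="/usr/src/dpdk-stable-17.11.1" dev="sda1" ino=262401 scontext=system_u:system_r:svirt_t:s0:c57,c912 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1523456791.250:403): avc:  denied  { read } for  pid=2101 comm="qemu-system-x86" name="Makefile" dev="sda1" ino=262455 scontext=system_u:system_r:svirt_t:s0:c57,c912 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1523456791.250:403): arch=c000003e syscall=257 success=no exit=-13'

# avc_fields: keep only "type=AVC ... denied" lines and print, per line,
#   "<scontext> <tcontext> <tclass> <perm> [<perm> ...]"
# The permission set inside "{ ... }" may hold several words.
avc_fields() {
  grep '^type=AVC ' | grep -E 'avc: +denied' |
  sed -n 's/.*denied  *{ \([^}]*\) }.*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 \3 \4 \1/p'
}

# avc_summary: one line per distinct (source type, target type, class, perm)
# with a count, sorted by the tuple. The user/role prefix and the MLS/MCS
# suffix (s0:c57,c912) are dropped so that per-VM categories collapse.
avc_summary() {
  avc_fields | awk '{
    split($1, s, ":"); split($2, t, ":");
    n = split($0, f, " ");
    for (i = 4; i <= n; i++) count[s[3] " " t[3] " " $3 " " f[i]]++
  } END { for (k in count) print count[k], k }' | sort -k2
}

# avc_allow_rules: aggregate the same denials into SELinux TE allow rules,
# one per (source type, target type:class), deduplicating permissions.
# This is the shape audit2allow would emit; review each rule before loading.
avc_allow_rules() {
  avc_fields | awk '{
    split($1, s, ":"); split($2, t, ":");
    n = split($0, f, " ");
    k = s[3] " " t[3] ":" $3;
    for (i = 4; i <= n; i++) {
      if (index(" " perms[k] " ", " " f[i] " ") == 0) {
        if (perms[k] == "") perms[k] = f[i]; else perms[k] = perms[k] " " f[i];
      }
    }
  } END { for (k in perms) print "allow " k " { " perms[k] " };" }' | sort
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | avc_allow_rules
```

On a real host the functions would be fed the output of `ausearch -m avc -ts recent` (or `grep AVC /var/log/audit/audit.log`) instead of the sample. The summary makes the decision explicit: opening `usr_t` directories and files to every `svirt_t` domain, as the generated rules would, is far broader than the single shared directory needs, so the narrower fix is usually to relabel that directory with a type the libvirt policy already grants read access to (for example `virt_content_t`, which libvirt documents for read-only content) and confirm the denials stop. Either way, the denial lines are the evidence that `setenforce 0` throws away.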
