diff options
author | Aaron Conole <aconole@redhat.com> | 2018-02-19 09:55:43 -0500 |
---|---|---|
committer | Ansis Atteka <aatteka@ovn.org> | 2018-02-23 10:13:52 -0800 |
commit | ee1c7296ece67b5b35e528620c645a9c3f2a5c16 (patch) | |
tree | a7358d8582e4a6a91a49d9f72d63d3f1af0359e8 /ofproto | |
parent | ee29e9feb235136f0055c124d87bd9a68bf8e71a (diff) | |
download | openvswitch-ee1c7296ece67b5b35e528620c645a9c3f2a5c16.tar.gz |
selinux: allow dpdkvhostuserclient sockets with newer libvirt
Newer libvirt and openstack versions will now label the unix socket as
an `svirt_tmpfs_t` object. This means that in order to support
deploying with the recommended configuration (using a
dpdkvhostuserclient socket), additional permissions need to be
installed as part of the selinux policy.
An example of some of the AVC violations:
type=AVC msg=audit(1518752799.102:978): avc: denied { write }
for pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518816172.126:1318): avc: denied { connectto }
for pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0"
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:system_r:svirt_t:s0:c106,c530
tclass=unix_stream_socket
Signed-off-by: Aaron Conole <aconole@redhat.com>
Acked-by: Ansis Atteka <aatteka@ovn.org>
Diffstat (limited to 'ofproto')
0 files changed, 0 insertions, 0 deletions