selinux: allow dpdkvhostuserclient sockets with newer libvirt
Newer libvirt and openstack versions will now label the unix socket as
an `svirt_tmpfs_t` object. This means that in order to support
deploying with the recommended configuration (using a
dpdkvhostuserclient socket), additional permissions need to be
installed as part of the selinux policy.
An example of some of the AVC violations:
type=AVC msg=audit(
1518752799.102:978): avc: denied { write }
for pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(
1518816172.126:1318): avc: denied { connectto }
for pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0"
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:system_r:svirt_t:s0:c106,c530
tclass=unix_stream_socket
Signed-off-by: Aaron Conole <aconole@redhat.com>
Acked-by: Ansis Atteka <aatteka@ovn.org>
projects / ovs.git / commit