This series enables an selinux policy which works with dpdk. The policy was tested on a RHEL7 system with vfio, and vhostuser server sockets, while passing traffic.

The first patch will change the build system so that .in files can support @begin_dpdk@ / @end_dpdk@ blocks. This allows conditionally including code for dpdk in languages without preprocessor directives.

The second patch renames the openvswitch-custom.te policy to openvswitch.te.in and inserts a dpdk macro which will be called when dpdk is enabled to give openvswitch access to hugepage information, additional unix socket support, and additional filesystem access.

Aaron Conole (2):
  soexpand: enable dpdk specific blocks
  selinux: enable dpdk permissions

 Makefile.am                      |  6 +++++-
 build-aux/soexpand.pl            | 25 ++++++++++++++++++++++---
 selinux/automake.mk              |  1 +
 selinux/openvswitch-custom.te    | 16 ----------------
 selinux/openvswitch-custom.te.in | 40 ++++++++++++++++++++++++++++++++++++++++
 5 files changed, 68 insertions(+), 20 deletions(-)
 delete mode 100644 selinux/openvswitch-custom.te
 create mode 100644 selinux/openvswitch-custom.te.in

--
2.9.3
