On Wed, 2018-04-11 at 09:54 -0400, Aaron Conole wrote:
> Tiago Lam <tiago....@intel.com> writes:
> > When explaining on how to add vhost-user ports to a guest, using
> > libvirt, the following piece of configuration is used:
> > <disk type='dir' device='disk'>
> >   <driver name='qemu' type='fat'/>
> >   <source dir='/usr/src/dpdk-stable-17.11.1'/>
> >   <target dev='vdb' bus='virtio'/>
> >   <readonly/>
> > </disk>
> > This is used to facilitate sharing of a DPDK directory between the host
> > and the guest. However, for this to work selinux also needs to be
> > configured (or disabled). Furthermore, if one is using Ubuntu, libvirtd
> > would need to be added to complain only in AppArmor. Instead, in  it
> > is advised to use wget to get the DPDK sources over the internet, which
> > avoids this differentiation. Thus, we drop this piece of configuration
> > here as well and keep the example configuration as simple as possible.
> > This has been verified on both a Fedora 27 image and a Ubuntu 16.04 LTS
> > image.
> > 
> > http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/#dpdk-in-the-guest
> > Signed-off-by: Tiago Lam <tiago....@intel.com>
> > ---
> > CC'ed Stephen,
> > I took the liberty of removing your TODO from here, as I read it to be
> > related to the (now removed) SELinux instruction below. If you think it
> > should still be there let me know and I'll gladly send a v2.
> I think it should remain until the selinux issues have been addressed.
> Is there a list somewhere of the AVC denials? Maybe it makes sense to
> allow them.
If I'm reading this correctly, Tiago is saying these exceptions only
happen because we're sharing an arbitrary directory with the guest to
avoid downloading the DPDK sources twice. Given that there's a valid
workaround (just fetching sources twice), simply removing that section
of the XML removes the need to disable SELinux. If so, dropping the
warning does make sense in my mind.
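An added check, written for this reply and not part of the patch or the OVS documentation: it scans a libvirt domain XML for the `<disk type='dir'>` element discussed in the thread and reports each host-directory share, since that is the element whose presence forces an SELinux or AppArmor policy change on the QEMU process. The sample domain below is constructed around the fragment quoted in the commit message.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the disk fragment from the patch, wrapped in a minimal
# <domain> next to an ordinary qcow2 root disk so it parses stand-alone.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>dpdk-guest</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/dpdk-guest.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='dir' device='disk'>
      <driver name='qemu' type='fat'/>
      <source dir='/usr/src/dpdk-stable-17.11.1'/>
      <target dev='vdb' bus='virtio'/>
      <readonly/>
    </disk>
  </devices>
</domain>"""


def find_dir_shares(domain_xml):
    """Return (target_dev, host_dir, readonly) for every <disk type='dir'>.

    A dir-type disk exposes a host directory to QEMU as a FAT image, so the
    QEMU process (svirt_t under SELinux, or the libvirt/qemu AppArmor
    profile) needs access to that path. Without that, starting the guest
    yields AVC denials or AppArmor DENIED entries instead of a working disk.
    """
    root = ET.fromstring(domain_xml)
    findings = []
    for disk in root.iterfind("./devices/disk[@type='dir']"):
        source = disk.find("source")
        target = disk.find("target")
        findings.append((
            target.get("dev") if target is not None else None,
            source.get("dir") if source is not None else None,
            disk.find("readonly") is not None,
        ))
    return findings


def report(domain_xml):
    """One human-readable line per host-directory share found."""
    lines = []
    for dev, host_dir, readonly in find_dir_shares(domain_xml):
        mode = "read-only" if readonly else "read-write"
        lines.append(f"{dev}: host directory {host_dir!r} shared {mode}; "
                     "QEMU needs SELinux/AppArmor permission on this path")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DOMAIN_XML)) or "no host-directory disks")
```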