VPP-1197: SELinux: 'create tap' (vhost-net backend TAP) fails when SELinux is enabled


    • Type: Bug
    • Resolution: Done
    • Priority: Medium
    • Affects Version/s: 18.04
    • Fix Version/s: 18.04

      With SELinux disabled or in permissive mode, the following command succeeds. With SELinux in enforcing mode, the command fails:

       $ vppctl create tap id 1
       create tap: open '/dev/vhost-net': Permission denied
      

      With setroubleshoot installed and SELinux in permissive mode, the following logs are output:

      Mar 12 16:19:53 wdm-vpp1-centos-7-4 setroubleshoot: SELinux is preventing /usr/bin/vpp from 'read, write' accesses on the chr_file vhost-net. For complete SELinux messages run: sealert -l 514103d8-17ea-4eb9-aa6f-046cf4bd1b5b
      Mar 12 16:19:53 wdm-vpp1-centos-7-4 python: SELinux is preventing /usr/bin/vpp from 'read, write' accesses on the chr_file vhost-net.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp should be allowed read write access on the vhost-net chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp_main' --raw | audit2allow -M my-vppmain#012# semodule -i my-vppmain.pp#012
      Mar 12 16:19:53 wdm-vpp1-centos-7-4 setroubleshoot: SELinux is preventing /usr/bin/vpp from 'read, write' accesses on the chr_file vhost-net. For complete SELinux messages run: sealert -l 514103d8-17ea-4eb9-aa6f-046cf4bd1b5b
      Mar 12 16:19:53 wdm-vpp1-centos-7-4 python: SELinux is preventing /usr/bin/vpp from 'read, write' accesses on the chr_file vhost-net.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp should be allowed read write access on the vhost-net chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp_main' --raw | audit2allow -M my-vppmain#012# semodule -i my-vppmain.pp#012
      Mar 12 16:19:53 wdm-vpp1-centos-7-4 setroubleshoot: failed to retrieve rpm info for /dev/vhost-net
      Mar 12 16:19:53 wdm-vpp1-centos-7-4 setroubleshoot: SELinux is preventing /usr/bin/vpp from ioctl access on the chr_file /dev/vhost-net. For complete SELinux messages run: sealert -l 8bfe2306-a53d-4a4c-9c92-ae8dd99928aa
      Mar 12 16:19:53 wdm-vpp1-centos-7-4 python: SELinux is preventing /usr/bin/vpp from ioctl access on the chr_file /dev/vhost-net.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp should be allowed ioctl access on the vhost-net chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp_main' --raw | audit2allow -M my-vppmain#012# semodule -i my-vppmain.pp#012
      Mar 12 16:19:56 wdm-vpp1-centos-7-4 setroubleshoot: SELinux is preventing vpp_main from create access on the netlink_route_socket Unknown. For complete SELinux messages run: sealert -l 5d841112-9e10-4ee3-a6a1-729eaeae2292
      Mar 12 16:19:56 wdm-vpp1-centos-7-4 python: SELinux is preventing vpp_main from create access on the netlink_route_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp_main should be allowed create access on the Unknown netlink_route_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp_main' --raw | audit2allow -M my-vppmain#012# semodule -i my-vppmain.pp#012
      

      Following the setroubleshoot suggestion, audit2allow generates this policy module:

      $ sudo ausearch -c 'vpp_main' --raw | audit2allow -M my-vppmain
      $ cat my-vppmain.te
      
      module my-vppmain 1.0;
      
      require {
              type vhost_device_t;
              type vpp_t;
              class netlink_route_socket { bind create nlmsg_write };
              class chr_file { ioctl open read write };
      }
      
      #============= vpp_t ==============
      allow vpp_t self:netlink_route_socket { bind create nlmsg_write };
      allow vpp_t vhost_device_t:chr_file { ioctl open read write };
      
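      Before installing audit2allow output with semodule -i, it is worth checking that the generated module grants only the accesses this bug actually needs. The script below is an added example, not part of the issue or the VPP project: it parses the .te quoted above and flags broad targets or permissions beyond what the denials call for; the EXPECTED and BROAD_TARGETS sets are assumptions chosen for this review.

```python
import re

# The audit2allow output quoted in VPP-1197, copied inline so the script runs offline.
TE_MODULE = """
module my-vppmain 1.0;

require {
        type vhost_device_t;
        type vpp_t;
        class netlink_route_socket { bind create nlmsg_write };
        class chr_file { ioctl open read write };
}

#============= vpp_t ==============
allow vpp_t self:netlink_route_socket { bind create nlmsg_write };
allow vpp_t vhost_device_t:chr_file { ioctl open read write };
"""

# Matches: allow <source> <target>:<class> { perm ... };  or a single bare perm.
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)

def parse_allow_rules(te_text):
    """Return [(source, target, class, frozenset(perms))] for every allow rule."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        rules.append((src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules

# What a reviewer would accept for this bug (assumed): vpp_t may use the
# vhost-net character device and netlink route sockets, and nothing broader.
EXPECTED = {
    ("vpp_t", "vhost_device_t", "chr_file"): {"ioctl", "open", "read", "write"},
    ("vpp_t", "self", "netlink_route_socket"): {"bind", "create", "nlmsg_write"},
}
# Catch-all types that would be far too broad for a device-access fix (assumed list).
BROAD_TARGETS = {"device_t", "unlabeled_t", "file_t", "unconfined_t"}

def review_module(te_text):
    """Return a list of findings; an empty list means the module is as expected."""
    findings, seen = [], set()
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        key = (src, tgt, cls)
        seen.add(key)
        if tgt in BROAD_TARGETS:
            findings.append(f"overly broad target in: allow {src} {tgt}:{cls}")
        elif key not in EXPECTED:
            findings.append(f"unexpected rule: allow {src} {tgt}:{cls} {sorted(perms)}")
        elif perms - EXPECTED[key]:
            findings.append(f"extra permissions on {tgt}:{cls}: {sorted(perms - EXPECTED[key])}")
    for key in EXPECTED.keys() - seen:
        findings.append(f"missing expected rule for {key}")
    return findings
```

Run review_module(TE_MODULE) before semodule -i; a non-empty list means the module should be trimmed by hand rather than installed as generated.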

            Assignee: Billy McFall
            Reporter: Billy McFall