On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@xxxxxxxxxxxx> wrote:
> From: Daniel Jurgens <danielj@xxxxxxxxxxxx>
>
> For controlling IPoIB VLANs
>
> Reported-by: Honggang LI <honli@xxxxxxxxxx>
> Signed-off-by: Daniel Jurgens <danielj@xxxxxxxxxxxx>
> Tested-by: Honggang LI <honli@xxxxxxxxxx>
> ---
> networkmanager.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)

We obviously need something like this now so we don't break IPoIB, but I wonder if we should make the IB access controls dynamic like the per-packet network access controls. We could key off the presence of the IB pkey and endport definitions: if there are any objects defined in the loaded policy we enable the controls, otherwise we disable them.

> diff --git a/networkmanager.te b/networkmanager.te
> index 76d0106..5e881f4 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
> userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
> userdom_dontaudit_use_user_ttys(NetworkManager_t)
>
> +corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
> +
> optional_policy(`
> avahi_domtrans(NetworkManager_t)
> avahi_kill(NetworkManager_t)
> --
> 1.7.1

--
paul moore
www.paul-moore.com
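Review bot: The commit message does not say which denial this fixes or why the unlabeled-pkey grant is the right scope; "For controlling IPoIB VLANs" should be expanded with the AVC that NetworkManager_t hits when it brings up an IPoIB child interface, and with a note that, as its name says, `corenet_ib_access_unlabeled_pkeys()` covers every pkey the loaded policy has not given its own label, so a site that labels its pkeys will still need a rule naming those types. A style point on the hunk itself: refpolicy keeps a domain's interface calls grouped by module, so the new `corenet_ib_access_unlabeled_pkeys(NetworkManager_t)` line reads better alongside the file's other `corenet_*` calls than inserted between the `userdom_*` block and the `optional_policy(\`` block at line 184.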