Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys

On Mon, Nov 27, 2017 at 3:04 PM, Daniel Jurgens <danielj@xxxxxxxxxxxx> wrote:
> On 11/27/2017 10:19 AM, Paul Moore wrote:
>> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@xxxxxxxxxxxx> wrote:
>>> From: Daniel Jurgens <danielj@xxxxxxxxxxxx>
>>>
>>> For controlling IPoIB VLANs
>>>
>>> Reported-by: Honggang LI <honli@xxxxxxxxxx>
>>> Signed-off-by: Daniel Jurgens <danielj@xxxxxxxxxxxx>
>>> Tested-by: Honggang LI <honli@xxxxxxxxxx>
>>> ---
>>>  networkmanager.te |    2 ++
>>>  1 files changed, 2 insertions(+), 0 deletions(-)
>> [NOTE: resending due to a typo in the refpol mailing list address]
>>
>> We obviously need something like this now so we don't break IPoIB, but
>> I wonder if we should make the IB access controls dynamic like the
>> per-packet network access controls.  We could key off the presence of
>> the IB pkey and endport definitions: if there are any objects defined
>> in the loaded policy we enable the controls, otherwise we disable
>> them.
>
> I think I understand what you're saying, Paul, but I'm not clear on the mechanism.  Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.

Basically, yes.  We could add a new variable/function that gates the
access control checks in selinux_ib_pkey_access() and
selinux_ib_endport_manage_subnet(); the checks would be enabled when
there was Infiniband configuration loaded with the policy.  Without
the IB config loaded, all the checks would end up being just a domain
check against unlabeled_t, which isn't very interesting, so we would
just drop the checks.

-- 
paul moore
www.paul-moore.com
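The gating Paul describes, as an added user-space model that is not code from the thread or from the SELinux kernel tree: the SIDs, the pkey table, the allow rules and the (subnet prefix, pkey) lookup are constructed stand-ins, and `ib_controls_enabled()` plays the role of the proposed variable/function that would gate `selinux_ib_pkey_access()` on whether the loaded policy defines any pkey or endport objects.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-in SIDs, not real SELinux values. */
enum { SID_UNLABELED = 1, SID_NETMGR = 2, SID_MGMT_PKEY = 3 };
/* One pkey label from the loaded policy: (subnet prefix, pkey) -> SID. */
struct ib_pkey_rule { uint64_t subnet_prefix; uint16_t pkey; uint32_t sid; };
/* Allow rule (subject domain SID -> target pkey SID), constructed. */
struct allow_rule { uint32_t ssid; uint32_t tsid; };
/* Model of the Infiniband part of a loaded policy; endports are only counted. */
struct ib_policy {
    const struct ib_pkey_rule *pkeys; size_t n_pkeys; size_t n_endports;
    const struct allow_rule *av; size_t n_av;
};

/* The gate Paul suggests: on only when the policy defines any pkey or endport. */
static bool ib_controls_enabled(const struct ib_policy *p)
{
    return p->n_pkeys > 0 || p->n_endports > 0;
}

/* Label lookup: an unlisted pkey resolves to unlabeled, which is what every
   pkey resolves to when no IB configuration is loaded. */
static uint32_t ib_pkey_sid(const struct ib_policy *p, uint64_t prefix, uint16_t pkey)
{
    for (size_t i = 0; i < p->n_pkeys; i++)
        if (p->pkeys[i].subnet_prefix == prefix && p->pkeys[i].pkey == pkey)
            return p->pkeys[i].sid;
    return SID_UNLABELED;
}

/* Model of the pkey access decision; true means allowed. */
static bool ib_pkey_access(const struct ib_policy *p, uint32_t ssid,
                           uint64_t prefix, uint16_t pkey)
{
    if (!ib_controls_enabled(p))
        return true;                  /* no IB config loaded: check dropped */
    uint32_t tsid = ib_pkey_sid(p, prefix, pkey);
    for (size_t i = 0; i < p->n_av; i++)
        if (p->av[i].ssid == ssid && p->av[i].tsid == tsid)
            return true;
    return false;
}

/* Constructed scenario: pkey 0x7fff is labeled and only that label is allowed
   to the networkmanager domain, so with IB config loaded an unlabeled pkey is
   denied; with the gate off the same request needs no allow rule at all. */
static bool netmgr_may_use_pkey(bool ib_config_loaded, uint16_t pkey)
{
    static const struct ib_pkey_rule rules[] = { { 0xfe80ULL << 48, 0x7fff, SID_MGMT_PKEY } };
    static const struct allow_rule av[] = { { SID_NETMGR, SID_MGMT_PKEY } };
    size_t n = ib_config_loaded ? 1 : 0;
    struct ib_policy p = { rules, n, n, av, 1 };
    return ib_pkey_access(&p, SID_NETMGR, 0xfe80ULL << 48, pkey);
}
```

With the gate in place, the unlabeled-pkey allow rule the patch adds is only needed once a policy actually ships IB labels; without IB configuration the check never reaches the unlabeled_t comparison.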