On 11/27/2017 10:19 AM, Paul Moore wrote:
> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@xxxxxxxxxxxx> wrote:
>> From: Daniel Jurgens <danielj@xxxxxxxxxxxx>
>>
>> For controlling IPoIB VLANs
>>
>> Reported-by: Honggang LI <honli@xxxxxxxxxx>
>> Signed-off-by: Daniel Jurgens <danielj@xxxxxxxxxxxx>
>> Tested-by: Honggang LI <honli@xxxxxxxxxx>
>> ---
>> networkmanager.te | 2 ++
>> 1 files changed, 2 insertions(+), 0 deletions(-)
> [NOTE: resending due to a typo in the refpol mailing list address]
>
> We obviously need something like this now so we don't break IPoIB, but
> I wonder if we should make the IB access controls dynamic like the
> per-packet network access controls. We could key off the presence of
> the IB pkey and endport definitions: if there are any objects defined
> in the loaded policy we enable the controls, otherwise we disable
> them.

I think I understand what you're saying, Paul, but I'm not clear on the mechanism. Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.

>
>> diff --git a/networkmanager.te b/networkmanager.te
>> index 76d0106..5e881f4 100644
>> --- a/networkmanager.te
>> +++ b/networkmanager.te
>> @@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
>> userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
>> userdom_dontaudit_use_user_ttys(NetworkManager_t)
>>
>> +corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
>> +
>> optional_policy(`
>> avahi_domtrans(NetworkManager_t)
>> avahi_kill(NetworkManager_t)
>> --
>> 1.7.1
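Review bot: The commit message ("For controlling IPoIB VLANs") does not record which access NetworkManager_t is denied without the new `corenet_ib_access_unlabeled_pkeys(NetworkManager_t)` line; a sentence naming the denied operation (or the AVC denial Honggang LI reported) would let a later reader judge whether this rule is still needed. As its name states, the interface covers only pkeys that carry no label in the loaded policy, so a deployment that does label its pkeys would still need a labeled-pkey rule for NetworkManager_t; noting that scope in the message would also make the relationship to Paul's proposal above (enabling the IB controls only when pkey or endport objects are defined) explicit.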