On 11/27/2017 05:50 PM, Paul Moore wrote:
> On Mon, Nov 27, 2017 at 3:04 PM, Daniel Jurgens <danielj@xxxxxxxxxxxx> wrote:
> > On 11/27/2017 10:19 AM, Paul Moore wrote:
> > > On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@xxxxxxxxxxxx> wrote:
> > > > From: Daniel Jurgens <danielj@xxxxxxxxxxxx>
> > > >
> > > > For controlling IPoIB VLANs
> > > >
> > > > Reported-by: Honggang LI <honli@xxxxxxxxxx>
> > > > Signed-off-by: Daniel Jurgens <danielj@xxxxxxxxxxxx>
> > > > Tested-by: Honggang LI <honli@xxxxxxxxxx>
> > > > ---
> > > > networkmanager.te | 2 ++
> > > > 1 files changed, 2 insertions(+), 0 deletions(-)
> > > >
> > > > [NOTE: resending due to a typo in the refpol mailing list address]
> > >
> > > We obviously need something like this now so we don't break IPoIB, but
> > > I wonder if we should make the IB access controls dynamic like the
> > > per-packet network access controls. We could key off the presence of
> > > the IB pkey and endport definitions: if there are any objects defined
> > > in the loaded policy we enable the controls, otherwise we disable
> > > them.
> >
> > I think I understand what you're saying, Paul, but I'm not clear on the mechanism. Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.
>
> Basically, yes. We could add a new variable/function that gates the
> access control checks in selinux_ib_pkey_access() and
> selinux_ib_endport_manage_subnet(); the checks would be enabled when
> there was Infiniband configuration loaded with the policy. Without
> the IB config loaded, all the checks would end up being just a domain
> check against unlabeled_t, which isn't very interesting, so we would
> just drop the checks.

As long as it also respects policycap always_check_network, it works for me.
--
Chris PeBenito
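The gating scheme Paul sketches above, combined with Chris's always_check_network condition, written out as an added stand-alone C model; this is not kernel code and not from anyone in the thread, and every struct, function name, sample policy and the policycap bit value are assumptions chosen for illustration:

```c
/* Model (not kernel code) of a predicate that gates the SELinux
 * InfiniBand hooks: checks run only when the loaded policy defines
 * ibpkey/ibendport objects, or the always_check_network policy
 * capability is set. All names and values below are assumptions. */
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for the policy capability bitmask. */
#define POLICYCAP_ALWAYS_CHECK_NETWORK (1u << 0)

/* Constructed summary of what the loaded policy defines. */
struct loaded_policy {
    unsigned int policycaps;   /* enabled policy capabilities */
    size_t num_ibpkeys;        /* ibpkeycon definitions loaded */
    size_t num_ibendports;     /* ibendportcon definitions loaded */
};

/* Constructed sample policies covering the three interesting cases. */
const struct loaded_policy sample_no_ib   = { 0, 0, 0 };
const struct loaded_policy sample_with_ib = { 0, 2, 1 };
const struct loaded_policy sample_cap_only =
    { POLICYCAP_ALWAYS_CHECK_NETWORK, 0, 0 };

/* Same pattern as selinux_peerlbl_enabled(): one predicate consulted
 * by every IB hook. always_check_network overrides the object count. */
bool ib_controls_enabled(const struct loaded_policy *p)
{
    if (p->policycaps & POLICYCAP_ALWAYS_CHECK_NETWORK)
        return true;
    return p->num_ibpkeys > 0 || p->num_ibendports > 0;
}

/* Hook result: 0 allowed, -13 (EACCES-like) denied. */
enum { IB_ALLOW = 0, IB_DENY = -13 };

/* Constructed stand-in for the AVC decision; the real hook would
 * compute a context for the pkey/endport and call the AVC. */
static int avc_decision(bool allowed_by_policy)
{
    return allowed_by_policy ? IB_ALLOW : IB_DENY;
}

/* Modelled selinux_ib_pkey_access(): with no IB config loaded the
 * check is dropped instead of degrading to an unlabeled_t check. */
int ib_pkey_access(const struct loaded_policy *p, bool allowed_by_policy)
{
    if (!ib_controls_enabled(p))
        return IB_ALLOW;
    return avc_decision(allowed_by_policy);
}

/* Modelled selinux_ib_endport_manage_subnet(): same gate. */
int ib_endport_manage_subnet(const struct loaded_policy *p, bool allowed)
{
    return ib_controls_enabled(p) ? avc_decision(allowed) : IB_ALLOW;
}
```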