2016-06-23 19:47:47

by Daniel Jurgens

Subject: [refpolicy] [PATCH 0/1] flask: Add classes and SIDs for Infiniband

From: Daniel Jurgens <[email protected]>

In order for SELinux to enforce security for Infiniband, new security
classes and SIDs are required. Stub policy is provided to not break
the refpolicy build. Useful policy will be submitted once language
extensions for labeling Infiniband objects are available. Linux kernel
patches have been submitted to the linux-security-module, selinux, and
linux-rdma mailing lists with the subject "[PATCH NN/MM] SELinux
support for Infiniband RDMA on 23 Jun 2016".

Daniel Jurgens (1):
flask: Add classes and SIDs for InfiniBand support

policy/flask/access_vectors | 10 ++++++++++
policy/flask/initial_sids | 3 ++-
policy/flask/security_classes | 4 ++++
policy/modules/kernel/infiniband.fc | 1 +
policy/modules/kernel/infiniband.if | 7 +++++++
policy/modules/kernel/infiniband.te | 10 ++++++++++
7 files changed, 35 insertions(+), 2 deletions(-)
create mode 100644 policy/modules/kernel/infiniband.fc
create mode 100644 policy/modules/kernel/infiniband.if
create mode 100644 policy/modules/kernel/infiniband.te

--
1.8.3.1


2016-06-23 19:47:48

by Daniel Jurgens

Subject: [refpolicy] [PATCH 1/1] flask: Add classes and SIDs for InfiniBand support

From: Daniel Jurgens <[email protected]>

Add new classes, access vectors, and SIDs required for SELinux to provide
access control for InfiniBand. Add stub policy so refpolicy still
compiles. Useful policy will be added after the SELinux kernel and
userspace changes are in place.

Signed-off-by: Daniel Jurgens <[email protected]>
---
policy/flask/access_vectors | 10 ++++++++++
policy/flask/initial_sids | 3 ++-
policy/flask/security_classes | 4 ++++
policy/modules/kernel/infiniband.fc | 1 +
policy/modules/kernel/infiniband.if | 7 +++++++
policy/modules/kernel/infiniband.te | 10 ++++++++++
7 files changed, 35 insertions(+), 2 deletions(-)
create mode 100644 policy/modules/kernel/infiniband.fc
create mode 100644 policy/modules/kernel/infiniband.if
create mode 100644 policy/modules/kernel/infiniband.te

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 1d045b4..8a08b7d 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -925,6 +925,16 @@ inherits database
set_value
}

+class infiniband_pkey
+{
+ access
+}
+
+class infiniband_end_port
+{
+ smp
+}
+
class db_language
inherits database
{
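Review bot: the two new classes are inserted in the middle of the database block of access_vectors (between the class that ends with set_value and db_language, which inherits database), whereas in security_classes the same two classes are placed before the "# More Database stuff" group; putting them at the same relative position in both files, or at the end of access_vectors, keeps the two files easy to cross-check. The permissions also carry no comment: nothing in the patch says what `access` on infiniband_pkey or `smp` on infiniband_end_port gates, and a one-line comment per class would help policy writers reviewing these vectors.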
diff --git a/policy/flask/initial_sids b/policy/flask/initial_sids
index 95894eb..cc62dc6 100644
--- a/policy/flask/initial_sids
+++ b/policy/flask/initial_sids
@@ -31,5 +31,6 @@ sid kmod
sid policy
sid scmp_packet
sid devnull
-
+sid pkey
+sid ib_end_port
# FLASK
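Review bot: the initial SID names do not follow the class names: the classes are infiniband_pkey and infiniband_end_port, but the SIDs are `pkey` and `ib_end_port`, mixing no prefix, an ib_ prefix and an infiniband_ prefix for the same objects. Settling on one convention before merge matters here, since, as the maintainer's reply in this thread points out, initial SIDs are not something to change afterwards. The hunk also deletes the blank line before `# FLASK`, an unrelated whitespace change that should be dropped from the patch.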
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 16768c2..5f71cc9 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -139,6 +139,10 @@ class netlink_crypto_socket
class x_pointer # userspace
class x_keyboard # userspace

+# Infiniband
+class infiniband_pkey
+class infiniband_end_port
+
# More Database stuff
class db_schema # userspace
class db_view # userspace
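Review bot: the new kernel-enforced classes are inserted between two groups that this file marks `# userspace` (x_pointer/x_keyboard above, db_schema/db_view below); since that comment is how security_classes distinguishes kernel classes from userspace object-manager classes, placing infiniband_pkey and infiniband_end_port next to the other kernel classes (the hunk header shows netlink_crypto_socket just above this region) avoids the impression that they are userspace classes. The comment spelling should also match the subject line, i.e. `# InfiniBand`.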
diff --git a/policy/modules/kernel/infiniband.fc b/policy/modules/kernel/infiniband.fc
new file mode 100644
index 0000000..7be4ddf
--- /dev/null
+++ b/policy/modules/kernel/infiniband.fc
@@ -0,0 +1 @@
+# This module currently does not have any file contexts.
diff --git a/policy/modules/kernel/infiniband.if b/policy/modules/kernel/infiniband.if
new file mode 100644
index 0000000..e644895
--- /dev/null
+++ b/policy/modules/kernel/infiniband.if
@@ -0,0 +1,7 @@
+## <summary>Policy controlling access to infiniband objects</summary>
+## <required val="true">
+## Contains the initial SIDs for infiniband objects.
+## </required>
+#
+
+# This module currently does not have any interfaces
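Review bot: marking the module `<required val="true">` because it holds initial SIDs is consistent with the .te in this patch, but infiniband.te also declares the attributes ib_end_port_type and pkey_type, and no other module can add types to those attributes until this .if grows interfaces for them; a TODO comment naming the interfaces still to come would state the stub's intent better than "does not have any interfaces". Spelling of "infiniband" in the summary should match "InfiniBand" in the subject.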
diff --git a/policy/modules/kernel/infiniband.te b/policy/modules/kernel/infiniband.te
new file mode 100644
index 0000000..f3a8bbe
--- /dev/null
+++ b/policy/modules/kernel/infiniband.te
@@ -0,0 +1,10 @@
+policy_module(infiniband 1.0.0)
+
+attribute ib_end_port_type;
+attribute pkey_type;
+
+type pkey_t, pkey_type;
+type ib_end_port_t, ib_end_port_type;
+
+sid pkey gen_context(system_u:object_r:pkey_t,s0)
+sid ib_end_port gen_context(system_u:object_r:ib_end_port_t,s0)
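Review bot: pkey_t and ib_end_port_t are declared without any comment on what objects they label (the initial contexts for a partition key and an end port, going by the class names), and the module mixes three naming schemes for the same objects (pkey_, ib_end_port_ and the infiniband_ classes); a short comment per type and a single prefix would help. Since the maintainer's reply questions whether a separate infiniband module makes sense at all versus corenetwork, keeping these declarations this minimal, with no rules attached, at least makes such a move cheap.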
--
1.8.3.1

2016-06-25 17:02:59

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/1] flask: Add classes and SIDs for InfiniBand support

On 06/23/16 15:47, Dan Jurgens wrote:
> From: Daniel Jurgens <[email protected]>
>
> Add new classes, access vectors, SIDs required for SELinux to provide
> access control for InfiniBand. Add stub policy so refpolicy still
> compiles. Useful policy will be added after the SELinux kernel and
> userspace changes are in place.

This will have to wait until the corresponding code changes start making
their way upstream. I don't want to merge any new classes, and even
more so, initial SIDs, until I'm confident it won't be changing.


> Signed-off-by: Daniel Jurgens <[email protected]>
> ---
> policy/flask/access_vectors | 10 ++++++++++
> policy/flask/initial_sids | 3 ++-
> policy/flask/security_classes | 4 ++++
> policy/modules/kernel/infiniband.fc | 1 +
> policy/modules/kernel/infiniband.if | 7 +++++++
> policy/modules/kernel/infiniband.te | 10 ++++++++++

I'm not sure that a new infiniband module makes sense. I could see it
going in corenetwork.

> 7 files changed, 35 insertions(+), 2 deletions(-)
> create mode 100644 policy/modules/kernel/infiniband.fc
> create mode 100644 policy/modules/kernel/infiniband.if
> create mode 100644 policy/modules/kernel/infiniband.te
>
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index 1d045b4..8a08b7d 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -925,6 +925,16 @@ inherits database
> set_value
> }
>
> +class infiniband_pkey
> +{
> + access
> +}
> +
> +class infiniband_end_port
> +{
> + smp
> +}
> +
> class db_language
> inherits database
> {
> diff --git a/policy/flask/initial_sids b/policy/flask/initial_sids
> index 95894eb..cc62dc6 100644
> --- a/policy/flask/initial_sids
> +++ b/policy/flask/initial_sids
> @@ -31,5 +31,6 @@ sid kmod
> sid policy
> sid scmp_packet
> sid devnull
> -
> +sid pkey
> +sid ib_end_port
> # FLASK
> diff --git a/policy/flask/security_classes b/policy/flask/security_classes
> index 16768c2..5f71cc9 100644
> --- a/policy/flask/security_classes
> +++ b/policy/flask/security_classes
> @@ -139,6 +139,10 @@ class netlink_crypto_socket
> class x_pointer # userspace
> class x_keyboard # userspace
>
> +# Infiniband
> +class infiniband_pkey
> +class infiniband_end_port
> +
> # More Database stuff
> class db_schema # userspace
> class db_view # userspace
> diff --git a/policy/modules/kernel/infiniband.fc b/policy/modules/kernel/infiniband.fc
> new file mode 100644
> index 0000000..7be4ddf
> --- /dev/null
> +++ b/policy/modules/kernel/infiniband.fc
> @@ -0,0 +1 @@
> +# This module currently does not have any file contexts.
> diff --git a/policy/modules/kernel/infiniband.if b/policy/modules/kernel/infiniband.if
> new file mode 100644
> index 0000000..e644895
> --- /dev/null
> +++ b/policy/modules/kernel/infiniband.if
> @@ -0,0 +1,7 @@
> +## <summary>Policy controlling access to infiniband objects</summary>
> +## <required val="true">
> +## Contains the initial SIDs for infiniband objects.
> +## </required>
> +#
> +
> +# This module currently does not have any interfaces
> diff --git a/policy/modules/kernel/infiniband.te b/policy/modules/kernel/infiniband.te
> new file mode 100644
> index 0000000..f3a8bbe
> --- /dev/null
> +++ b/policy/modules/kernel/infiniband.te
> @@ -0,0 +1,10 @@
> +policy_module(infiniband 1.0.0)
> +
> +attribute ib_end_port_type;
> +attribute pkey_type;
> +
> +type pkey_t, pkey_type;
> +type ib_end_port_t, ib_end_port_type;
> +
> +sid pkey gen_context(system_u:object_r:pkey_t,s0)
> +sid ib_end_port gen_context(system_u:object_r:ib_end_port_t,s0)
>


--
Chris PeBenito