2017-05-23 14:44:21

by Daniel Jurgens

Subject: [refpolicy] [PATCH v1 1/1] refpolicy: Infiniband pkeys and endports

From: Daniel Jurgens <[email protected]>

Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <[email protected]>

---

v1:
Myself:
- Changed default PKey label from s1 to s0.

Chris PeBenito:
- Shortened interface names to corenet_ib_*
- Removed the direct reference to unlabeled_t in the corenet interface file;
it now calls the new kernel_ib interfaces.
- Changed the corenet_ib_*all* interfaces to allow the typeattribute only,
not unlabeled as well.
- Eliminated unnecessary braces on single access vectors.

---
Makefile | 4 +-
Rules.modular | 2 +
Rules.monolithic | 2 +
policy/flask/access_vectors | 10 +++
policy/flask/security_classes | 4 ++
policy/modules/kernel/corenetwork.if.in | 118 ++++++++++++++++++++++++++++++++
policy/modules/kernel/corenetwork.if.m4 | 64 +++++++++++++++++
policy/modules/kernel/corenetwork.te.in | 19 +++++
policy/modules/kernel/corenetwork.te.m4 | 26 +++++++
policy/modules/kernel/kernel.if | 37 ++++++++++
policy/modules/kernel/kernel.te | 7 ++
policy/modules/roles/staff.te | 4 ++
policy/modules/roles/sysadm.te | 5 ++
support/comment_move_decl.sed | 2 +-
14 files changed, 301 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index d19985eb..1804108e 100644
--- a/Makefile
+++ b/Makefile
@@ -76,7 +76,7 @@ SED ?= sed
SORT ?= LC_ALL=C sort
UMASK ?= umask

-CFLAGS += -Wall -Wextra -Werror -O2
+CFLAGS += -Wno-implicit-fallthrough -Wall -Wextra -Werror -O2

# policy source layout
poldir := policy
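Review bot: `-Wno-implicit-fallthrough` is a blanket suppression of a warning class that has nothing to do with the Infiniband change and that routinely flags real bugs, and combined with `-Werror` it silences them for every C file this Makefile builds. If a specific switch in a support tool trips the warning, annotate that one fallthrough (`/* fallthrough */` or `__attribute__((fallthrough))`) instead of disabling the diagnostic globally, or at least say in the commit message why the flag is needed. Splitting it into its own commit would also keep the policy change reviewable on its own.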
@@ -370,7 +370,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
@echo "#" >> $@
$(verbose) cat [email protected] >> $@
- $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
+ $(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)|ib_(pkey|endport)\(.*\)" $< \
| $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) [email protected] $(m4undivert) - \
| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@

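Review bot: The new grep pattern changes its own meaning through operator precedence: the top-level `|` splits it into `^[[:blank:]]*(network_...(_controlled)?)` and `ib_(pkey|endport)\(.*\)`, so the network_* alternative no longer requires the `\(.*\)` call suffix and the ib_* alternative is no longer anchored to the start of a line (an `ib_pkey(` inside a comment would be extracted and fed to m4). Group the alternation inside the anchor and share the call suffix: `"^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?|ib_(pkey|endport))\(.*\)"`.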
diff --git a/Rules.modular b/Rules.modular
index 49d3cca9..331a979d 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -170,6 +170,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con
$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true

$(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
$(verbose) $(comment_move_decl) $^ > $@
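Review bot: The ibpkeycon/ibendportcon lines are appended after nodecon, and the policy language is order-sensitive for these object-context sections; I believe checkpolicy/checkmodule expect the ibpkey and ibendport contexts between genfscon and portcon, in which case this placement fails to parse as soon as a labeled pkey exists, so please confirm against the policy_parse.y grammar of the userspace series this depends on and move the two greps if so. Whatever the answer, Rules.monolithic carries the identical two lines and must stay in lockstep.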
diff --git a/Rules.monolithic b/Rules.monolithic
index ce112d78..80e00821 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -150,6 +150,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con
$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true

$(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
$(verbose) $(comment_move_decl) $^ > $@
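Review bot: Same ordering question as for the identical lines in Rules.modular: if the policy grammar places ibpkeycon/ibendportcon before portcon rather than after nodecon, these two greps need to move up to sit right after the genfscon grep. Please verify once against the grammar and apply the same placement in both files.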
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 69f69af8..520a3c28 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -926,6 +926,16 @@ inherits database
set_value
}

+class infiniband_pkey
+{
+ access
+}
+
+class infiniband_endport
+{
+ manage_subnet
+}
+
class db_language
inherits database
{
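Review bot: Two new kernel object classes are introduced without any MLS/MCS constraints, even though the labeling macros carry a sensitivity (`ib_pkey(default, fe80::,0xFFFF,s0)` and the `$4` passed to gen_context in corenetwork.te.m4) and the diffstat shows no policy/mls or policy/mcs change. Without an `mlsconstrain infiniband_pkey access` (and the matching one for `infiniband_endport manage_subnet`) the sensitivity on an ibpkeycon label is never evaluated, so a pkey labeled at a higher level is reachable by any lower-level domain that holds the TE rule. Either add the constraints in this series or state in the commit message that MLS enforcement for these classes is deferred.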
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 18f18fd8..393621bf 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -139,6 +139,10 @@ class netlink_crypto_socket
class x_pointer # userspace
class x_keyboard # userspace

+# Infiniband
+class infiniband_pkey
+class infiniband_endport
+
# More Database stuff
class db_schema # userspace
class db_view # userspace
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 2101ea1b..ff3048de 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -3134,3 +3134,121 @@ interface(`corenet_unconfined',`

typeattribute $1 corenet_unconfined_type;
')
+
+########################################
+## <summary>
+## Define type to be an infiniband pkey type
+## </summary>
+## <desc>
+## <p>
+## Define type to be an infiniband pkey type
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for infiniband pkeys.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_pkey',`
+ gen_require(`
+ attribute ibpkey_type;
+ ')
+
+ typeattribute $1 ibpkey_type;
+')
+
+########################################
+## <summary>
+## Access unlabeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_access_unlabeled_pkeys',`
+ kernel_ib_access_unlabeled_pkeys($1)
+')
+
+########################################
+## <summary>
+## Access all labeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_access_all_pkeys',`
+ gen_require(`
+ attribute ibpkey_type;
+ ')
+
+ allow $1 ibpkey_type:infiniband_pkey access;
+')
+
+########################################
+## <summary>
+## Define type to be an infiniband endport
+## </summary>
+## <desc>
+## <p>
+## Define type to be an infiniband endport
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for infiniband endports.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_endport',`
+ gen_require(`
+ attribute ibendport_type;
+ ')
+
+ typeattribute $1 ibendport_type;
+')
+
+########################################
+## <summary>
+## Manage subnets on all labeled Infiniband endports
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_manage_subnet_all_endports',`
+ gen_require(`
+ attribute ibendport_type;
+ ')
+
+ allow $1 ibendport_type:infiniband_endport manage_subnet;
+')
+
+########################################
+## <summary>
+## Manage subnet on all unlabeled Infiniband endports
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_manage_subnet_unlabeled_endports',`
+ kernel_ib_manage_subnet_unlabeled_endports($1)
+')
diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
index 468fb344..fad84ca9 100644
--- a/policy/modules/kernel/corenetwork.if.m4
+++ b/policy/modules/kernel/corenetwork.if.m4
@@ -776,6 +776,48 @@ interface(`corenet_relabelto_$1_packets',`
')
'') dnl end create_port_interfaces

+define(`create_ibpkey_interfaces',``
+########################################
+## <summary>
+## Access the infiniband fabric on the $1 ibpkey.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_ib_access_$1_pkey',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:infiniband_pkey access;
+')
+'') dnl end create_ibpkey_interfaces
+
+define(`create_ibendport_interfaces',``
+########################################
+## <summary>
+## Manage the subnet on $1 ibendport.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_ib_manage_subnet_$1_endport',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:infiniband_endport manage_subnet;
+')
+'') dnl end create_ibendport_interfaces
+
#
# create_netif_*_interfaces(linux_interfacename)
#
@@ -851,3 +893,25 @@ define(`network_packet',`
create_packet_interfaces($1_client)
create_packet_interfaces($1_server)
')
+
+# create_ibpkey_*_interfaces(name, subnet_prefix, pkeynum,mls_sensitivity)
+# (these wrap create_port_interfaces to handle attributes and types)
+define(`create_ibpkey_type_interfaces',`create_ibpkey_interfaces($1,ibpkey_t,type,determine_reserved_capability(shift($*)))')
+
+#
+# ib_pkey(name,subnet_prefix pkeynum mls_sensitivity)
+#
+define(`ib_pkey',`
+create_ibpkey_type_interfaces($*)
+')
+
+# create_ibendport_*_interfaces(name, devname, portnum,mls_sensitivity)
+# (these wrap create_port_interfaces to handle attributes and types)
+define(`create_ibendport_type_interfaces',`create_ibendport_interfaces($1,ibendport_t,type,determine_reserved_capability(shift($*)))')
+
+#
+# ib_endport(name,device_name, portnum mls_sensitivity)
+#
+define(`ib_endport',`
+create_ibendport_type_interfaces($*)
+')
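Review bot: `create_ibpkey_type_interfaces` and `create_ibendport_type_interfaces` pass `determine_reserved_capability(shift($*))` as a fourth argument that neither `create_ibpkey_interfaces` nor `create_ibendport_interfaces` reads, and that helper exists to classify TCP/UDP port numbers as reserved, which has no meaning for a subnet-prefix/pkey or device/port tuple. Drop the argument: `define(`create_ibpkey_type_interfaces',`create_ibpkey_interfaces($1,ibpkey_t,type)')` and the same for the endport macro. The comments `(these wrap create_port_interfaces ...)` are copied from the port macros and should name the ib macros they actually wrap, and the signature comments are missing commas (`ib_pkey(name, subnet_prefix, pkeynum, mls_sensitivity)`).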
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 1ca96d38..138d147f 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -16,6 +16,8 @@ attribute port_type;
attribute reserved_port_type;
attribute rpc_port_type;
attribute server_packet_type;
+attribute ibpkey_type;
+attribute ibendport_type;
# This is an optimization for { port_type -reserved_port_type }
attribute unreserved_port_type;

@@ -346,6 +348,15 @@ typealias netif_t alias { lo_netif_t netif_lo_t };

########################################
#
+# Infiniband Pkeys
+#
+#
+# unlabeled_t is the default type of infiniband pkeys.
+#
+ib_pkey(default, fe80::,0xFFFF,s0)
+
+########################################
+#
# Unconfined access to this module
#

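Review bot: The block comment says `unlabeled_t is the default type of infiniband pkeys` and is immediately followed by `ib_pkey(default, ...)`, which declares a type named `default_ibpkey_t` for the full-membership pkey 0xFFFF, so "default" means two different things in consecutive lines. Reword to separate them, e.g. `# Pkeys that match no ibpkeycon statement are unlabeled_t.` followed by `# 0xFFFF is the full-membership pkey present on every IB subnet.` Since the label is keyed on the `fe80::` subnet prefix, the default pkey on a fabric configured with a different prefix presumably falls back to unlabeled_t; that is worth stating here so administrators know they must add their own ibpkeycon in that case.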
@@ -358,3 +369,11 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+
+# Infiniband
+optional_policy(`
+ corenet_ib_access_all_pkeys(corenet_unconfined_type)
+ corenet_ib_manage_subnet_all_endports(corenet_unconfined_type)
+ corenet_ib_access_unlabeled_pkeys(corenet_unconfined_type)
+ corenet_ib_manage_subnet_unlabeled_endports(corenet_unconfined_type)
+')
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
index 3f6e1688..380e64f3 100644
--- a/policy/modules/kernel/corenetwork.te.m4
+++ b/policy/modules/kernel/corenetwork.te.m4
@@ -111,3 +111,29 @@ define(`network_packet',`
type $1_client_packet_t, packet_type, client_packet_type;
type $1_server_packet_t, packet_type, server_packet_type;
')
+
+define(`declare_ibpkeycons',`dnl
+ibpkeycon $2 $3 gen_context(system_u:object_r:$1,$4)
+ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl
+')
+
+#
+# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]])
+#
+define(`ib_pkey',`
+type $1_ibpkey_t, ibpkey_type;
+ifelse(`$2',`',`',`declare_ibpkeycons($1_ibpkey_t,shift($*))')dnl
+')
+
+define(`declare_ibendportcons',`dnl
+ibendportcon $2 $3 gen_context(system_u:object_r:$1,$4)
+ifelse(`$5',`',`',`declare_ibendportcons($1,shiftn(4,$*))')dnl
+')
+
+#
+# ib_endport (name, dev_name, port_num, mls_sensitivity [, dev_name, port_num mls_sensitivity[,...]])
+#
+define(`ib_endport',`
+type $1_ibendport_t, ibendport_type;
+ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl
+')
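Review bot: The signature comment reads `ib_pkey(nam, ...)` and neither comment says what the `ifelse(`$2',`',...)` guard means in practice: a call with only a name declares `$1_ibpkey_t` (or `$1_ibendport_t`) and emits no ibpkeycon/ibendportcon, leaving the type for third-party modules to label. Fix the typo and add one line per macro, e.g. `# With only a name given, the type is declared and no ibpkeycon is emitted.`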
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 8d23e58c..75d7c477 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3535,3 +3535,40 @@ interface(`kernel_rw_vm_overcommit_sysctl',`
kernel_search_vm_sysctl($1)
allow $1 sysctl_vm_overcommit_t:file rw_file_perms;
')
+
+########################################
+## <summary>
+## Access unlabeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_ib_access_unlabeled_pkeys',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:infiniband_pkey access;
+')
+
+########################################
+## <summary>
+## Manage subnet on unlabeled Infiniband endports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_ib_manage_subnet_unlabeled_endports',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:infiniband_endport manage_subnet;
+')
+
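Review bot: Both new interfaces grant unlabeled_t, which for these classes is the catch-all label for any pkey or endport that no ibpkeycon/ibendportcon statement matches, and the interface documentation does not say so; a caller reading `Access unlabeled infiniband pkeys` cannot tell that it is granting every partition the administrator has not labeled. Add a `<desc>` paragraph to each, e.g. `Infiniband pkeys that match no ibpkeycon statement are unlabeled_t, so this grants access to every partition the administrator has not explicitly labeled.` The hunk also adds a trailing blank line at end of file (the final `+` line) that should be dropped.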
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 89923242..ee89949a 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -449,6 +449,13 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')

+optional_policy(`
+ corenet_ib_access_all_pkeys(kernel_t)
+ corenet_ib_access_unlabeled_pkeys(kernel_t)
+ corenet_ib_manage_subnet_all_endports(kernel_t)
+ corenet_ib_manage_subnet_unlabeled_endports(kernel_t)
+')
+
########################################
#
# Unlabeled process local policy
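Review bot: The four grants to kernel_t carry no comment, while the commit message gives the reason (processing and routing management datagrams, configuring the HCA); put that in the policy so it survives the mailing list, e.g. `# process and route management datagrams and configure the HCA`. Since the optional block directly above already gives kernel_t `unconfined_domain_noaudit`, these rules only matter in builds where that block is not active, which is also worth a line.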
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 27c2fffa..8c1ad8b8 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
#

optional_policy(`
+ corenet_ib_access_unlabeled_pkeys(staff_t)
+')
+
+optional_policy(`
apache_role(staff_r, staff_t)
')

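Review bot: `corenet_ib_access_unlabeled_pkeys(staff_t)` gives an unprivileged role access to every partition that has no ibpkeycon label, so the fabric is open to staff by default and closed only where an administrator has labeled, which inverts the deny-by-default posture one would expect for a new object class. The commit message says staff gets "the default and unlabeled pkeys", but this hunk grants only the unlabeled one, so either the message or the rule is wrong; if staff is meant to reach only the default partition, grant `corenet_ib_access_default_pkey(staff_t)` instead and leave unlabeled_t to sysadm.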
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 54df4354..21081094 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -277,6 +277,11 @@ optional_policy(`
')

optional_policy(`
+ corenet_ib_access_unlabeled_pkeys(sysadm_t)
+ corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
+')
+
+optional_policy(`
couchdb_admin(sysadm_t, sysadm_r)
')

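Review bot: As with staff, the commit message promises sysadm access to the default pkey but the hunk grants only `corenet_ib_access_unlabeled_pkeys`; the generated `corenet_ib_access_default_pkey(sysadm_t)` interface exists and is otherwise unused by the patch. `manage_subnet` on unlabeled endports from sysadm_t means a subnet manager run by an administrator operates in the interactive sysadm domain; if that is the intended deployment it deserves a comment, otherwise a dedicated domain for the subnet manager would keep that capability off the admin shell.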
diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed
index 00b94b6a..90813480 100644
--- a/support/comment_move_decl.sed
+++ b/support/comment_move_decl.sed
@@ -6,7 +6,7 @@
/optional \{/,/} # end optional/b nextline

/^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/
-/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/
+/^[[:blank:]]*(port|node|netif|genfs|ibpkey|ibendport)con /s/^/# this line was moved by the build process: &/
/^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/
/^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/
/^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/
--
2.12.2


2017-05-24 00:28:24

by Chris PeBenito

Subject: [refpolicy] [PATCH v1 1/1] refpolicy: Infiniband pkeys and endports

On 05/23/2017 10:44 AM, Dan Jurgens wrote:
> From: Daniel Jurgens <[email protected]>
>
> Every Infiniband network will have a default pkey, so that is labeled.
> The rest of the pkey configuration is network specific. The policy allows
> access to the default and unlabeled pkeys for sysadm and staff users.
> kernel_t is allowed access to all pkeys, which it needs to process and
> route management datagrams.
>
> Endports are all unlabeled by default, sysadm users are allowed to
> manage the subnet on unlabeled endports. kernel_t is allowed to manage
> the subnet on all ibendports, which is required for configuring the HCA.
>
> This patch requires selinux series: "SELinux user space support for
> Infiniband RDMA", due to the new ipkeycon labeling mechanism.
>
> Signed-off-by: Daniel Jurgens <[email protected]>
>
> ---
>
> v1:
> Myself:
> - Changed default PKey label from s1 to s0.
>
> Chris PeBenito:
> - Shorted interface names to corenet_ib_*
> - Remove direct referenc to to unlabeled_t in corenet interface file,
> now it calls new kernel_ib interfaces.
> - Change corenet_ib_*all* interfaces allow for the typeattribute only,
> and not unlabeled as well.
> - Eliminate unneccesary braces on single access vectors.
>
> ---
> Makefile | 4 +-
> Rules.modular | 2 +
> Rules.monolithic | 2 +
> policy/flask/access_vectors | 10 +++
> policy/flask/security_classes | 4 ++
> policy/modules/kernel/corenetwork.if.in | 118 ++++++++++++++++++++++++++++++++
> policy/modules/kernel/corenetwork.if.m4 | 64 +++++++++++++++++
> policy/modules/kernel/corenetwork.te.in | 19 +++++
> policy/modules/kernel/corenetwork.te.m4 | 26 +++++++
> policy/modules/kernel/kernel.if | 37 ++++++++++
> policy/modules/kernel/kernel.te | 7 ++
> policy/modules/roles/staff.te | 4 ++
> policy/modules/roles/sysadm.te | 5 ++
> support/comment_move_decl.sed | 2 +-
> 14 files changed, 301 insertions(+), 3 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index d19985eb..1804108e 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -76,7 +76,7 @@ SED ?= sed
> SORT ?= LC_ALL=C sort
> UMASK ?= umask
>
> -CFLAGS += -Wall -Wextra -Werror -O2
> +CFLAGS += -Wno-implicit-fallthrough -Wall -Wextra -Werror -O2
>
> # policy source layout
> poldir := policy
> @@ -370,7 +370,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke
> @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
> @echo "#" >> $@
> $(verbose) cat [email protected] >> $@
> - $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
> + $(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)|ib_(pkey|endport)\(.*\)" $< \
> | $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) [email protected] $(m4undivert) - \
> | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
>
> diff --git a/Rules.modular b/Rules.modular
> index 49d3cca9..331a979d 100644
> --- a/Rules.modular
> +++ b/Rules.modular
> @@ -170,6 +170,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con
> $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
> $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
> $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
> + $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
> + $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
>
> $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
> $(verbose) $(comment_move_decl) $^ > $@
> diff --git a/Rules.monolithic b/Rules.monolithic
> index ce112d78..80e00821 100644
> --- a/Rules.monolithic
> +++ b/Rules.monolithic
> @@ -150,6 +150,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con
> $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
> $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
> $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
> + $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
> + $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
>
> $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
> $(verbose) $(comment_move_decl) $^ > $@
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index 69f69af8..520a3c28 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -926,6 +926,16 @@ inherits database
> set_value
> }
>
> +class infiniband_pkey
> +{
> + access
> +}
> +
> +class infiniband_endport
> +{
> + manage_subnet
> +}
> +
> class db_language
> inherits database
> {
> diff --git a/policy/flask/security_classes b/policy/flask/security_classes
> index 18f18fd8..393621bf 100644
> --- a/policy/flask/security_classes
> +++ b/policy/flask/security_classes
> @@ -139,6 +139,10 @@ class netlink_crypto_socket
> class x_pointer # userspace
> class x_keyboard # userspace
>
> +# Infiniband
> +class infiniband_pkey
> +class infiniband_endport
> +
> # More Database stuff
> class db_schema # userspace
> class db_view # userspace
> diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
> index 2101ea1b..ff3048de 100644
> --- a/policy/modules/kernel/corenetwork.if.in
> +++ b/policy/modules/kernel/corenetwork.if.in
> @@ -3134,3 +3134,121 @@ interface(`corenet_unconfined',`
>
> typeattribute $1 corenet_unconfined_type;
> ')
> +
> +########################################
> +## <summary>
> +## Define type to be an infiniband pkey type
> +## </summary>
> +## <desc>
> +## <p>
> +## Define type to be an infiniband pkey type
> +## </p>
> +## <p>
> +## This is for supporting third party modules and its
> +## use is not allowed in upstream reference policy.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Type to be used for infiniband pkeys.
> +## </summary>
> +## </param>
> +#
> +interface(`corenet_ib_pkey',`
> + gen_require(`
> + attribute ibpkey_type;
> + ')
> +
> + typeattribute $1 ibpkey_type;
> +')
> +
> +########################################
> +## <summary>
> +## Access unlabeled infiniband pkeys.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`corenet_ib_access_unlabeled_pkeys',`
> + kernel_ib_access_unlabeled_pkeys($1)
> +')
> +
> +########################################
> +## <summary>
> +## Access all labeled infiniband pkeys.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`corenet_ib_access_all_pkeys',`
> + gen_require(`
> + attribute ibpkey_type;
> + ')
> +
> + allow $1 ibpkey_type:infiniband_pkey access;
> +')
> +
> +########################################
> +## <summary>
> +## Define type to be an infiniband endport
> +## </summary>
> +## <desc>
> +## <p>
> +## Define type to be an infiniband endport
> +## </p>
> +## <p>
> +## This is for supporting third party modules and its
> +## use is not allowed in upstream reference policy.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Type to be used for infiniband endports.
> +## </summary>
> +## </param>
> +#
> +interface(`corenet_ib_endport',`
> + gen_require(`
> + attribute ibendport_type;
> + ')
> +
> + typeattribute $1 ibendport_type;
> +')
> +
> +########################################
> +## <summary>
> +## Manage subnets on all labeled Infiniband endports
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`corenet_ib_manage_subnet_all_endports',`
> + gen_require(`
> + attribute ibendport_type;
> + ')
> +
> + allow $1 ibendport_type:infiniband_endport manage_subnet;
> +')
> +
> +########################################
> +## <summary>
> +## Manage subnet on all unlabeled Infiniband endports
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`corenet_ib_manage_subnet_unlabeled_endports',`
> + kernel_ib_manage_subnet_unlabeled_endports($1)
> +')
> diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
> index 468fb344..fad84ca9 100644
> --- a/policy/modules/kernel/corenetwork.if.m4
> +++ b/policy/modules/kernel/corenetwork.if.m4
> @@ -776,6 +776,48 @@ interface(`corenet_relabelto_$1_packets',`
> ')
> '') dnl end create_port_interfaces
>
> +define(`create_ibpkey_interfaces',``
> +########################################
> +## <summary>
> +## Access the infiniband fabric on the $1 ibpkey.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_ib_access_$1_pkey',`
> + gen_require(`
> + $3 $1_$2;
> + ')
> +
> + allow dollarsone $1_$2:infiniband_pkey access;
> +')
> +'') dnl end create_ibpkey_interfaces
> +
> +define(`create_ibendport_interfaces',``
> +########################################
> +## <summary>
> +## Manage the subnet on $1 ibendport.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_ib_manage_subnet_$1_endport',`
> + gen_require(`
> + $3 $1_$2;
> + ')
> +
> + allow dollarsone $1_$2:infiniband_endport manage_subnet;
> +')
> +'') dnl end create_ibendport_interfaces
> +
> #
> # create_netif_*_interfaces(linux_interfacename)
> #
> @@ -851,3 +893,25 @@ define(`network_packet',`
> create_packet_interfaces($1_client)
> create_packet_interfaces($1_server)
> ')
> +
> +# create_ibpkey_*_interfaces(name, subnet_prefix, pkeynum,mls_sensitivity)
> +# (these wrap create_port_interfaces to handle attributes and types)
> +define(`create_ibpkey_type_interfaces',`create_ibpkey_interfaces($1,ibpkey_t,type,determine_reserved_capability(shift($*)))')
> +
> +#
> +# ib_pkey(name,subnet_prefix pkeynum mls_sensitivity)
> +#
> +define(`ib_pkey',`
> +create_ibpkey_type_interfaces($*)
> +')
> +
> +# create_ibendport_*_interfaces(name, devname, portnum,mls_sensitivity)
> +# (these wrap create_port_interfaces to handle attributes and types)
> +define(`create_ibendport_type_interfaces',`create_ibendport_interfaces($1,ibendport_t,type,determine_reserved_capability(shift($*)))')
> +
> +#
> +# ib_endport(name,device_name, portnum mls_sensitivity)
> +#
> +define(`ib_endport',`
> +create_ibendport_type_interfaces($*)
> +')
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index 1ca96d38..138d147f 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -16,6 +16,8 @@ attribute port_type;
> attribute reserved_port_type;
> attribute rpc_port_type;
> attribute server_packet_type;
> +attribute ibpkey_type;
> +attribute ibendport_type;
> # This is an optimization for { port_type -reserved_port_type }
> attribute unreserved_port_type;
>
> @@ -346,6 +348,15 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
>
> ########################################
> #
> +# Infiniband Pkeys
> +#
> +#
> +# unlabeled_t is the default type of infiniband pkeys.
> +#
> +ib_pkey(default, fe80::,0xFFFF,s0)
> +
> +########################################
> +#
> # Unconfined access to this module
> #
>
> @@ -358,3 +369,11 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
> # Bind to any network address.
> allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
> allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
> +
> +# Infiniband
> +optional_policy(`
> + corenet_ib_access_all_pkeys(corenet_unconfined_type)
> + corenet_ib_manage_subnet_all_endports(corenet_unconfined_type)
> + corenet_ib_access_unlabeled_pkeys(corenet_unconfined_type)
> + corenet_ib_manage_subnet_unlabeled_endports(corenet_unconfined_type)
> +')

This shouldn't be optional, as this is referencing its own module, so it
will always be included. The corenet_ib_* calls below don't need to be
optional either as corenet is required for all policies.


> diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
> index 3f6e1688..380e64f3 100644
> --- a/policy/modules/kernel/corenetwork.te.m4
> +++ b/policy/modules/kernel/corenetwork.te.m4
> @@ -111,3 +111,29 @@ define(`network_packet',`
> type $1_client_packet_t, packet_type, client_packet_type;
> type $1_server_packet_t, packet_type, server_packet_type;
> ')
> +
> +define(`declare_ibpkeycons',`dnl
> +ibpkeycon $2 $3 gen_context(system_u:object_r:$1,$4)
> +ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl
> +')
> +
> +#
> +# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]])
> +#
> +define(`ib_pkey',`
> +type $1_ibpkey_t, ibpkey_type;
> +ifelse(`$2',`',`',`declare_ibpkeycons($1_ibpkey_t,shift($*))')dnl
> +')
> +
> +define(`declare_ibendportcons',`dnl
> +ibendportcon $2 $3 gen_context(system_u:object_r:$1,$4)
> +ifelse(`$5',`',`',`declare_ibendportcons($1,shiftn(4,$*))')dnl
> +')
> +
> +#
> +# ib_endport (name, dev_name, port_num, mls_sensitivity [, dev_name, port_num mls_sensitivity[,...]])
> +#
> +define(`ib_endport',`
> +type $1_ibendport_t, ibendport_type;
> +ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl
> +')
> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> index 8d23e58c..75d7c477 100644
> --- a/policy/modules/kernel/kernel.if
> +++ b/policy/modules/kernel/kernel.if
> @@ -3535,3 +3535,40 @@ interface(`kernel_rw_vm_overcommit_sysctl',`
> kernel_search_vm_sysctl($1)
> allow $1 sysctl_vm_overcommit_t:file rw_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## Access unlabeled infiniband pkeys.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_ib_access_unlabeled_pkeys',`
> + gen_require(`
> + type unlabeled_t;
> + ')
> +
> + allow $1 unlabeled_t:infiniband_pkey access;
> +')
> +
> +########################################
> +## <summary>
> +## Manage subnet on unlabeled Infiniband endports.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_ib_manage_subnet_unlabeled_endports',`
> + gen_require(`
> + type unlabeled_t;
> + ')
> +
> + allow $1 unlabeled_t:infiniband_endport manage_subnet;
> +')
> +
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 89923242..ee89949a 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -449,6 +449,13 @@ optional_policy(`
> unconfined_domain_noaudit(kernel_t)
> ')
>
> +optional_policy(`
> + corenet_ib_access_all_pkeys(kernel_t)
> + corenet_ib_access_unlabeled_pkeys(kernel_t)
> + corenet_ib_manage_subnet_all_endports(kernel_t)
> + corenet_ib_manage_subnet_unlabeled_endports(kernel_t)
> +')
> +
> ########################################
> #
> # Unlabeled process local policy
> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 27c2fffa..8c1ad8b8 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
> #
>
> optional_policy(`
> + corenet_ib_access_unlabeled_pkeys(staff_t)
> +')
> +
> +optional_policy(`
> apache_role(staff_r, staff_t)
> ')
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 54df4354..21081094 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -277,6 +277,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + corenet_ib_access_unlabeled_pkeys(sysadm_t)
> + corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
> +')
> +
> +optional_policy(`
> couchdb_admin(sysadm_t, sysadm_r)
> ')
>
> diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed
> index 00b94b6a..90813480 100644
> --- a/support/comment_move_decl.sed
> +++ b/support/comment_move_decl.sed
> @@ -6,7 +6,7 @@
> /optional \{/,/} # end optional/b nextline
>
> /^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/
> -/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/
> +/^[[:blank:]]*(port|node|netif|genfs|ibpkey|ibendport)con /s/^/# this line was moved by the build process: &/
> /^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/
> /^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/
> /^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/
>


--
Chris PeBenito