On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <[email protected]> wrote:
> From: Daniel Jurgens <[email protected]>
>
> For controlling IPoIB VLANs
>
> Reported-by: Honggang LI <[email protected]>
> Signed-off-by: Daniel Jurgens <[email protected]>
> Tested-by: Honggang LI <[email protected]>
> ---
> networkmanager.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
[NOTE: resending due to a typo in the refpol mailing list address]
We obviously need something like this now so we don't break IPoIB, but
I wonder if we should make the IB access controls dynamic like the
per-packet network access controls. We could key off the presence of
the IB pkey and endport definitions: if there are any objects defined
in the loaded policy we enable the controls, otherwise we disable
them.
> diff --git a/networkmanager.te b/networkmanager.te
> index 76d0106..5e881f4 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
> userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
> userdom_dontaudit_use_user_ttys(NetworkManager_t)
>
> +corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
> +
> optional_policy(`
> avahi_domtrans(NetworkManager_t)
> avahi_kill(NetworkManager_t)
> --
> 1.7.1
--
paul moore
http://www.paul-moore.com
On 11/27/2017 10:19 AM, Paul Moore wrote:
> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <[email protected]> wrote:
>> From: Daniel Jurgens <[email protected]>
>>
>> For controlling IPoIB VLANs
>>
>> Reported-by: Honggang LI <[email protected]>
>> Signed-off-by: Daniel Jurgens <[email protected]>
>> Tested-by: Honggang LI <[email protected]>
>> ---
>> networkmanager.te | 2 ++
>> 1 files changed, 2 insertions(+), 0 deletions(-)
> [NOTE: resending due to a typo in the refpol mailing list address]
>
> We obviously need something like this now so we don't break IPoIB, but
> I wonder if we should make the IB access controls dynamic like the
> per-packet network access controls. We could key off the presence of
> the IB pkey and endport definitions: if there are any objects defined
> in the loaded policy we enable the controls, otherwise we disable
> them.
I think I understand what you're saying Paul, but I'm not clear on the mechanism.? Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.
>
>> diff --git a/networkmanager.te b/networkmanager.te
>> index 76d0106..5e881f4 100644
>> --- a/networkmanager.te
>> +++ b/networkmanager.te
>> @@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
>> userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
>> userdom_dontaudit_use_user_ttys(NetworkManager_t)
>>
>> +corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
>> +
>> optional_policy(`
>> avahi_domtrans(NetworkManager_t)
>> avahi_kill(NetworkManager_t)
>> --
>> 1.7.1
On Mon, Nov 27, 2017 at 3:04 PM, Daniel Jurgens <[email protected]> wrote:
> On 11/27/2017 10:19 AM, Paul Moore wrote:
>> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <[email protected]> wrote:
>>> From: Daniel Jurgens <[email protected]>
>>>
>>> For controlling IPoIB VLANs
>>>
>>> Reported-by: Honggang LI <[email protected]>
>>> Signed-off-by: Daniel Jurgens <[email protected]>
>>> Tested-by: Honggang LI <[email protected]>
>>> ---
>>> networkmanager.te | 2 ++
>>> 1 files changed, 2 insertions(+), 0 deletions(-)
>> [NOTE: resending due to a typo in the refpol mailing list address]
>>
>> We obviously need something like this now so we don't break IPoIB, but
>> I wonder if we should make the IB access controls dynamic like the
>> per-packet network access controls. We could key off the presence of
>> the IB pkey and endport definitions: if there are any objects defined
>> in the loaded policy we enable the controls, otherwise we disable
>> them.
>
> I think I understand what you're saying Paul, but I'm not clear on the mechanism. Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.
Basically, yes. We could add a new variable/function that gates the
access control checks in selinux_ib_pkey_access() and
selinux_ib_endport_manage_subnet(); the checks would be enabled when
there was Infiniband configuration loaded with the policy. Without
the IB config loaded, all the checks would end up being just a domain
check against unlabeled_t, which isn't very interesting, so we would
just drop the checks.
--
paul moore
http://www.paul-moore.com
On 11/27/2017 05:50 PM, Paul Moore wrote:
> On Mon, Nov 27, 2017 at 3:04 PM, Daniel Jurgens <[email protected]> wrote:
>> On 11/27/2017 10:19 AM, Paul Moore wrote:
>>> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <[email protected]> wrote:
>>>> From: Daniel Jurgens <[email protected]>
>>>>
>>>> For controlling IPoIB VLANs
>>>>
>>>> Reported-by: Honggang LI <[email protected]>
>>>> Signed-off-by: Daniel Jurgens <[email protected]>
>>>> Tested-by: Honggang LI <[email protected]>
>>>> ---
>>>> networkmanager.te | 2 ++
>>>> 1 files changed, 2 insertions(+), 0 deletions(-)
>>> [NOTE: resending due to a typo in the refpol mailing list address]
>>>
>>> We obviously need something like this now so we don't break IPoIB, but
>>> I wonder if we should make the IB access controls dynamic like the
>>> per-packet network access controls. We could key off the presence of
>>> the IB pkey and endport definitions: if there are any objects defined
>>> in the loaded policy we enable the controls, otherwise we disable
>>> them.
>>
>> I think I understand what you're saying Paul, but I'm not clear on the mechanism. Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.
>
> Basically, yes. We could add a new variable/function that gates the
> access control checks in selinux_ib_pkey_access() and
> selinux_ib_endport_manage_subnet(); the checks would be enabled when
> there was Infiniband configuration loaded with the policy. Without
> the IB config loaded, all the checks would end up being just a domain
> check against unlabeled_t, which isn't very interesting, so we would
> just drop the checks.
As long as it also respects policycap always_check_network, it works for me.
--
Chris PeBenito