From: danielj@mellanox.com (Dan Jurgens) Date: Thu, 23 Jun 2016 22:47:48 +0300 Subject: [refpolicy] [PATCH 1/1] flask: Add classes and SIDs for InfiniBand support In-Reply-To: <1466711268-61413-1-git-send-email-danielj@mellanox.com> References: <1466711268-61413-1-git-send-email-danielj@mellanox.com> Message-ID: <1466711268-61413-2-git-send-email-danielj@mellanox.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com From: Daniel Jurgens Add new classes, access vectors, SIDs required for SELinux to provide access control for InfiniBand. Add stub policy so refpolicy still compiles. Useful policy will be added after the SELinux kernel and userspace changes are in place. Signed-off-by: Daniel Jurgens --- policy/flask/access_vectors | 10 ++++++++++ policy/flask/initial_sids | 3 ++- policy/flask/security_classes | 4 ++++ policy/modules/kernel/infiniband.fc | 1 + policy/modules/kernel/infiniband.if | 7 +++++++ policy/modules/kernel/infiniband.te | 10 ++++++++++ 7 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 policy/modules/kernel/infiniband.fc create mode 100644 policy/modules/kernel/infiniband.if create mode 100644 policy/modules/kernel/infiniband.te diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index 1d045b4..8a08b7d 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -925,6 +925,16 @@ inherits database set_value } +class infiniband_pkey +{ + access +} + +class infiniband_end_port +{ + smp +} + class db_language inherits database { diff --git a/policy/flask/initial_sids b/policy/flask/initial_sids index 95894eb..cc62dc6 100644 --- a/policy/flask/initial_sids +++ b/policy/flask/initial_sids @@ -31,5 +31,6 @@ sid kmod sid policy sid scmp_packet sid devnull - +sid pkey +sid ib_end_port # FLASK diff --git a/policy/flask/security_classes b/policy/flask/security_classes index 16768c2..5f71cc9 100644 --- a/policy/flask/security_classes +++ b/policy/flask/security_classes 
@@ -139,6 +139,10 @@ class netlink_crypto_socket class x_pointer # userspace class x_keyboard # userspace +# Infiniband +class infiniband_pkey +class infiniband_end_port + # More Database stuff class db_schema # userspace class db_view # userspace diff --git a/policy/modules/kernel/infiniband.fc b/policy/modules/kernel/infiniband.fc new file mode 100644 index 0000000..7be4ddf --- /dev/null +++ b/policy/modules/kernel/infiniband.fc @@ -0,0 +1 @@ +# This module currently does not have any file contexts. diff --git a/policy/modules/kernel/infiniband.if b/policy/modules/kernel/infiniband.if new file mode 100644 index 0000000..e644895 --- /dev/null +++ b/policy/modules/kernel/infiniband.if @@ -0,0 +1,7 @@ +## Policy controlling access to infiniband objects +## +## Contains the initial SIDs for infiniband objects. +## +# + +# This module currently does not have any interfaces diff --git a/policy/modules/kernel/infiniband.te b/policy/modules/kernel/infiniband.te new file mode 100644 index 0000000..f3a8bbe --- /dev/null +++ b/policy/modules/kernel/infiniband.te @@ -0,0 +1,10 @@ +policy_module(infiniband 1.0.0) + +attribute ib_end_port_type; +attribute pkey_type; + +type pkey_t, pkey_type; +type ib_end_port_t, ib_end_port_type; + +sid pkey gen_context(system_u:object_r:pkey_t,s0) +sid ib_end_port gen_context(system_u:object_r:ib_end_port_t,s0) -- 1.8.3.1
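Review bot: In policy/flask/access_vectors, the permissions `access` (on infiniband_pkey) and `smp` (on infiniband_end_port) are introduced with no comment saying which operation each one gates. `smp` is an abbreviation (subnet management packet) that a policy reader will not decode from the name alone, and `access` says nothing about what kind of access. Suggest a short comment above each class, and consider naming the permission after the action being authorised rather than the packet type.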
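Review bot: In policy/flask/initial_sids, the hunk removes the blank line that separated `sid devnull` from the `# FLASK` trailer; keep that separator. Appending `sid pkey` and `sid ib_end_port` after `devnull` is the correct placement, since initial SID values are assigned by position and inserting earlier would renumber existing SIDs. The SID names (`pkey`, `ib_end_port`) do not follow the class names (`infiniband_pkey`, `infiniband_end_port`); picking one prefix convention for both would make the .te declarations easier to grep.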
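Review bot: In policy/flask/security_classes, the two classes are inserted between `x_keyboard` and `db_schema`, which shifts the numeric value of every class declared after them (all the remaining database classes), because class values are assigned in declaration order. Unless that renumbering is intended, append the new classes at the end of the file. Also spell the comment `# InfiniBand` to match the commit message.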
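Review bot: In policy/modules/kernel/infiniband.if, the summary says the module "Contains the initial SIDs for infiniband objects", which describes infiniband.te rather than anything in this file; acceptable as a module summary, but spell it InfiniBand consistently and terminate the placeholder comment with a period as infiniband.fc does.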
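Review bot: In policy/modules/kernel/infiniband.te, the module declares `pkey_type`, `ib_end_port_type` and the two default types but no allow rules, so once the kernel hooks are in place every domain is denied `infiniband_pkey { access }` and `infiniband_end_port { smp }` until a follow-up adds rules; the commit message acknowledges this, and a comment in the file saying so would stop it being mistaken for a finished module. The file also lacks the `# Declarations` section banner used by the other kernel modules. With `sid pkey gen_context(system_u:object_r:pkey_t,s0)` as the only label source and no interfaces in infiniband.if, nothing can yet assign any other `pkey_type` to a partition key; the attribute is the right hook for that, but an interface for declaring and labelling such types will be needed alongside the access rules.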