From: pebenito@ieee.org (Chris PeBenito) Date: Sat, 25 Jun 2016 13:02:59 -0400 Subject: [refpolicy] [PATCH 1/1] flask: Add classes and SIDs for InfiniBand support In-Reply-To: <1466711268-61413-2-git-send-email-danielj@mellanox.com> References: <1466711268-61413-1-git-send-email-danielj@mellanox.com> <1466711268-61413-2-git-send-email-danielj@mellanox.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 06/23/16 15:47, Dan Jurgens wrote: > From: Daniel Jurgens > > Add new classes, access vectors, SIDs required for SELinux to provide > access control for InfiniBand. Add stub policy so refpolicy still > compiles. Useful policy will be added after the SELinux kernel and > userspace changes are in place. This will have to wait until the corresponding code changes start making their way upstream. I don't want to merge any new classes, and even more so, initial SIDs, until I'm confident it won't be changing. > Signed-off-by: Daniel Jurgens > --- > policy/flask/access_vectors | 10 ++++++++++ > policy/flask/initial_sids | 3 ++- > policy/flask/security_classes | 4 ++++ > policy/modules/kernel/infiniband.fc | 1 + > policy/modules/kernel/infiniband.if | 7 +++++++ > policy/modules/kernel/infiniband.te | 10 ++++++++++ I'm not sure that a new infiniband module makes sense. I could see it going in corenetwork. > 7 files changed, 35 insertions(+), 2 deletions(-) > create mode 100644 policy/modules/kernel/infiniband.fc > create mode 100644 policy/modules/kernel/infiniband.if > create mode 100644 policy/modules/kernel/infiniband.te > > diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors > index 1d045b4..8a08b7d 100644 > --- a/policy/flask/access_vectors > +++ b/policy/flask/access_vectors > @@ -925,6 +925,16 @@ inherits database > set_value > } > > +class infiniband_pkey > +{ > + access > +} > + > +class infiniband_end_port > +{ > + smp > +} > + > class db_language > inherits database > { 
> diff --git a/policy/flask/initial_sids b/policy/flask/initial_sids > index 95894eb..cc62dc6 100644 > --- a/policy/flask/initial_sids > +++ b/policy/flask/initial_sids > @@ -31,5 +31,6 @@ sid kmod > sid policy > sid scmp_packet > sid devnull > - > +sid pkey > +sid ib_end_port > # FLASK > diff --git a/policy/flask/security_classes b/policy/flask/security_classes > index 16768c2..5f71cc9 100644 > --- a/policy/flask/security_classes > +++ b/policy/flask/security_classes > @@ -139,6 +139,10 @@ class netlink_crypto_socket > class x_pointer # userspace > class x_keyboard # userspace > > +# Infiniband > +class infiniband_pkey > +class infiniband_end_port > + > # More Database stuff > class db_schema # userspace > class db_view # userspace > diff --git a/policy/modules/kernel/infiniband.fc b/policy/modules/kernel/infiniband.fc > new file mode 100644 > index 0000000..7be4ddf > --- /dev/null > +++ b/policy/modules/kernel/infiniband.fc > @@ -0,0 +1 @@ > +# This module currently does not have any file contexts. > diff --git a/policy/modules/kernel/infiniband.if b/policy/modules/kernel/infiniband.if > new file mode 100644 > index 0000000..e644895 > --- /dev/null > +++ b/policy/modules/kernel/infiniband.if > @@ -0,0 +1,7 @@ > +## Policy controlling access to infiniband objects > +## > +## Contains the initial SIDs for infiniband objects. > +## > +# > + > +# This module currently does not have any interfaces > diff --git a/policy/modules/kernel/infiniband.te b/policy/modules/kernel/infiniband.te > new file mode 100644 > index 0000000..f3a8bbe > --- /dev/null > +++ b/policy/modules/kernel/infiniband.te > @@ -0,0 +1,10 @@ > +policy_module(infiniband 1.0.0) > + > +attribute ib_end_port_type; > +attribute pkey_type; > + > +type pkey_t, pkey_type; > +type ib_end_port_t, ib_end_port_type; > + > +sid pkey gen_context(system_u:object_r:pkey_t,s0) > +sid ib_end_port gen_context(system_u:object_r:ib_end_port_t,s0) > -- Chris PeBenito
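Review bot: in the access_vectors hunk, `smp` as the sole permission of `infiniband_end_port` needs a comment saying what it actually allows (sending subnet management packets, if the name is meant that way), since that one word is all a policy writer will see when writing `allow ... : infiniband_end_port smp;`. The placement also splits the database classes: the new classes land between the class ending in `set_value` and `db_language`, both of which `inherits database`, while in security_classes they are placed after `x_keyboard`. Put them in the same position in both files.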
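Review bot: in the initial_sids hunk, the new SIDs are named `pkey` and `ib_end_port` while the classes added in the same series are `infiniband_pkey` and `infiniband_end_port`; using one prefix consistently would make the SID-to-class mapping obvious. Initial SID names also have to match what the kernel declares, so they should be taken verbatim from the final kernel patch rather than chosen here, which is another reason to hold this until that side is settled. The hunk additionally deletes the blank line before `# FLASK`; append the two `sid` lines and keep the separator.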
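Review bot: in the security_classes hunk, the two kernel classes are inserted in the middle of the userspace-class run (`x_pointer # userspace` and `x_keyboard # userspace` above, `db_schema # userspace` below), which invites the reader to assume they are userspace classes too. Place them next to the other kernel object classes (for example near `netlink_crypto_socket`, the hunk's context line) and order access_vectors to match. The comment spelling should also follow the subject line: `# InfiniBand`.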
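Review bot: in infiniband.te, `ib_end_port_type` and `pkey_type` are declared but nothing uses them, and infiniband.if ships no interfaces, so no domain can be granted `infiniband_pkey { access }` on `pkey_t` or `infiniband_end_port { smp }` on `ib_end_port_t`; the attributes exist only to be referenced by policy that does not exist yet. Either drop the attributes from this stub and keep only the types and `sid` statements, or add the minimal interfaces now (one per type, following the `## <summary>` header convention the .if file already starts). The "does not have any file contexts" / "does not have any interfaces" placeholders in the .fc and .if files also become unnecessary if, as suggested in the reply, the SIDs and types go into corenetwork instead of a new module.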