From: danielj@mellanox.com (Daniel Jurgens)
Date: Thu, 25 May 2017 00:56:47 +0000
Subject: [refpolicy] [PATCH v2 1/1] refpolicy: Infiniband pkeys and endports
References: <1495635299-83167-1-git-send-email-danielj@mellanox.com> <02199d29-78b3-c8d0-60a0-306216de4766@ieee.org>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 5/24/2017 6:58 PM, Chris PeBenito wrote:
> On 05/24/2017 10:14 AM, Dan Jurgens wrote:
>> From: Daniel Jurgens
>>
>> Every Infiniband network will have a default pkey, so that is labeled.
>> The rest of the pkey configuration is network specific. The policy allows
>> access to the default and unlabeled pkeys for sysadm and staff users.
>> kernel_t is allowed access to all pkeys, which it needs to process and
>> route management datagrams.
>>
>> Endports are all unlabeled by default, sysadm users are allowed to
>> manage the subnet on unlabeled endports. kernel_t is allowed to manage
>> the subnet on all ibendports, which is required for configuring the HCA.
>>
>> This patch requires selinux series: "SELinux user space support for
>> Infiniband RDMA", due to the new ipkeycon labeling mechanism.
>>
>> Signed-off-by: Daniel Jurgens
>>
> Merged, though I moved some lines.
>

Thanks Chris!