From: paul@paul-moore.com (Paul Moore) Date: Mon, 27 Nov 2017 17:50:30 -0500 Subject: [refpolicy] [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys In-Reply-To: <6ced2e0c-e6a3-9481-f20d-ca81027e6d2f@mellanox.com> References: <1511791439-15957-1-git-send-email-danielj@mellanox.com> <6ced2e0c-e6a3-9481-f20d-ca81027e6d2f@mellanox.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, Nov 27, 2017 at 3:04 PM, Daniel Jurgens wrote: > On 11/27/2017 10:19 AM, Paul Moore wrote: >> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens wrote: >>> From: Daniel Jurgens >>> >>> For controlling IPoIB VLANs >>> >>> Reported-by: Honggang LI >>> Signed-off-by: Daniel Jurgens >>> Tested-by: Honggang LI >>> --- >>> networkmanager.te | 2 ++ >>> 1 files changed, 2 insertions(+), 0 deletions(-) >> [NOTE: resending due to a typo in the refpol mailing list address] >> >> We obviously need something like this now so we don't break IPoIB, but >> I wonder if we should make the IB access controls dynamic like the >> per-packet network access controls. We could key off the presence of >> the IB pkey and endport definitions: if there are any objects defined >> in the loaded policy we enable the controls, otherwise we disable >> them. > > I think I understand what you're saying Paul, but I'm not clear on the mechanism. Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled. Basically, yes. We could add a new variable/function that gates the access control checks in selinux_ib_pkey_access() and selinux_ib_endport_manage_subnet(); the checks would be enabled when there was Infiniband configuration loaded with the policy. Without the IB config loaded, all the checks would end up being just a domain check against unlabeled_t, which isn't very interesting, so we would just drop the checks. -- paul moore www.paul-moore.com