2017-11-22 13:43:36

by Daniel Jurgens

Subject: [refpolicy] [Regression bug] Can't control IPoIB VLAN interfaces if selinux enabled

On 11/22/2017 6:03 AM, Honggang LI wrote:
> Hi, Daniel
>
> 409dcf31538a selinux: Add a cache for quicker retreival of PKey SIDs
> ab861dfca165 selinux: Add IB Port SMP access vector
> cfc4d882d417 selinux: Implement Infiniband PKey "Access" access vector
> 3a976fa6767f selinux: Allocate and free infiniband security hooks
> a806f7a1616f selinux: Create policydb version for Infiniband support
> 47a2b338fe63 IB/core: Enforce security on management datagrams
> 8f408ab64be6 selinux lsm IB/core: Implement LSM notification system
> d291f1a65232 IB/core: Enforce PKey security on QPs
> 883c71feaf2e IB/core: IB cache enhancements to support Infiniband security
>
> I think your patchset introduces a regression bug. If we created
> multiple IPoIB VLAN interfaces, the TCP/IP network will be impacted.
>
> 1) Upstream kernel-4.12.0-rc2.409dcf31538a, can't control IPoIB VLAN
> interface over ifdown/ifup. ifup/ifdown over bare IPoIB interface works.
> System Ethernet card can get DHCP IP address and up as expected.
>
> 2) Upstream kernel-4.14.0.0c86a6bd85ff, the TCP/IP network does not
> work at all, as all IP interfaces, which include the Ethernet interface and
> IPoIB/VLAN interfaces, fail to be initialized.
>
> The issue can be reproduced with mlx4/mlx5/qib hardware. IPoIB works
> when SELinux is disabled.
>
> Please see attachment for details.
>
> thanks

Upstream refpolicy has a patch that allows access to unlabeled PKeys; is it applied in your policy? Even if it is, there could be additional distro-specific changes required, for the unconfined user for example.

https://github.com/TresysTechnology/refpolicy/commit/25a5b2427447eb14edb07ce302217d37528813bc

Apologies if this link is converted into a monstrosity by a Microsoft proxy. It will take you to GitHub.
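A practical way to check whether the policy in use is the problem Daniel describes is to look for AVC denials on the `infiniband_pkey` object class and then query the loaded policy for the corresponding allow rule. The script below is an added example, not code from this thread or from refpolicy. It assumes the kernel's LSM audit format for PKey denials, which records `pkey=0x<hex>` and `subnet_prefix=<prefix>` alongside the usual `scontext`/`tcontext`/`tclass` fields, and it assumes the setools `sesearch -A -s ... -t ... -c ... -p ...` syntax for the policy query. The audit lines are constructed, not real captures; a PKey with no label configured through `semanage ibpkey` is labeled `unlabeled_t`, which is why the count of `unlabeled_t` targets is the interesting number here.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or refpolicy): triage AVC
# denials on the infiniband_pkey class and build the sesearch query that
# verifies whether the loaded policy grants the missing access.
# Assumption: audit lines follow the kernel's LSM audit format for PKey
# denials (pkey=0x<hex> subnet_prefix=<ipv6 prefix>).

# Constructed sample audit lines, not real captures. Two PKey denials against
# unlabeled_t plus one unrelated file denial that must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1511357016.101:201): avc:  denied  { access } for  pid=1234 comm="ifup" pkey=0xffff subnet_prefix=fe80:: scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_pkey permissive=0
type=AVC msg=audit(1511357016.105:202): avc:  denied  { access } for  pid=1234 comm="ifup" pkey=0x8001 subnet_prefix=fe80:: scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_pkey permissive=0
type=AVC msg=audit(1511357016.110:203): avc:  denied  { write } for  pid=1235 comm="dhclient" name="leases" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'

# Print one "scontext tcontext pkey subnet_prefix" record per distinct
# infiniband_pkey denial found in the audit text passed as $1.
ib_pkey_denials() {
    printf '%s\n' "$1" | grep 'tclass=infiniband_pkey' | awk '{
        s = ""; t = ""; p = ""; n = "";
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^scontext=/)      s = substr($i, 10);
            else if ($i ~ /^tcontext=/)      t = substr($i, 10);
            else if ($i ~ /^pkey=/)          p = substr($i, 6);
            else if ($i ~ /^subnet_prefix=/) n = substr($i, 15);
        }
        print s, t, p, n
    }' | sort -u
}

# Count the PKey denials whose target is unlabeled_t: these are the ones a
# policy rule granting access to unlabeled PKeys would have to cover.
unlabeled_pkey_denials() {
    ib_pkey_denials "$1" | awk '$2 ~ /:unlabeled_t:/' | wc -l | tr -d ' '
}

# Build the sesearch query for the type pair in a denial ($1 = scontext,
# $2 = tcontext). The type is the third colon-separated field of a context.
# Assumption: setools sesearch syntax (-A lists allow rules).
policy_check_cmd() {
    stype=$(printf '%s' "$1" | cut -d: -f3)
    ttype=$(printf '%s' "$2" | cut -d: -f3)
    printf 'sesearch -A -s %s -t %s -c infiniband_pkey -p access\n' "$stype" "$ttype"
}

# Stand-alone run: list the denials, then the queries to run against the
# loaded policy. An empty sesearch result means the rule is not in the policy.
ib_pkey_denials "$SAMPLE_AUDIT"
ib_pkey_denials "$SAMPLE_AUDIT" | while read -r s t p n; do
    policy_check_cmd "$s" "$t"
done | sort -u
```

Feed `ausearch -m AVC -ts recent` output into `ib_pkey_denials` instead of the constructed sample to use it on a live host. If the source type is `unconfined_t` rather than a kernel or system daemon type, that matches Daniel's remark that distribution policies may need their own additions for the unconfined user on top of the upstream refpolicy change.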