To support access control for InfiniBand (IB) partitions and subnet management, security contexts are provided for Partition Keys (Pkeys), which are 16-bit numbers assigned to subnets, and for IB end ports. An overview of the SELinux IB implementation can be found at: http://marc.info/?l=selinux&m=149519833917911&w=2.
Note that there are no terminating semi-colons ';' on these statements.
The ibpkeycon statement is used to label IB partition keys.
It is also possible to add a security context to partition keys outside the policy using the semanage ibpkey command, which associates the pkey (or range of pkeys) with a security context.
The statement definition is:
ibpkeycon subnet pkey pkey_context
Where:
ibpkeycon | The ibpkeycon keyword.
---|---
subnet | IP address in IPv6 format.
pkey | Partition key number or range. The range is separated by a hyphen '-'.
pkey_context | The security context for the pkey(s).
The statement is valid in:
Policy Type
Monolithic Policy | Base Policy | Module Policy |
---|---|---|
Yes | Yes | Yes |
Conditional Policy Statements
if Statement | optional Statement | require Statement |
---|---|---|
No | No | No |
Examples:
ibpkeycon fe80:: 0xFFFF system_u:object_r:default_ibpkey_t:s0
ibpkeycon fe80:: 0-0x10 system_u:object_r:public_ibpkey_t:s0
semanage(8) Command example:
semanage ibpkey -a -t default_ibpkey_t -x fe80:: 0xFFFF
The above command will produce the file /var/lib/selinux/<SELINUXTYPE>/active/ibpkeys.local in the default <SELINUXTYPE> policy store and then activate the policy. The file contains:
# This file is auto-generated by libsemanage
# Do not edit directly.
ibpkeycon fe80:: 0xFFFF system_u:object_r:default_ibpkey_t:s0
The ibendportcon statement is used to label IB end ports.
It is also possible to add a security context to ports outside the policy using the semanage ibendport command, which associates the end port with a security context.
The statement definition is:
ibendportcon device_id port_number port_context
Where:
ibendportcon | The ibendportcon keyword.
---|---
device_id | Device name.
port_number | Single port number.
port_context | The security context for the port.
The statement is valid in:
Policy Type
Monolithic Policy | Base Policy | Module Policy |
---|---|---|
Yes | Yes | Yes |
Conditional Policy Statements
if Statement | optional Statement | require Statement |
---|---|---|
No | No | No |
Examples:
ibendportcon mlx4_0 2 system_u:object_r:opensm_ibendport_t:s0
ibendportcon mlx5_0 1 system_u:object_r:opensm_ibendport_t:s0
semanage(8) Command example:
semanage ibendport -a -t opensm_ibendport_t -z mlx4_0 2
This command will produce the file /var/lib/selinux/<SELINUXTYPE>/active/ibendports.local in the default <SELINUXTYPE> policy store and then activate the policy. The file contains:
# This file is auto-generated by libsemanage
# Do not edit directly.
ibendportcon mlx4_0 2 system_u:object_r:opensm_ibendport_t:s0
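As an added example (not part of the original text or of libsemanage), the following Python parses ibpkeycon and ibendportcon statements in the form shown above and in the generated ibpkeys.local/ibendports.local files, enforcing the 16-bit Pkey range, the IPv6 subnet format and the user:role:type:level context shape; it then resolves which context a given subnet/pkey pair falls under. The sample input is constructed from the statements on this page.

```python
import ipaddress

# Constructed sample: the statements from the text, as libsemanage writes them.
SAMPLE = """\
# This file is auto-generated by libsemanage
# Do not edit directly.
ibpkeycon fe80:: 0xFFFF system_u:object_r:default_ibpkey_t:s0
ibpkeycon fe80:: 0-0x10 system_u:object_r:public_ibpkey_t:s0
ibendportcon mlx4_0 2 system_u:object_r:opensm_ibendport_t:s0
"""

def _num(text):  # decimal or 0x-prefixed hexadecimal
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)

def parse_pkey_range(text):
    """Parse 'N' or 'N-M' into an inclusive (lo, hi) pair within 0-0xFFFF."""
    parts = text.split("-")
    if len(parts) > 2:
        raise ValueError(f"malformed pkey range: {text!r}")
    lo, hi = _num(parts[0]), _num(parts[-1])
    if not 0 <= lo <= hi <= 0xFFFF:  # Pkeys are 16-bit; reject reversed ranges
        raise ValueError(f"pkey outside 0-0xFFFF or reversed: {text!r}")
    return lo, hi

def parse_ib_labels(source):
    """Return (pkey_rules, port_rules) from ibpkeycon/ibendportcon statements."""
    pkey_rules, port_rules = [], {}
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or libsemanage header comment
        fields = line.split()
        if len(fields) != 4 or len(fields[3].split(":")) < 4:
            raise ValueError(f"line {lineno}: need keyword, two args, user:role:type:level")
        kw, arg1, arg2, ctx = fields
        if kw == "ibpkeycon":
            subnet = ipaddress.IPv6Address(arg1)  # rejects a malformed subnet prefix
            pkey_rules.append((subnet, *parse_pkey_range(arg2), ctx))
        elif kw == "ibendportcon":
            port_rules[(arg1, int(arg2))] = ctx  # (device_id, single port number)
        else:
            raise ValueError(f"line {lineno}: unknown statement {kw!r}")
    return pkey_rules, port_rules

def pkey_context(pkey_rules, subnet, pkey):
    """Context of the first ibpkeycon rule covering pkey on subnet, else None."""
    target = ipaddress.IPv6Address(subnet)
    for rule_subnet, lo, hi, ctx in pkey_rules:
        if rule_subnet == target and lo <= pkey <= hi:
            return ctx
    return None
```

Running the parser over a copy of an ibpkeys.local file before committing a policy change is a cheap way to catch a reversed range or an out-of-range pkey that would otherwise only surface when the policy is loaded.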