From 51ed8963a91ca0cf0263995205ce5e7ca47d53c2 Mon Sep 17 00:00:00 2001 From: Daniel Jurgens Date: Wed, 24 May 2017 17:14:59 +0300 Subject: refpolicy: Infiniband pkeys and endports Every Infiniband network will have a default pkey, so that is labeled. The rest of the pkey configuration is network specific. The policy allows access to the default and unlabeled pkeys for sysadm and staff users. kernel_t is allowed access to all pkeys, which it needs to process and route management datagrams. Endports are all unlabeled by default, sysadm users are allowed to manage the subnet on unlabeled endports. kernel_t is allowed to manage the subnet on all ibendports, which is required for configuring the HCA. This patch requires selinux series: "SELinux user space support for Infiniband RDMA", due to the new ipkeycon labeling mechanism. Signed-off-by: Daniel Jurgens --- support/comment_move_decl.sed | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'support') diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed index 00b94b6ad..90813480d 100644 --- a/support/comment_move_decl.sed +++ b/support/comment_move_decl.sed @@ -6,7 +6,7 @@ /optional \{/,/} # end optional/b nextline /^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/ -/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/ +/^[[:blank:]]*(port|node|netif|genfs|ibpkey|ibendport)con /s/^/# this line was moved by the build process: &/ /^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/ /^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/ /^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/ -- cgit v1.2.3-65-gdbad
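Review bot: the commit message calls the new labeling mechanism "ipkeycon", but the changed line's alternation `(port|node|netif|genfs|ibpkey|ibendport)con` matches statements that begin with `ibpkeycon` and `ibendportcon`, and neither is spelled that way. Suggest correcting the message to name both statements, so that searching the history for either keyword finds this commit. Separately, this view is limited to 'support', so the only thing that can be checked here is that the two new statement types get the same "this line was moved by the build process" treatment as the existing `portcon`, `nodecon`, `netifcon` and `genfscon` ones. The default pkey label and the access described for sysadm, staff and kernel_t need to be reviewed against the files not shown in this diff.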