Infiniband Statements
=====================

To support access control for InfiniBand (IB) partitions and subnet management, security contexts are provided for Partition Keys (Pkeys), which are 16-bit numbers assigned to subnets, and for IB end ports. An overview of the SELinux IB implementation can be found at: [http://marc.info/?l=selinux&m=149519833917911&w=2](http://marc.info/?l=selinux&m=149519833917911&w=2).

ibpkeycon
---------

Label IB partition keys. This may be a single key or a range of keys.

**Statement definition:**

```secil
    (ibpkeycon subnet pkey|(pkey_low pkey_high) context_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ibpkeycon</code></p></td>
<td align="left"><p>The <code>ibpkeycon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>subnet</code></p></td>
<td align="left"><p>The subnet, given as an IP address in IPv6 format.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>pkey | (pkey_low pkey_high)</code></p></td>
<td align="left"><p>A single partition key, or a range of partition keys given as its low and high values.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for a partition key range of `0x0-0x10` assigned to an IPv6 subnet:

```secil
    (ibpkeycon fe80:: (0 0x10) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
```

ibendportcon
------------

Label IB end ports.

**Statement definition:**

```secil
    (ibendportcon device_id port context_id)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ibendportcon</code></p></td>
<td align="left"><p>The <code>ibendportcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>device_id</code></p></td>
<td align="left"><p>A single device identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>port</code></p></td>
<td align="left"><p>A single port number.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

A named context for device `mlx5_0` on port `1`:

```secil
    (ibendportcon mlx5_0 1 system_u_bin_t_l2h)
```
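A combined example, added here and not taken from the CIL reference or the secilc project, showing both statements labelling IB objects through a declared `context` identifier instead of an anonymous context. The type names `ib_pkey_t` and `ib_endport_t`, the context identifiers `ib_pkey_ctx` and `ib_endport_ctx`, the sensitivity and category names, the subnet prefix and the key and port values are all assumptions chosen for illustration; the surrounding policy is assumed to declare the user, role, types, sensitivity and categories that the fragment refers to.

```secil
; Added example, not part of the CIL reference. Assumes the enclosing
; policy already declares system_u, object_r, ib_pkey_t, ib_endport_t,
; sensitivity s0 and categories c0 and c1.

; Levels and a level range shared by every IB label below
(level low (s0))
(level high (s0 (c0 c1)))
(levelrange low_high (low high))

; Declared contexts, reusable across many statements
(context ib_pkey_ctx (system_u object_r ib_pkey_t low_high))
(context ib_endport_ctx (system_u object_r ib_endport_t low_high))

; A single partition key on the assumed subnet prefix fe80::
(ibpkeycon fe80:: 0x8001 ib_pkey_ctx)

; A contiguous range of keys on the same subnet; partition keys are
; 16-bit values, so 0xffff is the largest key that can appear here
(ibpkeycon fe80:: (0x8002 0x800f) ib_pkey_ctx)

; End ports are labelled per device and physical port number
(ibendportcon mlx5_0 1 ib_endport_ctx)
(ibendportcon mlx5_0 2 ib_endport_ctx)
```

Declaring the contexts once and referencing them by identifier keeps the pkey and end-port labelling reviewable in one place, and a later change to the level range or type only has to be made in the `context` declaration rather than in every `ibpkeycon` and `ibendportcon` statement.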