Infiniband Statements
=====================

To support access control for InfiniBand (IB) partitions and subnet management, security contexts are provided for Partition Keys (Pkey), which are 16-bit numbers assigned to subnets, and for their IB end ports. An overview of the SELinux IB implementation can be found at: [http://marc.info/?l=selinux&m=149519833917911&w=2](http://marc.info/?l=selinux&m=149519833917911&w=2).

ibpkeycon
---------

Label IB partition keys. This may be a single key or a range.

**Statement definition:**

    (ibpkeycon subnet pkey|(pkey_low pkey_high)  context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ibpkeycon</code></p></td>
<td align="left"><p>The <code>ibpkeycon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>subnet</code></p></td>
<td align="left"><p>IP address in IPv6 format.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>pkey | (pkey_low pkey_high)</code></p></td>
<td align="left"><p>A single partition key or a range of partition keys.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for a partition key range of `0x0-0x10` assigned to an IPv6 subnet:

    (ibpkeycon fe80:: (0 0x10) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))


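As an added example (not part of the CIL documentation or the SELinux code base), the following Python lint parses an `ibpkeycon` statement and checks the constraints stated above: an IPv6 subnet and 16-bit partition keys given singly or as a range. The function names and the low-before-high ordering check are assumptions of this example.

```python
# Added example: a lint for ibpkeycon statements; all names here are this example's own.
import ipaddress
import re

TOKEN = re.compile(r"[()]|[^\s()]+")

def parse_sexpr(text):
    """Parse one CIL S-expression into nested lists of string atoms."""
    tokens, pos = TOKEN.findall(text), 0

    def read():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unbalanced parentheses")
        tok = tokens[pos]
        pos += 1
        if tok != "(":
            return tok
        items = []
        while pos < len(tokens) and tokens[pos] != ")":
            items.append(read())
        if pos >= len(tokens):
            raise ValueError("unbalanced parentheses")
        pos += 1  # consume the closing ")"
        return items

    node = read()
    if pos != len(tokens):
        raise ValueError("trailing tokens after statement")
    return node

def parse_pkey(tok):
    """A pkey is a 16-bit number; int(x, 0) accepts decimal and 0x hex."""
    value = int(tok, 0) if isinstance(tok, str) else -1
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"pkey {tok!r} is not a 16-bit number")
    return value

def check_ibpkeycon(stmt):
    """Return (subnet, low, high, context) or raise ValueError."""
    node = parse_sexpr(stmt)
    if not isinstance(node, list) or len(node) != 4 or node[0] != "ibpkeycon":
        raise ValueError("expected (ibpkeycon subnet pkey|(low high) context_id)")
    _, subnet, pkey, context = node
    ipaddress.IPv6Address(subnet)  # AddressValueError is a ValueError
    low, high = map(parse_pkey, pkey if isinstance(pkey, list) else (pkey, pkey))
    if low > high:  # lint assumption: a range is written low first
        raise ValueError("pkey_low is greater than pkey_high")
    return subnet, low, high, context
```

A single key is returned as a range whose low and high values are equal, so callers can treat both forms uniformly.
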
ibendportcon
------------

Label IB end ports.

**Statement definition:**

    (ibendportcon device_id port context_id)

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ibendportcon</code></p></td>
<td align="left"><p>The <code>ibendportcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>device_id</code></p></td>
<td align="left"><p>A single device identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>port</code></p></td>
<td align="left"><p>A single port number.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

A named context for device `mlx5_0` on port `1`:

    (ibendportcon mlx5_0 1 system_u_bin_t_l2h)