File: cil_infiniband_statements.md

Infiniband Statements
=====================

To support access control for InfiniBand (IB) partitions and subnet management, security contexts are provided for partition keys (Pkeys), which are 16-bit numbers assigned to subnets, and for IB end ports. An overview of the SELinux IB implementation can be found at: [http://marc.info/?l=selinux&m=149519833917911&w=2](http://marc.info/?l=selinux&m=149519833917911&w=2).

ibpkeycon
---------

Label IB partition keys. This may be a single key or a range.

**Statement definition:**

    (ibpkeycon subnet pkey|(pkey_low pkey_high) context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ibpkeycon</code></p></td>
<td align="left"><p>The <code>ibpkeycon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>subnet</code></p></td>
<td align="left"><p>IP address in IPv6 format.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>pkey | (pkey_low pkey_high)</code></p></td>
<td align="left"><p>A single partition key or a range of partition keys.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for a partition key range of `0x0-0x10` assigned to an IPv6 subnet:

    (ibpkeycon fe80:: (0 0x10) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
ibendportcon
------------

Label IB end ports.

**Statement definition:**

    (ibendportcon device_id port context_id)

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ibendportcon</code></p></td>
<td align="left"><p>The <code>ibendportcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>device_id</code></p></td>
<td align="left"><p>A single device identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>port</code></p></td>
<td align="left"><p>A single port number.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
</tbody>
</table>

**Example:**

A named context for device `mlx5_0` on port `1`:

    (ibendportcon mlx5_0 1 system_u_bin_t_l2h)
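As an added example (not part of this document or of the libselinux/secilc sources), a small Python checker that parses `ibpkeycon` and `ibendportcon` statements and enforces the constraints described above: the subnet must be an IPv6 address, pkeys must fit in 16 bits with `pkey_low <= pkey_high`, and an anonymous context must carry its level range. It goes one step beyond the text by also flagging pkey ranges that overlap an earlier rule on the same subnet. The CIL fragment and the minimal s-expression reader are constructed for this example.

```python
import ipaddress
import re

# Constructed CIL fragment for this example (not from the page or the libselinux tree).
SAMPLE_CIL = """
(ibpkeycon fe80:: (0 0x10) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
(ibpkeycon fe80:: 0x7fff system_u_bin_t_l2h)
(ibendportcon mlx5_0 1 system_u_bin_t_l2h)
"""
_TOKEN = re.compile(r"[()]|[^\s()]+")

def parse_sexprs(text):
    """Minimal s-expression reader: CIL text -> list of nested lists and strings."""
    stack = [[]]
    for tok in _TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            stack[-2].append(stack.pop())
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def check_ib_statements(text):
    """Validate ibpkeycon/ibendportcon rules; returns (keyword, key, context) tuples."""
    rules, seen = [], []
    for stmt in parse_sexprs(text):
        if len(stmt) != 4 or stmt[0] not in ("ibpkeycon", "ibendportcon"):
            raise ValueError(f"malformed statement: {stmt}")
        ctx = stmt[3]
        if isinstance(ctx, list) and len(ctx) != 4:  # anonymous: (user role type levelrange)
            raise ValueError(f"anonymous context {ctx} is missing its level range")
        if stmt[0] == "ibendportcon":
            rules.append(("ibendportcon", (stmt[1], int(stmt[2])), ctx))
            continue
        subnet = str(ipaddress.IPv6Address(stmt[1]))  # raises on a non-IPv6 subnet
        spec = stmt[2] if isinstance(stmt[2], list) else [stmt[2], stmt[2]]
        low, high = (int(t, 0) for t in spec)        # int(t, 0) accepts decimal or 0x hex
        if not 0 <= low <= high <= 0xFFFF:
            raise ValueError(f"pkey range {stmt[2]} is reversed or not 16-bit")
        for s, lo, hi in seen:                        # overlap with an earlier rule on this subnet
            if s == subnet and low <= hi and lo <= high:
                raise ValueError(f"pkey {low:#x}-{high:#x} overlaps {lo:#x}-{hi:#x} on {subnet}")
        seen.append((subnet, low, high))
        rules.append(("ibpkeycon", (subnet, low, high), ctx))
    return rules
```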