Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.
Endports are all unlabeled by default; sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.
This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Since the awk scripts appear to use some GNU extensions, make sure we always use $(AWK).
Fixes an issue where the system /usr/bin/awk may be another implementation, say mawk on an Ubuntu system.
The selinux_lxc_contexts_path() function in upstream libselinux points to
this config file. It is at the moment used by libvirt.
The file from Fedora also contains sandbox_lxc_process and
sandbox_kvm_process parameters, but I cannot find where they are used,
so keep them out of the file for the time being.
The libvirt infrastructure requires the availability of the context files.
In this patch, we add the defaults to the three predefined application
contexts (mls/mcs/standard).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The attached patch adds the sepgsql_contexts file into the appconfig-*
directories. This configuration is used for the initial labeling of
each database object at installation time.
We can easily look up an appropriate label using the selabel_lookup(3)
API. The 'sepgsql_contexts' file is the default for SE-PostgreSQL.
Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
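The lookup the message describes, as an added example that is not libselinux code and not part of the patch: a small emulation of what selabel_lookup(3) does with a sepgsql_contexts file. The file format (object class, name pattern, context), the first-match rule and the fnmatch-style patterns are assumptions about the libselinux db backend; the sample file contents and the sepgsql_*_t type names are constructed here to mirror the refpolicy sepgsql module and are likewise assumptions.

```python
"""Emulate selabel_lookup(3) against a sepgsql_contexts file.

Added example, not libselinux or refpolicy code. Assumptions: one spec per
line as "<object class> <name pattern> <context>", '#' starts a comment,
patterns are shell-style globs, and the first matching spec wins.
"""
import fnmatch
from typing import List, Optional, Tuple

# Constructed sample; type names are assumed, modelled on refpolicy's sepgsql module.
# Specific patterns (pg_catalog) are listed before the generic ones on purpose:
# with first-match semantics a generic "*.*" entry placed first would shadow them.
SAMPLE_SEPGSQL_CONTEXTS = """\
# object class   name pattern        context
db_database      *                   system_u:object_r:sepgsql_db_t:s0
db_schema        *.pg_catalog        system_u:object_r:sepgsql_sysobj_t:s0
db_schema        *.*                 system_u:object_r:sepgsql_schema_t:s0
db_table         *.pg_catalog.*      system_u:object_r:sepgsql_sysobj_t:s0
db_table         *.*.*               system_u:object_r:sepgsql_table_t:s0
db_column        *.*.*.*             system_u:object_r:sepgsql_table_t:s0
db_sequence      *.*.*               system_u:object_r:sepgsql_seq_t:s0
db_procedure     *.*.*               system_u:object_r:sepgsql_proc_exec_t:s0
db_blob          *.*                 system_u:object_r:sepgsql_blob_t:s0
"""

Spec = Tuple[str, str, str]  # (object class, name pattern, security context)


def valid_context(ctx: str) -> bool:
    """Cheap sanity check: user:role:type with an optional MLS/MCS range."""
    parts = ctx.split(":")
    return len(parts) in (3, 4, 5) and all(parts[:3])


def parse_sepgsql_contexts(text: str) -> List[Spec]:
    """Parse the file into an ordered list of specs; order is significant."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        cls, pattern, ctx = fields
        if not valid_context(ctx):
            raise ValueError(f"line {lineno}: malformed context {ctx!r}")
        specs.append((cls, pattern, ctx))
    return specs


def lookup(specs: List[Spec], object_class: str, name: str) -> Optional[str]:
    """Return the context of the first spec whose class and pattern match.

    Returns None when nothing matches, which is what a caller must treat as
    'no default label for this object' rather than silently labelling it.
    """
    for cls, pattern, ctx in specs:
        if cls == object_class and fnmatch.fnmatchcase(name, pattern):
            return ctx
    return None


def shadowed_by_order(specs: List[Spec], probe_names: List[str]) -> List[Spec]:
    """Report specs that no probe name ever reaches; an ordering smell."""
    hit = set()
    for cls, _, _ in specs:
        for name in probe_names:
            for spec in specs:
                if spec[0] == cls and fnmatch.fnmatchcase(name, spec[1]):
                    hit.add(spec)
                    break
    return [s for s in specs if s not in hit]


if __name__ == "__main__":
    specs = parse_sepgsql_contexts(SAMPLE_SEPGSQL_CONTEXTS)
    for cls, name in [("db_table", "postgres.public.accounts"),
                      ("db_table", "postgres.pg_catalog.pg_proc"),
                      ("db_schema", "postgres.pg_catalog")]:
        print(cls, name, "->", lookup(specs, cls, name))
```

The probe-based shadowing check is deliberately crude: glob subsumption is not decidable by inspection of the patterns alone, so the example asks which entries a representative set of object names actually reaches.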
The Makefile is currently using the policy TYPE (standard|mls|mcs) rather
than the more informative NAME (e.g. strict, targeted). Fix the Makefile
to use NAME.
The initrc_context file uses the mls_systemhigh macro and needs to be properly
expanded based on the build.conf settings. Add makefile support to do this.