diff --git a/secilc/docs/Makefile b/secilc/docs/Makefile
index 52c74357..c0fa6b7f 100644
--- a/secilc/docs/Makefile
+++ b/secilc/docs/Makefile
@@ -23,6 +23,7 @@ FILE_LIST ?= cil_introduction.md \
 cil_sid_statements.md \
 cil_type_statements.md \
 cil_user_statements.md \
+ cil_infiniband_statements.md \
 cil_xen_statements.md
 PANDOC_FILE_LIST = $(addprefix $(TMPDIR)/,$(FILE_LIST))
diff --git a/secilc/docs/README.md b/secilc/docs/README.md
index aada78f4..3f1838e6 100644
--- a/secilc/docs/README.md
+++ b/secilc/docs/README.md
@@ -144,6 +144,10 @@ CIL (Common Intermediate Language)
 * [selinuxuser](cil_user_statements.md#selinuxuser)
 * [selinuxuserdefault](cil_user_statements.md#selinuxuserdefault)
+* [Infiniband Statements](cil_infiniband_statements.md#infiniband-statements)
+ * [ibpkeycon](cil_infiniband_statements.md#ibpkeycon)
+ * [ibendportcon](cil_infiniband_statements.md#ibendportcon)
+
 * [Xen Statements](cil_xen_statements.md#xen-statements)
 * [iomemcon](cil_xen_statements.md#iomemcon)
 * [ioportcon](cil_xen_statements.md#ioportcon)
diff --git a/secilc/docs/cil_infiniband_statements.md b/secilc/docs/cil_infiniband_statements.md
new file mode 100644
index 00000000..ba1d7101
--- /dev/null
+++ b/secilc/docs/cil_infiniband_statements.md
@@ -0,0 +1,89 @@
+Infiniband Statements
+=====================
+
+To support access control for InfiniBand (IB) partitions and subnet management, security contexts are provided for: Partition Keys (Pkey) that are 16 bit numbers assigned to subnets and their IB end ports. An overview of the SELinux IB implementation can be found at: [http://marc.info/?l=selinux&m=149519833917911&w=2](http://marc.info/?l=selinux&m=149519833917911&w=2).
+
+ibpkeycon
+---------
+
+Label IB partition keys. This may be a single key or a range.
+
+**Statement definition:**
+
+ (ibpkeycon subnet pkey|(pkey_low pkey_high) context_id)
+
+**Where:**
+ + ++++ + + + + + + + + + + + + + + +

ibpkeycon

The ibpkeycon keyword.

subnet

+

IP address in IPv6 format.

+

pkey | (pkey_low pkey_high)

+

A single partition key or a range of partition keys.

+

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

+
+**Example:**
+
+An anonymous context for a partition key range of `0x0-0x10` assigned to an IPv6 subnet:
+
+ (ibpkeycon fe80:: (0 0x10) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
+
+
+ibendportcon
+------------
+
+Label IB end ports.
+
+**Statement definition:**
+
+ (ibendportcon device_id port context_id)
+
+**Where:**
+ + ++++ + + + + + + + + + + + + + + +

ibendportcon

The ibendportcon keyword.

device_id

+

A single device identifier.

+

port

+

A single port number.

+

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

+
+**Example:**
+
+A named context for device `mlx5_0` on port `1`:
+
+ (ibendportcon mlx5_0 1 system_u_bin_t_l2h)
diff --git a/secilc/test/policy.cil b/secilc/test/policy.cil
index 20783992..4c37ecca 100644
--- a/secilc/test/policy.cil
+++ b/secilc/test/policy.cil
@@ -282,6 +282,12 @@
 (pcidevicecon 345 system_u_bin_t_l2h)
 (devicetreecon "/this is/a/path" system_u_bin_t_l2h)
+ ; InfiniBand
+ (ibpkeycon fe80:: (0 0x10) system_u_bin_t_l2h)
+ (ibpkeycon fe80::7629:afff:fe0f:8e5d (15 25) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
+ (ibendportcon mlx5_0 1 system_u_bin_t_l2h)
+ (ibendportcon mlx4_3 5 (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
+
 (constrain (files (read)) (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2))))
 (constrain char_w (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2))))
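Review bot: Both added `ibpkeycon` lines use the range form, so the single-key form that the new documentation defines (`pkey|(pkey_low pkey_high)`) is never compiled by this test policy; a line such as `(ibpkeycon fe80:: 0x11 system_u_bin_t_l2h)` (constructed value, chosen not to overlap `(0 0x10)`) after the first statement would cover it. The second statement passes `fe80::7629:afff:fe0f:8e5d`, which has bits set below the upper 64 bits of the address. Whether the compiler rejects, masks or keeps those bits is not visible in this diff, and a silently masked prefix would label a different subnet than the policy author wrote, so a comment stating the intended behaviour would help. The top of the 16-bit pkey space (`0xffff`) is also untested, and an inverted range would presumably need a separate negative test because this file is expected to compile.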