selinux/secilc/docs/cil_infiniband_statements.md

Infiniband Statements

To support access control for InfiniBand (IB) partitions and subnet management, security contexts are provided for: Partition Keys (Pkey) that are 16 bit numbers assigned to subnets and their IB end ports. An overview of the SELinux IB implementation can be found at: http://marc.info/?l=selinux&m=149519833917911&w=2.

ibpkeycon

Label IB partition keys. This may be a single key or a range.

Statement definition:

    (ibpkeycon subnet pkey|(pkey_low pkey_high)  context_id)

Where:

ibpkeycon	The ibpkeycon keyword.
subnet	IP address in IPv6 format.
pkey | (pkey_low pkey_high)	A single partition key or a range of partition keys.
context_id	A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

Example:

An anonymous context for a partition key range of 0x0-0x10 assigned to an IPv6 subnet:

    (ibpkeycon fe80:: (0 0x10) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))

ibendportcon

Label IB end ports.

Statement definition:

    (ibendportcon device_id port context_id)

Where:

ibendportcon	The ibendportcon keyword.
device_id	A single device identifier.
port	A single port number.
context_id	A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

Example:

A named context for device mlx5_0 on port 1:

    (ibendportcon mlx5_0 1 system_u_bin_t_l2h)