Commit Graph

5 Commits

Author SHA1 Message Date
Daniel Jurgens
25a5b24274 refpolicy: Infiniband pkeys and endports
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-24 19:23:18 -04:00
Harry Ciao
46acfdd455 Move role declarations to the top of base.conf
system_r is required by the policy_module macro, which however will
be expanded as empty if the module is built into base.pp. system_r
is defined in the kernel.te, its definition should be moved to the
top of base.conf so that other modules copied earlier into base.conf
than kernel.te could reference system_r in their unconditional block
properly.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2012-02-29 12:08:22 -05:00
Chris PeBenito
2dd113f11c Move attribute_role decls to top of policy.conf/base.conf. 2011-09-21 08:26:56 -04:00
Chris PeBenito
f6ddd6b9b7 bools in modules fix to require the boolean in optionals that are part of the base module, and move bool declarations in the base module/monolithic 2007-03-30 12:43:15 +00:00
Chris PeBenito
17de1b790b remove extra level of directory 2006-07-12 20:32:27 +00:00