Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.
Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.
This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
