InfiniBand Statements
=====================

To support access control for InfiniBand (IB) partitions and subnet management, security contexts are provided for Partition Keys (Pkeys), which are 16-bit numbers assigned to subnets and their IB end ports. An overview of the SELinux IB implementation can be found at: [http://marc.info/?l=selinux&m=149519833917911&w=2](http://marc.info/?l=selinux&m=149519833917911&w=2).

ibpkeycon
---------

Label IB partition keys. This may be a single key or a range.

**Statement definition:**

    (ibpkeycon subnet pkey|(pkey_low pkey_high) context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ibpkeycon</code></p></td>
<td align="left"><p>The <code>ibpkeycon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>subnet</code></p></td>
<td align="left"><p>IP address in IPv6 format.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>pkey | (pkey_low pkey_high)</code></p></td>
<td align="left"><p>A single partition key or a range of partition keys.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for a partition key range of `0x0-0x10` assigned to an IPv6 subnet:

    (ibpkeycon fe80:: (0 0x10) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))

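A lint pass for the `ibpkeycon` form defined above, added here as an example and not code from this documentation's project: it checks the IPv6-format subnet, the 16-bit key bounds and the four-field anonymous context before a policy is compiled. The `pkey_context` name, the malformed sample statements and the decimal/`0x` number handling are assumptions made for the example.

```python
import ipaddress

def parse_sexp(text):
    """Parse CIL-style S-expressions into nested lists of string tokens."""
    stack = [[]]
    for tok in text.replace("(", " ( ").replace(")", " ) ").split():
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            closed = stack.pop()
            stack[-1].append(closed)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def to_int(tok):
    # Assumption: keys are written in decimal or 0x-prefixed hex, as in the page's example.
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)

def check_ibpkeycon(stmt):
    """Return the problems found in one parsed ibpkeycon statement."""
    if len(stmt) != 4 or stmt[0] != "ibpkeycon":
        return ["expected (ibpkeycon subnet pkey|(pkey_low pkey_high) context_id)"]
    _, subnet, pkey, context = stmt
    problems = []
    try:
        ipaddress.IPv6Address(subnet)
    except ValueError:
        problems.append("subnet is not in IPv6 format")
    bounds = pkey if isinstance(pkey, list) else [pkey, pkey]
    try:
        low, high = (to_int(b) for b in bounds)
    except (ValueError, TypeError, AttributeError):
        problems.append("pkey must be one number or (pkey_low pkey_high)")
    else:
        if not (0 <= low <= high <= 0xFFFF):
            problems.append("pkey range must satisfy 0 <= low <= high <= 0xffff (16 bits)")
    if isinstance(context, list) and len(context) != 4:
        problems.append("anonymous context needs (user role type levelrange)")
    return problems

# Constructed sample: the first statement is the page's example, the other two are deliberately malformed.
SAMPLE = """
(ibpkeycon fe80:: (0 0x10) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
(ibpkeycon fe80:: 0x10000 pkey_context)
(ibpkeycon 10.0.0.0 (0x20 0x10) (system_u system_r kernel_t))
"""
REPORT = [check_ibpkeycon(s) for s in parse_sexp(SAMPLE)]
```

`REPORT` holds one list of findings per statement, in source order; an empty list means the statement passed every check.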

ibendportcon
------------

Label IB end ports.

**Statement definition:**

    (ibendportcon device_id port context_id)

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ibendportcon</code></p></td>
<td align="left"><p>The <code>ibendportcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>device_id</code></p></td>
<td align="left"><p>A single device identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>port</code></p></td>
<td align="left"><p>A single port number.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
</tbody>
</table>

**Example:**

A named context for device `mlx5_0` on port `1`:

    (ibendportcon mlx5_0 1 system_u_bin_t_l2h)