Discussion:
[PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
Paul Moore
2017-11-27 16:17:38 UTC
For controlling IPoIB VLANs
---
networkmanager.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
We obviously need something like this now so we don't break IPoIB, but
I wonder if we should make the IB access controls dynamic like the
per-packet network access controls. We could key off the presence of
the IB pkey and endport definitions: if there are any objects defined
in the loaded policy we enable the controls, otherwise we disable
them.
diff --git a/networkmanager.te b/networkmanager.te
index 76d0106..5e881f4 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
+corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
+
optional_policy(`
avahi_domtrans(NetworkManager_t)
avahi_kill(NetworkManager_t)
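Review bot: the new corenet_ib_access_unlabeled_pkeys(NetworkManager_t) line is inserted after the userdom_* calls, where it also separates that block from optional_policy(`; refpolicy keeps interface calls sorted alphabetically by module prefix, so it belongs with the file's other corenet_* calls instead. Since the interface grants the domain access to every pkey the loaded policy leaves unlabeled, a one-line comment above it recording the reason given in the commit message (controlling IPoIB VLANs) would let a later reader tell whether the grant can go if the IB checks become dynamic as proposed in the thread.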
--
1.7.1
--
paul moore
www.paul-moore.com
Paul Moore
2017-11-27 16:19:38 UTC
For controlling IPoIB VLANs
---
networkmanager.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
[NOTE: resending due to a typo in the refpol mailing list address]

We obviously need something like this now so we don't break IPoIB, but
I wonder if we should make the IB access controls dynamic like the
per-packet network access controls. We could key off the presence of
the IB pkey and endport definitions: if there are any objects defined
in the loaded policy we enable the controls, otherwise we disable
them.
diff --git a/networkmanager.te b/networkmanager.te
index 76d0106..5e881f4 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
+corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
+
optional_policy(`
avahi_domtrans(NetworkManager_t)
avahi_kill(NetworkManager_t)
--
1.7.1
--
paul moore
www.paul-moore.com
Paul Moore
2017-11-27 22:50:30 UTC
Post by Paul Moore
For controlling IPoIB VLANs
---
networkmanager.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
[NOTE: resending due to a typo in the refpol mailing list address]
We obviously need something like this now so we don't break IPoIB, but
I wonder if we should make the IB access controls dynamic like the
per-packet network access controls. We could key off the presence of
the IB pkey and endport definitions: if there are any objects defined
in the loaded policy we enable the controls, otherwise we disable
them.
I think I understand what you're saying, Paul, but I'm not clear on the mechanism. Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.
Basically, yes. We could add a new variable/function that gates the
access control checks in selinux_ib_pkey_access() and
selinux_ib_endport_manage_subnet(); the checks would be enabled when
there was Infiniband configuration loaded with the policy. Without
the IB config loaded, all the checks would end up being just a domain
check against unlabeled_t, which isn't very interesting, so we would
just drop the checks.
--
paul moore
www.paul-moore.com
Chris PeBenito
2017-11-29 01:25:05 UTC
Post by Paul Moore
Post by Paul Moore
For controlling IPoIB VLANs
---
networkmanager.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
[NOTE: resending due to a typo in the refpol mailing list address]
We obviously need something like this now so we don't break IPoIB, but
I wonder if we should make the IB access controls dynamic like the
per-packet network access controls. We could key off the presence of
the IB pkey and endport definitions: if there are any objects defined
in the loaded policy we enable the controls, otherwise we disable
them.
I think I understand what you're saying, Paul, but I'm not clear on the mechanism. Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.
Basically, yes. We could add a new variable/function that gates the
access control checks in selinux_ib_pkey_access() and
selinux_ib_endport_manage_subnet(); the checks would be enabled when
there was Infiniband configuration loaded with the policy. Without
the IB config loaded, all the checks would end up being just a domain
check against unlabeled_t, which isn't very interesting, so we would
just drop the checks.
As long as it also respects policycap always_check_network, it works for me.
--
Chris PeBenito
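The gate Paul describes above, with the always_check_network caveat Chris adds, as an added C model that is not kernel or refpolicy code: struct ib_policy, the SID constants and the sample pkey table are constructed stand-ins for the kernel's policydb state, and ib_pkey_check_sid() only shows which SID the check would run against, not the AVC decision.

```c
/* Added illustration, not kernel or refpolicy code: a model of the gate
 * proposed in this thread; the loaded policy is a constructed struct. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SID_NULL      0u   /* stand-in for SECSID_NULL: check skipped */
#define SID_UNLABELED 1u   /* stand-in for SECINITSID_UNLABELED */
struct pkey_label { uint64_t subnet_prefix; uint16_t pkey; uint32_t sid; };
struct ib_policy {
    const struct pkey_label *pkeys;  /* ibpkeycon definitions loaded */
    size_t num_pkeys;
    size_t num_endports;             /* ibendportcon definitions loaded */
    bool always_check_network;       /* policycap always_check_network */
};

/* The dynamic enable Paul suggests, with the policycap Chris requires:
 * checks run if the policy declares any IB object or the cap is set. */
static bool ib_checks_enabled(const struct ib_policy *p)
{
    if (p->always_check_network)
        return true;
    return p->num_pkeys > 0 || p->num_endports > 0;
}

/* Resolve a pkey to its SID; anything the policy does not label is unlabeled. */
static uint32_t pkey_sid(const struct ib_policy *p, uint64_t prefix, uint16_t pkey)
{
    for (size_t i = 0; i < p->num_pkeys; i++)
        if (p->pkeys[i].subnet_prefix == prefix && p->pkeys[i].pkey == pkey)
            return p->pkeys[i].sid;
    return SID_UNLABELED;
}

/* Model of the gating in selinux_ib_pkey_access(): returns the SID the AVC
 * check would run against, or SID_NULL when the check is skipped.  With no
 * IB config and no cap every pkey resolves to unlabeled_t, the case the
 * thread proposes to drop. */
static uint32_t ib_pkey_check_sid(const struct ib_policy *p, uint64_t prefix, uint16_t pkey)
{
    if (!ib_checks_enabled(p))
        return SID_NULL;
    return pkey_sid(p, prefix, pkey);
}
/* Constructed sample data: one labeled pkey (SID 42) on a fe80:: subnet prefix. */
static const struct pkey_label sample_pkeys[] = { { 0xfe80000000000000ULL, 0x8001, 42 } };
static const struct ib_policy policy_no_ib   = { NULL, 0, 0, false };
static const struct ib_policy policy_with_ib = { sample_pkeys, 1, 0, false };
static const struct ib_policy policy_cap     = { NULL, 0, 0, true };
```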