* [refpolicy] [PATCH 0/1] flask: Add classes and SIDs for Infiniband
@ 2016-06-23 19:47 Dan Jurgens
  2016-06-23 19:47 ` [refpolicy] [PATCH 1/1] flask: Add classes and SIDs for InfiniBand support Dan Jurgens
  0 siblings, 1 reply; 4+ messages in thread
From: Dan Jurgens @ 2016-06-23 19:47 UTC (permalink / raw)
  To: refpolicy

From: Daniel Jurgens <danielj@mellanox.com>

In order for SELinux to enforce security for InfiniBand new security
classes and SIDs are required.  Stub policy is provided to not break
the refpolicy build.  Useful policy will be submitted once language
extensions for labeling InfiniBand objects are available. Linux kernel
patches have been submitted to the linux-security-module, selinux, and
linux-rdma mailing lists with the subject "[PATCH NN/MM] SELinux
support for InfiniBand RDMA on 23 Jun 2016".

Daniel Jurgens (1):
  flask: Add classes and SIDs for InfiniBand support

 policy/flask/access_vectors         | 10 ++++++++++
 policy/flask/initial_sids           |  3 ++-
 policy/flask/security_classes       |  4 ++++
 policy/modules/kernel/infiniband.fc |  1 +
 policy/modules/kernel/infiniband.if |  7 +++++++
 policy/modules/kernel/infiniband.te | 10 ++++++++++
 7 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 policy/modules/kernel/infiniband.fc
 create mode 100644 policy/modules/kernel/infiniband.if
 create mode 100644 policy/modules/kernel/infiniband.te

-- 
1.8.3.1


* [refpolicy] [PATCH 1/1] flask: Add classes and SIDs for InfiniBand support
  2016-06-23 19:47 [refpolicy] [PATCH 0/1] flask: Add classes and SIDs for Infiniband Dan Jurgens
@ 2016-06-23 19:47 ` Dan Jurgens
  2016-06-25 17:02   ` Chris PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Dan Jurgens @ 2016-06-23 19:47 UTC (permalink / raw)
  To: refpolicy

From: Daniel Jurgens <danielj@mellanox.com>

Add new classes, access vectors, SIDs required for SELinux to provide
access control for InfiniBand.  Add stub policy so refpolicy still
compiles.  Useful policy will be added after the SELinux kernel and
userspace changes are in place.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
---
 policy/flask/access_vectors         | 10 ++++++++++
 policy/flask/initial_sids           |  3 ++-
 policy/flask/security_classes       |  4 ++++
 policy/modules/kernel/infiniband.fc |  1 +
 policy/modules/kernel/infiniband.if |  7 +++++++
 policy/modules/kernel/infiniband.te | 10 ++++++++++
 7 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 policy/modules/kernel/infiniband.fc
 create mode 100644 policy/modules/kernel/infiniband.if
 create mode 100644 policy/modules/kernel/infiniband.te

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 1d045b4..8a08b7d 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -925,6 +925,16 @@ inherits database
 	set_value
 }
 
+class infiniband_pkey
+{
+	access
+}
+
+class infiniband_end_port
+{
+	smp
+}
+
 class db_language
 inherits database
 {
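Review bot: the new `infiniband_pkey` and `infiniband_end_port` classes are dropped into the middle of the database class group (the hunk context is a class that `inherits database`, and `class db_language` follows directly), while the same patch places them in security_classes between `x_keyboard` and the "More Database stuff" block. Keep the relative order identical in both files and put the block next to the other non-database classes, so a reader auditing class declarations can pair the two files line for line.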
diff --git a/policy/flask/initial_sids b/policy/flask/initial_sids
index 95894eb..cc62dc6 100644
--- a/policy/flask/initial_sids
+++ b/policy/flask/initial_sids
@@ -31,5 +31,6 @@ sid kmod
 sid policy
 sid scmp_packet
 sid devnull
-
+sid pkey
+sid ib_end_port
 # FLASK
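Review bot: the initial SID names `pkey` and `ib_end_port` do not match the class names `infiniband_pkey` and `infiniband_end_port` introduced in the same patch; settle on one prefix for SID, class and type so they can be paired at a glance, and do it before merge, since initial SIDs are part of the kernel/policy interface and cannot be renamed later without breaking compatibility. The hunk also deletes the blank line that separated the SID list from the trailing `# FLASK` marker; insert the two `sid` lines above the separator and leave it in place.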
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 16768c2..5f71cc9 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -139,6 +139,10 @@ class netlink_crypto_socket
 class x_pointer			# userspace
 class x_keyboard		# userspace
 
+# Infiniband
+class infiniband_pkey
+class infiniband_end_port
+
 # More Database stuff
 class db_schema			# userspace
 class db_view			# userspace
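Review bot: these are kernel-enforced classes (the cover letter ties them to SELinux kernel patches for InfiniBand RDMA), yet the hunk inserts them between `x_keyboard` and `db_schema`, both annotated `# userspace`; move them up to the kernel class group so the file's kernel/userspace grouping stays meaningful. The comment should also read `# InfiniBand`, matching the spelling used in the patch subject.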
diff --git a/policy/modules/kernel/infiniband.fc b/policy/modules/kernel/infiniband.fc
new file mode 100644
index 0000000..7be4ddf
--- /dev/null
+++ b/policy/modules/kernel/infiniband.fc
@@ -0,0 +1 @@
+# This module currently does not have any file contexts.
diff --git a/policy/modules/kernel/infiniband.if b/policy/modules/kernel/infiniband.if
new file mode 100644
index 0000000..e644895
--- /dev/null
+++ b/policy/modules/kernel/infiniband.if
@@ -0,0 +1,7 @@
+## <summary>Policy controlling access to infiniband objects</summary>
+## <required val="true">
+##	Contains the initial SIDs for infiniband objects.
+## </required>
+#
+
+# This module currently does not have any interfaces
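Review bot: the lone `#` after `## </required>` and the blank line before the closing comment look like leftovers from a removed interface block; drop them so the header is just the summary and required tags followed by the comment. Spell `InfiniBand` consistently in the `<summary>` and `<required>` text as well.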
diff --git a/policy/modules/kernel/infiniband.te b/policy/modules/kernel/infiniband.te
new file mode 100644
index 0000000..f3a8bbe
--- /dev/null
+++ b/policy/modules/kernel/infiniband.te
@@ -0,0 +1,10 @@
+policy_module(infiniband 1.0.0)
+
+attribute ib_end_port_type;
+attribute pkey_type;
+
+type pkey_t, pkey_type;
+type ib_end_port_t, ib_end_port_type;
+
+sid pkey gen_context(system_u:object_r:pkey_t,s0)
+sid ib_end_port gen_context(system_u:object_r:ib_end_port_t,s0)
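Review bot: the declarations use three different prefixes for one feature: `pkey_type`/`pkey_t` carry no InfiniBand marker at all, `ib_end_port_type`/`ib_end_port_t` use `ib_`, and the classes they label are `infiniband_*`. A bare `pkey_t` says nothing about InfiniBand partition keys to a policy writer reading the type list; prefix both pairs the same way (for example `ib_pkey_t`/`ib_pkey_type` alongside `ib_end_port_t`) and align the SID and class names with it. The file also lacks the `# Declarations` section header the other kernel-layer .te files open with after `policy_module()`; add it for consistency with the rest of policy/modules/kernel.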
-- 
1.8.3.1


* [refpolicy] [PATCH 1/1] flask: Add classes and SIDs for InfiniBand support
  2016-06-23 19:47 ` [refpolicy] [PATCH 1/1] flask: Add classes and SIDs for InfiniBand support Dan Jurgens
@ 2016-06-25 17:02   ` Chris PeBenito
  2016-06-27 13:40     ` Daniel Jurgens
  0 siblings, 1 reply; 4+ messages in thread
From: Chris PeBenito @ 2016-06-25 17:02 UTC (permalink / raw)
  To: refpolicy

On 06/23/16 15:47, Dan Jurgens wrote:
> From: Daniel Jurgens <danielj@mellanox.com>
>
> Add new classes, access vectors, SIDs required for SELinux to provide
> access control for InfiniBand.  Add stub policy so refpolicy still
> compiles.  Useful policy will be added after the SELinux kernel and
> userspace changes are in place.

This will have to wait until the corresponding code changes start making
their way upstream.  I don't want to merge any new classes, and even
more so, initial SIDs, until I'm confident it won't be changing.

> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
> ---
>  policy/flask/access_vectors         | 10 ++++++++++
>  policy/flask/initial_sids           |  3 ++-
>  policy/flask/security_classes       |  4 ++++
>  policy/modules/kernel/infiniband.fc |  1 +
>  policy/modules/kernel/infiniband.if |  7 +++++++
>  policy/modules/kernel/infiniband.te | 10 ++++++++++

I'm not sure that a new infiniband module makes sense.  I could see it
going in corenetwork.

>  7 files changed, 35 insertions(+), 2 deletions(-)
>  create mode 100644 policy/modules/kernel/infiniband.fc
>  create mode 100644 policy/modules/kernel/infiniband.if
>  create mode 100644 policy/modules/kernel/infiniband.te
>
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index 1d045b4..8a08b7d 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -925,6 +925,16 @@ inherits database
>  	set_value
>  }
>
> +class infiniband_pkey
> +{
> +	access
> +}
> +
> +class infiniband_end_port
> +{
> +	smp
> +}
> +
>  class db_language
>  inherits database
>  {
> diff --git a/policy/flask/initial_sids b/policy/flask/initial_sids
> index 95894eb..cc62dc6 100644
> --- a/policy/flask/initial_sids
> +++ b/policy/flask/initial_sids
> @@ -31,5 +31,6 @@ sid kmod
>  sid policy
>  sid scmp_packet
>  sid devnull
> -
> +sid pkey
> +sid ib_end_port
>  # FLASK
> diff --git a/policy/flask/security_classes b/policy/flask/security_classes
> index 16768c2..5f71cc9 100644
> --- a/policy/flask/security_classes
> +++ b/policy/flask/security_classes
> @@ -139,6 +139,10 @@ class netlink_crypto_socket
>  class x_pointer			# userspace
>  class x_keyboard		# userspace
>
> +# Infiniband
> +class infiniband_pkey
> +class infiniband_end_port
> +
>  # More Database stuff
>  class db_schema			# userspace
>  class db_view			# userspace
> diff --git a/policy/modules/kernel/infiniband.fc b/policy/modules/kernel/infiniband.fc
> new file mode 100644
> index 0000000..7be4ddf
> --- /dev/null
> +++ b/policy/modules/kernel/infiniband.fc
> @@ -0,0 +1 @@
> +# This module currently does not have any file contexts.
> diff --git a/policy/modules/kernel/infiniband.if b/policy/modules/kernel/infiniband.if
> new file mode 100644
> index 0000000..e644895
> --- /dev/null
> +++ b/policy/modules/kernel/infiniband.if
> @@ -0,0 +1,7 @@
> +## <summary>Policy controlling access to infiniband objects</summary>
> +## <required val="true">
> +##	Contains the initial SIDs for infiniband objects.
> +## </required>
> +#
> +
> +# This module currently does not have any interfaces
> diff --git a/policy/modules/kernel/infiniband.te b/policy/modules/kernel/infiniband.te
> new file mode 100644
> index 0000000..f3a8bbe
> --- /dev/null
> +++ b/policy/modules/kernel/infiniband.te
> @@ -0,0 +1,10 @@
> +policy_module(infiniband 1.0.0)
> +
> +attribute ib_end_port_type;
> +attribute pkey_type;
> +
> +type pkey_t, pkey_type;
> +type ib_end_port_t, ib_end_port_type;
> +
> +sid pkey gen_context(system_u:object_r:pkey_t,s0)
> +sid ib_end_port gen_context(system_u:object_r:ib_end_port_t,s0)
>


-- 
Chris PeBenito


* [refpolicy] [PATCH 1/1] flask: Add classes and SIDs for InfiniBand support
  2016-06-25 17:02   ` Chris PeBenito
@ 2016-06-27 13:40     ` Daniel Jurgens
  0 siblings, 0 replies; 4+ messages in thread
From: Daniel Jurgens @ 2016-06-27 13:40 UTC (permalink / raw)
  To: refpolicy

On 6/25/2016 12:02 PM, Chris PeBenito wrote:
> On 06/23/16 15:47, Dan Jurgens wrote:
>> From: Daniel Jurgens <danielj@mellanox.com>
>>
>> Add new classes, access vectors, SIDs required for SELinux to provide
>> access control for InfiniBand.  Add stub policy so refpolicy still
>> compiles.  Useful policy will be added after the SELinux kernel and
>> userspace changes are in place.
> 
> This will have to wait until the corresponding code changes start making
> their way upstream.  I don't want to merge any new classes, and even
> more so, initial SIDs, until I'm confident it won't be changing.

Sure, I will resubmit after the kernel changes are accepted upstream.

> 
> I'm not sure that a new infiniband module makes sense.  I could see it
> going in corenetwork.
> 

I can move it there when I do resubmit.

