On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <[email protected]> wrote:
> From: Daniel Jurgens <[email protected]>
>
> For controlling IPoIB VLANs
>
> Reported-by: Honggang LI <[email protected]>
> Signed-off-by: Daniel Jurgens <[email protected]>
> Tested-by: Honggang LI <[email protected]>
> ---
>  networkmanager.te |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)

We obviously need something like this now so we don't break IPoIB, but
I wonder if we should make the IB access controls dynamic like the
per-packet network access controls.  We could key off the presence of
the IB pkey and endport definitions: if there are any objects defined
in the loaded policy we enable the controls, otherwise we disable
them.

> diff --git a/networkmanager.te b/networkmanager.te
> index 76d0106..5e881f4 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
>  userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
>  userdom_dontaudit_use_user_ttys(NetworkManager_t)
>
> +corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
> +
>  optional_policy(`
>         avahi_domtrans(NetworkManager_t)
>         avahi_kill(NetworkManager_t)
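Review bot: the commit message ("For controlling IPoIB VLANs") does not say which NetworkManager operation is denied without this rule or quote the AVC denial that Honggang reported, so the rationale for the new `corenet_ib_access_unlabeled_pkeys(NetworkManager_t)` line is not recoverable from the patch itself; suggest expanding the message to name the operation (creating or managing IPoIB child interfaces) and the denial it produced. Worth stating in the message as well that this interface grants access only to unlabeled pkeys, so deployments that label their IB pkeys in policy will still need separate allow rules for NetworkManager_t.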
> --
> 1.7.1

-- 
paul moore
www.paul-moore.com
