author: Daniel Jurgens <danielj@mellanox.com> 2017-05-24 17:14:59 +0300
committer: Jason Zaman <jason@perfinion.com> 2017-05-26 00:32:29 +0800
commit: 51ed8963a91ca0cf0263995205ce5e7ca47d53c2
tree: 610b8e11140050c731701c72413ea48de83e549c /policy/flask
parent: Module version bump for libmtp from Guido Trentalancia.
refpolicy: Infiniband pkeys and endports
Every Infiniband network will have a default pkey, so that is labeled. The rest of the pkey configuration is network specific. The policy allows access to the default and unlabeled pkeys for sysadm and staff users. kernel_t is allowed access to all pkeys, which it needs to process and route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to manage the subnet on unlabeled endports. kernel_t is allowed to manage the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Diffstat (limited to 'policy/flask')
-rw-r--r-- policy/flask/access_vectors   | 10
-rw-r--r-- policy/flask/security_classes |  4
2 files changed, 14 insertions, 0 deletions
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 7652a313..f20e5c1e 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -927,6 +927,16 @@ inherits database
set_value
}
+class infiniband_pkey
+{
+ access
+}
+
+class infiniband_endport
+{
+ manage_subnet
+}
+
class db_language
inherits database
{
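Review bot: the two new classes are inserted in the middle of the database class group in access_vectors (after the class that ends with `set_value` and before `class db_language inherits database`), whereas the security_classes hunk places them before `class db_schema`; the two files are conventionally kept in the same class order, so move these definitions so they precede the first database class here as well. A one-line comment above each class would also help policy writers, since nothing in the hunk says what the single permission covers: the commit message explains that `access` means use of a pkey and `manage_subnet` means subnet management on an endport.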
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 18c4f974..ce3268da 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -139,6 +139,10 @@ class netlink_crypto_socket
class x_pointer # userspace
class x_keyboard # userspace
+# Infiniband
+class infiniband_pkey
+class infiniband_endport
+
# More Database stuff
class db_schema # userspace
class db_view # userspace
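Review bot: the `# Infiniband` block is placed after `class x_pointer # userspace` and `class x_keyboard # userspace`, yet the new classes carry no `# userspace` marker and are enforced by the kernel (the commit message describes kernel_t rules and a kernel-side labeling mechanism). Placing them directly after `class netlink_crypto_socket`, the kernel class shown in the hunk header, would keep the file's kernel/userspace grouping intact and match where a reader would look for them next to the other socket and network classes.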