Infiniband Statements
=====================

To support access control for InfiniBand (IB) partitions and subnet management, security contexts are provided for Partition Keys (Pkey), which are 16-bit numbers assigned to subnets and their IB end ports. An overview of the SELinux IB implementation can be found at: [http://marc.info/?l=selinux&m=149519833917911&w=2](http://marc.info/?l=selinux&m=149519833917911&w=2).

ibpkeycon
---------

Label IB partition keys. This may be a single key or a range.

**Statement definition:**

```secil
    (ibpkeycon subnet pkey|(pkey_low pkey_high)  context_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ibpkeycon</code></p></td>
<td align="left"><p>The <code>ibpkeycon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>subnet</code></p></td>
<td align="left"><p>IP address in IPv6 format.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>pkey | (pkey_low pkey_high)</code></p></td>
<td align="left"><p>A single partition key or a range of partition keys.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for a partition key range of `0x0-0x10` assigned to an IPv6 subnet:

```secil
    (ibpkeycon fe80:: (0 0x10) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
```

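The following Python linter is an added example, not part of the CIL documentation or of the policy compiler. It checks `ibpkeycon` statements against the definition above (IPv6-format subnet, 16-bit partition keys, low not above high, four-field anonymous context) and reports ranges that overlap on the same subnet, where it would be unclear which label applies. The function names, the choice to flag overlaps, and the reading of numbers as decimal or `0x`-prefixed hex are assumptions of this example.

```python
import ipaddress
import re

def parse_sexpr(text):
    """Parse one parenthesised CIL statement into nested lists of atoms."""
    stack = [[]]
    for tok in re.findall(r"[()]|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok != ")":
            stack[-1].append(tok)
        elif len(stack) > 1:
            stack[-2].append(stack.pop())
        else:
            raise ValueError("unbalanced ')'")
    if len(stack) != 1 or len(stack[0]) != 1:
        raise ValueError("expected exactly one balanced statement")
    return stack[0][0]

def check_ibpkeycon(text):
    """Validate one statement; return (subnet, low, high, context) or raise ValueError."""
    stmt = parse_sexpr(text)
    if not isinstance(stmt, list) or len(stmt) != 4 or stmt[0] != "ibpkeycon":
        raise ValueError("expected (ibpkeycon subnet pkey|(low high) context_id)")
    _, subnet, pkey, context = stmt
    bounds = pkey if isinstance(pkey, list) else [pkey, pkey]
    if isinstance(subnet, list) or len(bounds) != 2 or any(isinstance(b, list) for b in bounds):
        raise ValueError("subnet and partition keys must be atoms")
    net = ipaddress.IPv6Address(subnet)          # raises ValueError if not IPv6 format
    num = lambda a: int(a, 16) if a.lower().startswith("0x") else int(a)  # assumed number forms
    low, high = num(bounds[0]), num(bounds[1])
    if not 0 <= low <= high <= 0xFFFF:           # Pkeys are 16-bit numbers
        raise ValueError(f"pkey range {low:#x}-{high:#x} is not a valid 16-bit range")
    if isinstance(context, list) and len(context) != 4:
        raise ValueError("anonymous context must be (user role type levelrange)")
    return net, low, high, context

def find_overlaps(statements):
    """Return pairs of statements whose Pkey ranges intersect on the same subnet."""
    seen, clashes = [], []
    for text in statements:
        net, low, high, _ = check_ibpkeycon(text)
        clashes += [(old, text) for n, l, h, old in seen if n == net and low <= h and l <= high]
        seen.append((net, low, high, text))
    return clashes

# Constructed sample: the page's example plus a hypothetical single key inside its range.
SAMPLE = ["(ibpkeycon fe80:: (0 0x10) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))",
          "(ibpkeycon fe80:0:0:0:0:0:0:0 0x8 system_u_bin_t_l2h)"]
```

Subnets are compared as parsed addresses, so `fe80::` and its fully expanded spelling count as the same subnet.
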
ibendportcon
------------

Label IB end ports.

**Statement definition:**

```secil
    (ibendportcon device_id port context_id)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ibendportcon</code></p></td>
<td align="left"><p>The <code>ibendportcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>device_id</code></p></td>
<td align="left"><p>A single device identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>port</code></p></td>
<td align="left"><p>A single port number.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
</tbody>
</table>

**Example:**

A named context for device `mlx5_0` on port `1`:

```secil
    (ibendportcon mlx5_0 1 system_u_bin_t_l2h)
```