Infiniband Statements
=====================

To support access control for InfiniBand (IB) partitions and subnet management, security contexts are provided for Partition Keys (Pkey), which are 16-bit numbers assigned to subnets, and for their IB end ports. An overview of the SELinux IB implementation can be found at: [http://marc.info/?l=selinux&m=149519833917911&w=2](http://marc.info/?l=selinux&m=149519833917911&w=2).

ibpkeycon
---------

Label IB partition keys. This may be a single key or a range.

**Statement definition:**

```secil
    (ibpkeycon subnet pkey|(pkey_low pkey_high)  context_id)
```

**Where:**

| Parameter | Description |
| --- | --- |
| `ibpkeycon` | The `ibpkeycon` keyword. |
| `subnet` | IP address in IPv6 format. |
| `pkey \| (pkey_low pkey_high)` | A single partition key or a range of partition keys. |
| `context_id` | A previously declared context identifier or an anonymous security context (`user role type levelrange`). The range MUST be defined whether or not the policy is MLS/MCS enabled. |

**Example:**

An anonymous context for a partition key range of `0x0-0x10` assigned to an IPv6 subnet:

```secil
    (ibpkeycon fe80:: (0 0x10) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
```

ibendportcon
------------

Label IB end ports.

**Statement definition:**

```secil
    (ibendportcon device_id port context_id)
```

**Where:**

| Parameter | Description |
| --- | --- |
| `ibendportcon` | The `ibendportcon` keyword. |
| `device_id` | A single device identifier. |
| `port` | A single port number. |
| `context_id` | A previously declared context identifier or an anonymous security context (`user role type levelrange`). The range MUST be defined whether or not the policy is MLS/MCS enabled. |

**Example:**

A named context for device `mlx5_0` on port `1`:

```secil
    (ibendportcon mlx5_0 1 system_u_bin_t_l2h)
```
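
The constraints stated for both statements (IPv6 subnet, 16-bit partition keys given singly or as a range, a mandatory level range in anonymous contexts) can be checked before a policy is compiled. The following pre-compile lint is an added example, not part of the CIL compiler or its documentation; the function names are hypothetical. It assumes input without `;` comments or quoted strings, does not resolve named contexts, and treats `pkey_low` greater than `pkey_high` as an error by its own choice.

```python
import ipaddress
# Constructed sample: the page's two examples plus two deliberately bad statements.
SAMPLE = """
(ibpkeycon fe80:: (0 0x10) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
(ibendportcon mlx5_0 1 system_u_bin_t_l2h)
(ibpkeycon fe80:: 0x10000 (system_u system_r kernel_t))
(ibpkeycon 10.0.0.0 (0x10 0x1) system_u_bin_t_l2h)
"""

def parse_sexprs(text):
    """Parse CIL text (no ';' comments or quoted strings) into nested lists of atoms."""
    stack = [[]]
    for tok in text.replace("(", " ( ").replace(")", " ) ").split():
        if tok == "(":
            stack.append([])
        elif tok != ")":
            stack[-1].append(tok)
        elif len(stack) > 1:
            stack[-2].append(stack.pop())      # close the list, attach to its parent
        else:
            raise ValueError("unbalanced ')'")
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def lint_statement(stmt):
    """Return the problems found in one ibpkeycon or ibendportcon statement."""
    if not isinstance(stmt, list) or stmt[:1] not in (["ibpkeycon"], ["ibendportcon"]):
        return []                              # other statements are not checked
    problems = []
    try:
        kind, first, second, ctx = stmt        # keyword plus exactly three arguments
        if isinstance(ctx, list) and len(ctx) != 4:   # anonymous: range is mandatory
            problems.append("anonymous context must be (user role type levelrange)")
        if kind == "ibpkeycon":
            ipaddress.IPv6Address(first)       # subnet: IPv6 format
            keys = [int(k, 0) for k in (second if isinstance(second, list) else [second])]
            if len(keys) not in (1, 2) or not all(0 <= k <= 0xFFFF for k in keys):
                problems.append("pkey must be one or two 16-bit values")
            elif keys[0] > keys[-1]:           # ordering check: this linter's assumption
                problems.append("pkey_low is greater than pkey_high")
        else:
            int(second, 0)                     # port: a single number
    except (ValueError, TypeError) as exc:
        problems.append(f"{stmt[0]}: {exc}")
    return problems

def lint(text):
    return {i: p for i, s in enumerate(parse_sexprs(text)) if (p := lint_statement(s))}
```

`lint(SAMPLE)` returns a dictionary keyed by statement index; the two statements taken from this page produce no entries.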