Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

On Thu, Sep 1, 2016 at 12:34 PM, Jason Gunthorpe
<jgunthorpe@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Tue, Aug 30, 2016 at 07:10:12PM +0000, Daniel Jurgens wrote:
>> On 8/30/2016 1:56 PM, Jason Gunthorpe wrote:
>> >
>> > Are subsystems usually SELinux enabled in such a piecemeal way?
>> >
>> > Are you sure the 'partition' SELinux label should not be more general
>> > to cover more of the similar RDMA cases?
>
>> In order to label something you have to be able to describe
>> something unique about an instance of it, like a Subnet Prefix/PKey
>> value pair.  What other thing could we label more generally to
>> control access to a partition/VLAN?
>
> IP prefix / vlan #? How does it work in net?
>
> Shouldn't you at least have a plan for how this will expand to cover
> the whole subsystem??

Jason and/or Daniel, I think it would be helpful if you could explain
both the InfiniBand and IP based approaches for those of us who know
SELinux, but not necessarily the RDMA and InfiniBand portions of this
discussion.  Be verbose and explain it as if we were idiots (I get
called that enough, it must be true).

-- 
paul moore
www.paul-moore.com