On Thu, Sep 08, 2016 at 04:44:36PM +0000, Daniel Jurgens wrote: > Net has variety of means of enforcement, one of which is controlling > access to ports <tcp/udp,port number>, which is the most like what > I'm doing here. No, the analog the tcp/udp,port number is <ib, service_id> > It will work like any other SELinux policy. You label the things > you want to control with a type and setup rules about which > roles/types can interact with them and how. I'm sure the default > policy from distros will be to not restrict access. Policy is > loaded into the kernel, the disk and filesystem has nothing to do Eh? I thought the main utility of selinux was using the labels written to the filesystem to constrain access, eg I might label /usr/bin/apache in a way that gets the <tcp,80> policy applied to it. > with this aside from it being where the policy is stored before > being loaded. What is this dynamic injector you are talking about? The container projects (eg docker) somehow setup selinux on the fly for each container. I'm not sure how. > Assume you have machines on one subnet (0xfe80::) one has a device > called mlx5_0, the another mlx4_0 and you want to grant access to > system administrators. So do this in userspace? Why should the kernel do the translation? Jason -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
