On Tue, Apr 12, 2016 at 05:06:45PM +0000, Hefty, Sean wrote:
> > Wouldn't QP1 require different access control than QP0 due to SA clients
> > on every end node?
>
> QP1 still allows modification of the fabric (e.g. multicast join) or
> a DoS attack against the SA. Though the latter probably requires
> restricting how a UD QP may be used.

Right, I don't disagree we should have smp and gmp 'just in case' (fine names as well) labels, I just don't really understand why you'd trust something enough to grant gmp but not enough for smp...

Particularly encouraging people to grant gmp as though that was 'safe' is really bad advice.

Which in turn makes me wonder why the umad dev node label is not sufficient.

Jason