On Fri, Jul 1, 2016 at 3:16 PM, Daniel Jurgens <danielj@xxxxxxxxxxxx> wrote: > On 7/1/2016 1:59 PM, Paul Moore wrote: >> On Fri, Jul 1, 2016 at 2:21 PM, Daniel Jurgens <danielj@xxxxxxxxxxxx> wrote: >>> On 7/1/2016 11:29 AM, Paul Moore wrote: >>>> I wondered about this earlier in the patchset when we were discussing >>>> the policy format, and I'm still wondering; perhaps you can help me >>>> understand IB a bit better ... >>>> >>>> From what I gather, the partition key is the IB security boundary, not >>>> the subnet, is that true? If so, why are we including the subnet with >>>> the partition key value/label? I understand the low/high pkey range >>>> as a way of simplifying the policy, but I don't quite understand the >>>> point of tying the subnet to the partition key label. Would you ever >>>> want to have multiple labels for a single partition key, or should it >>>> be a single label for the partition key regardless of the subnet? >>>> >>> Each subnet can have a different partition configuration and a node can be on multiple subnets. By specifying the subnet prefix along with the pkey value the user has flexibility to have different policy for different subnets, instead of a global PKey space that would require coordinating the partition configuration across all subnets. >> Perhaps a better explanation of partitions and subnets are in order, >> especially for those of like me who are new to IB. >> > > A subnet is a set of ports managed by a common subnet manager, which sets up the partition configuration. So there can be multiple partitions inside a subnet and not multiple subnets inside a partition? > A partition is a virtual fabric, similar to an VLAN. Yeah, I've read that in multiple places and I think that is what I find confusing as it doesn't seem to mesh with my understanding of what you are intending. > If there are multiple IB ports each could be connected to a different subnet. Ports are just end points, I get that. That's important, but it isn't helping me understand the relationship between subnets and partitions, that is where I'm struggling at the moment. > By including the subnet prefix in the label the subnets can use the same PKey values and policy can restrict access appropriately. This doesn't make any sense to me right now. > Without that mechanism if one of the subnets had a partition with PKey 1 the other partition couldn't reuse that PKey if a different security policy is desired for that subnet. <blank stare> -- paul moore security @ redhat _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
