On Fri, Jul 1, 2016 at 3:57 PM, Daniel Jurgens <danielj@xxxxxxxxxxxx> wrote:
> On 7/1/2016 2:26 PM, Paul Moore wrote:
>> On Fri, Jul 1, 2016 at 3:16 PM, Daniel Jurgens <danielj@xxxxxxxxxxxx> wrote:
>>> On 7/1/2016 1:59 PM, Paul Moore wrote:
>>>> On Fri, Jul 1, 2016 at 2:21 PM, Daniel Jurgens <danielj@xxxxxxxxxxxx> wrote:
>>>>> On 7/1/2016 11:29 AM, Paul Moore wrote:
>>>>>> I wondered about this earlier in the patchset when we were discussing
>>>>>> the policy format, and I'm still wondering; perhaps you can help me
>>>>>> understand IB a bit better ...
>>>>>>
>>>>>> From what I gather, the partition key is the IB security boundary, not
>>>>>> the subnet, is that true? If so, why are we including the subnet with
>>>>>> the partition key value/label? I understand the low/high pkey range
>>>>>> as a way of simplifying the policy, but I don't quite understand the
>>>>>> point of tying the subnet to the partition key label. Would you ever
>>>>>> want to have multiple labels for a single partition key, or should it
>>>>>> be a single label for the partition key regardless of the subnet?
>>>>>>
>>>>> Each subnet can have a different partition configuration and a node can
>>>>> be on multiple subnets. By specifying the subnet prefix along with the
>>>>> pkey value the user has flexibility to have different policy for
>>>>> different subnets, instead of a global PKey space that would require
>>>>> coordinating the partition configuration across all subnets.
>>>> Perhaps a better explanation of partitions and subnets is in order,
>>>> especially for those like me who are new to IB.
>>>>
>>> A subnet is a set of ports managed by a common subnet manager, which
>>> sets up the partition configuration.
>> So there can be multiple partitions inside a subnet and not multiple
>> subnets inside a partition?
>
> Yes, each subnet can have many partitions. The partitions are contained
> within that subnet; a different subnet can have a partition that uses the
> same PKey value, but that's a different partition.
So if we have 2 subnets, fe80:: and fe81::, they can each have a partition
that uses PKey X, but it doesn't mean nodes with access to that partition
on 0xfe80 can reach nodes on 0xfe81 on that partition.

Thanks, that clears things up. Originally I thought it was the other way
around, which was causing a lot of confusion on my part.

--
paul moore
security @ redhat

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
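As an added illustration of the labelling scheme the thread settles on (this is not code from the patchset, the kernel, or the SELinux policy compiler), the following Python models a policy whose rules each carry a subnet prefix, an inclusive low/high PKey range and a label, which is the policy layout the thread describes. It then looks up Paul's case of PKey X on fe80:: versus fe81::. The label names, the sample rules, the default label and the contrasting `lookup_label_global` function are assumptions made for the example.

```python
"""Model of subnet-prefix + PKey-range labelling, as discussed in the thread.

Added illustration only; not the kernel's or the policy compiler's code.
The rule layout (subnet prefix, low pkey, high pkey, label) follows the
policy format the thread describes; label names and sample rules are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class PkeyRule:
    subnet_prefix: int  # 64-bit IB subnet prefix (upper half of a GID)
    low_pkey: int       # inclusive PKey range, 16-bit values
    high_pkey: int
    label: str          # hypothetical label name

    def __post_init__(self) -> None:
        # Reject malformed rules up front rather than silently never matching.
        if not 0 <= self.low_pkey <= self.high_pkey <= 0xFFFF:
            raise ValueError("PKey range must lie within 0x0000..0xFFFF")
        if not 0 <= self.subnet_prefix < (1 << 64):
            raise ValueError("subnet prefix must be a 64-bit value")


def subnet_prefix(text: str) -> int:
    """Upper 64 bits of an IPv6-style GID prefix such as 'fe80::'."""
    return int(ipaddress.IPv6Address(text)) >> 64


def lookup_label(rules: Iterable[PkeyRule], prefix: int, pkey: int,
                 default: str = "unlabeled_ibpkey") -> str:
    """First rule whose subnet prefix matches and whose range contains pkey.

    Because the subnet prefix is part of the match, PKey X on fe80:: and
    PKey X on fe81:: are different partitions and may carry different labels.
    """
    for rule in rules:
        if rule.subnet_prefix == prefix and rule.low_pkey <= pkey <= rule.high_pkey:
            return rule.label
    return default


def lookup_label_global(rules: Iterable[PkeyRule], pkey: int,
                        default: str = "unlabeled_ibpkey") -> str:
    """The alternative Paul asked about: one label per PKey, subnet ignored.

    Shown only as a contrast: the first rule containing pkey wins no matter
    which subnet it was written for, so the two subnets' partition
    configurations would have to be coordinated to avoid mislabelling.
    """
    for rule in rules:
        if rule.low_pkey <= pkey <= rule.high_pkey:
            return rule.label
    return default


# Constructed sample policy: two subnets that both use PKey 0x0001, but for
# different partitions (fe80:: carries storage traffic, fe81:: management).
FE80 = subnet_prefix("fe80::")
FE81 = subnet_prefix("fe81::")
PKEY_X = 0x0001

RULES = [
    PkeyRule(FE80, 0x0001, 0x0001, "storage_ibpkey_t"),
    PkeyRule(FE80, 0x0002, 0x7FFF, "default_ibpkey_t"),
    PkeyRule(FE81, 0x0001, 0x0001, "mgmt_ibpkey_t"),
]


def demo() -> dict:
    """Return the labels the sample policy assigns; used by the self-check."""
    return {
        "fe80_pkey_x": lookup_label(RULES, FE80, PKEY_X),
        "fe81_pkey_x": lookup_label(RULES, FE81, PKEY_X),
        "fe80_pkey_10": lookup_label(RULES, FE80, 0x0010),
        "fe81_pkey_10": lookup_label(RULES, FE81, 0x0010),
        "global_pkey_x": lookup_label_global(RULES, PKEY_X),
    }


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name}: {label}")
```

Running it shows PKey 0x0001 resolving to `storage_ibpkey_t` on fe80:: and to `mgmt_ibpkey_t` on fe81::, while PKey 0x0010 is covered by a range rule on fe80:: and falls through to the default on fe81::, which has no rule for it. The subnet-blind lookup returns `storage_ibpkey_t` for every subnet, which is exactly the cross-subnet coordination problem Daniel describes.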