On Tue, Sep 06, 2016 at 08:35:56PM +0000, Daniel Jurgens wrote:

> I think to control access to a VLAN for RoCE there would have to be
> labels for GIDs, since that's how you select which VLAN to use.

Since people are talking about using GIDs for containers, adding a GID
constraint for all technologies makes sense to me.

But rocev1 (at least mlx4) does not use vlan ids from the GID; the vlan
id is set directly in the id, so it still seems to need direct
containment.

I also see vlan related stuff in the iwarp providers, so they probably
have a similar requirement.

> required. RDMA device handle labeling isn't granular enough for
> what I'm trying to accomplish. We want users with different levels
> of permission to be able to use the same device, but restrict who
> they can communicate with by isolating them to separate partitions.

Sure, but maybe you should use (device handle:pkey/vlan_id) as your
labeling tuple, not (Subnet Prefix, pkey).

Jason

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.