On 9/8/2016 1:36 PM, Jason Gunthorpe wrote:
> On Thu, Sep 08, 2016 at 04:44:36PM +0000, Daniel Jurgens wrote:
>
>> Net has a variety of means of enforcement, one of which is controlling
>> access to ports <tcp/udp,port number>, which is the most like what
>> I'm doing here.
> No, the analog to the tcp/udp,port number is <ib, service_id>

I should have been clearer here. From the SELinux perspective this scheme is very similar to net ports.

>> It will work like any other SELinux policy. You label the things
>> you want to control with a type and set up rules about which
>> roles/types can interact with them and how. I'm sure the default
>> policy from distros will be to not restrict access. Policy is
>> loaded into the kernel, the disk and filesystem have nothing to do
> Eh? I thought the main utility of selinux was using the labels written
> to the filesystem to constrain access, eg I might label
> /usr/bin/apache in a way that gets the <tcp,80> policy applied to it.

Filesystems can be labeled, but so can other things without a filesystem representation.

>> with this aside from it being where the policy is stored before
>> being loaded. What is this dynamic injector you are talking about?
> The container projects (eg docker) somehow setup selinux on the
> fly for each container. I'm not sure how.

SELinux policy is modular and can be changed or updated while running. I'm not very familiar with docker, so I'm not sure what they do regarding SELinux. I'm also not sure it's relevant to the issues at hand.

>
>> Assume you have machines on one subnet (0xfe80::) one has a device
>> called mlx5_0, the other mlx4_0 and you want to grant access to
>> system administrators.
> So do this in userspace? Why should the kernel do the translation?

I'm still not clear on what translation you are talking about. To look up a label for something the kernel uses the same attributes the policy writer used to create the label.
In this patch set when modify_qp is called there is a search of all the labels for pkeys for one that matches subnet prefix for the relevant port and the pkey number.
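As an added illustration of the lookup described in the message above (not code from the patch set or from the SELinux project), the following user-space model searches a list of pkey labels for the entry matching a port's subnet prefix and the requested pkey, then applies a constructed allow rule set. It assumes each label entry covers a subnet prefix plus an inclusive pkey range and that an unmatched pkey falls back to a default "unlabeled" context; the label names, rule set and contexts are all constructed for the example.

```python
from dataclasses import dataclass

# Assumed default context for a pkey that matches no labeled entry.
UNLABELED_PKEY = "system_u:object_r:unlabeled_t"


@dataclass(frozen=True)
class PkeyLabel:
    subnet_prefix: int   # 64-bit IB subnet prefix, e.g. 0xfe80000000000000 (fe80::)
    pkey_low: int        # inclusive 16-bit pkey range covered by this label
    pkey_high: int
    context: str         # SELinux context assigned to pkeys in the range


def lookup_pkey_label(labels, subnet_prefix, pkey):
    """Return the context of the first entry whose subnet prefix matches the
    port's prefix and whose range contains pkey (the search modify_qp performs);
    fall back to the default context when nothing matches."""
    for entry in labels:
        if entry.subnet_prefix == subnet_prefix and entry.pkey_low <= pkey <= entry.pkey_high:
            return entry.context
    return UNLABELED_PKEY


def pkey_access_allowed(allow_rules, domain, pkey_context):
    """Model of the policy decision: is there an allow rule for (domain, pkey label)?"""
    return (domain, pkey_context) in allow_rules


# Constructed sample policy: administrators (admin_t) may use pkeys 0x8000-0x80ff
# on subnet fe80::, ordinary users (user_t) only the default pkey 0xffff, and no
# domain may use a pkey that carries the unlabeled context.
LABELS = [
    PkeyLabel(0xfe80000000000000, 0x8000, 0x80ff, "system_u:object_r:admin_pkey_t"),
    PkeyLabel(0xfe80000000000000, 0xffff, 0xffff, "system_u:object_r:default_pkey_t"),
]
ALLOW = {
    ("admin_t", "system_u:object_r:admin_pkey_t"),
    ("user_t", "system_u:object_r:default_pkey_t"),
}


def modify_qp_check(domain, subnet_prefix, pkey):
    """Decision a modify_qp hook would reach for (caller domain, port subnet, pkey)."""
    context = lookup_pkey_label(LABELS, subnet_prefix, pkey)
    return pkey_access_allowed(ALLOW, domain, context)


if __name__ == "__main__":
    print(modify_qp_check("admin_t", 0xfe80000000000000, 0x8010))  # True
    print(modify_qp_check("user_t", 0xfe80000000000000, 0x8010))   # False
```

Note that the device name (mlx5_0 vs mlx4_0) never enters the lookup: the same pkey on the same subnet prefix resolves to the same label on either machine, which is the point the message makes about the kernel using the attributes the policy writer labeled with.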