On Thu, Sep 08, 2016 at 10:19:48AM -0600, Jason Gunthorpe wrote:
> On Thu, Sep 08, 2016 at 02:12:48PM +0000, Daniel Jurgens wrote:
>
> > It would have to include the port, but the idea of using a device name
> > for this is pretty ugly. <subnet_prefix,pkey> makes it very easy to
> > write a policy that can be deployed widely. <device,port,pkey/vlan>
> > could require many different policies depending on the configuration
> > of each machine.
>
> What does net do? Should we have a way to uniformly label the rdma ports?

Uniformly label them on the local node or across a cluster?

I think Daniel has a point here. Given a node with multiple device/ports, using the local device names is IMO wrong.

>
> How do you imagine these policies working anyhow? They cannot be
> shipped from a distro. Are these going to be labeled on filesystem
> objects? (how does that work??) Or somehow injected when starting a
> container?
>
> If they are not written to disk I don't see the problem, the dynamic
> injector will have to figure out what interface is what.

Who is the "dynamic injector"?

Ira

>
> Jason