On Thu, Sep 08, 2016 at 06:59:13PM +0000, Daniel Jurgens wrote:

> >> Net has a variety of means of enforcement, one of which is controlling
> >> access to ports <tcp/udp,port number>, which is the most like what
> >> I'm doing here.
> > No, the analog to the tcp/udp,port number is <ib, service_id>
> I should have been clearer here. From the SELinux perspective this
> scheme is very similar to net ports.

It really isn't. net ports and service_ids are global things that do
not need machine-specific customizations, while subnet prefix or device
name/port are both machine-local information.

> >> with this aside from it being where the policy is stored before
> >> being loaded. What is this dynamic injector you are talking about?
> > The container projects (eg docker) somehow set up selinux on the
> > fly for each container. I'm not sure how.
> SELinux policy is modular and can be changed or updated while
> running. I'm not very familiar with docker so I'm not sure what they
> do regarding SELinux. I'm also not sure it's relevant to the issues
> at hand.

docker and the like would seem to be the #1 user of this kind of
feature; it goes hand in hand with the ipoib namespace work that does
a similar (but less complete) thing.

This is a great way to create a container and constrain it to a single
pkey/vlan/ipoib device, which would be the basic capability needed to
sensibly use rdma and containers together.

This is why thinking about how to fully support the pkey/vlan concept
across all the rdma drivers seems so critical. I'm surprised this isn't
your use case.

Again, I wish you'd think more broadly before designing new uapis.
selinux enabling the rdma subsystem is a whole new uapi aspect for rdma
that we have to live with forever.

> >> called mlx5_0, the other mlx4_0, and you want to grant access to
> >> system administrators.
> > So do this in userspace? Why should the kernel do the translation?
> I'm still not clear on what translation you are talking about.

Converting the subnet prefix to a list of physical ports.

Jason