Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

On Thu, Sep 08, 2016 at 01:35:12PM -0600, Jason Gunthorpe wrote:
> On Thu, Sep 08, 2016 at 03:14:57PM -0400, ira.weiny wrote:
> > On Thu, Sep 08, 2016 at 10:19:48AM -0600, Jason Gunthorpe wrote:
> > > On Thu, Sep 08, 2016 at 02:12:48PM +0000, Daniel Jurgens wrote:
> > > 
> > > > It would have to include the port, but idea of using a device name
> > > > for this is pretty ugly.  <subnet_prefix,pkey> makes it very easy to
> > > > write a policy that can be deployed widely.  <device,port,pkey/vlan>
> > > > could require many different policies depending on the configuration
> > > > of each machine.
> > > 
> > > What does net do? Should we have a way to uniformly label the rdma ports?
> > 
> > Uniformly label them on the local node or across a cluster?
> 
> However we want. If the argument comes down to 'we stupidly choose to
> call our devices mlx5_0', then let's allow the admin to rename that to
> 'rdma0' and a cluster wide config file will apply uniformly. This
> approach applies to all configuration related to rdma, not just
> SELinux.

I'm not sure I like the idea of trying to use "rdmaX".  It seems like this has
been a confusion point for things like drives and NICs in the past.  (Where the
order of device discovery is an issue.)

But I guess with more network types coming online we may have to have something
generic.

That said, in the netdev world not all things are called eth0.  Some are called
wlanX, etc...

Does anyone know why they have names based on network type?

So I could see where having a global "name" for a subnet would be nice...  But
isn't something like that called a domain name?  Does SELinux work in
conjunction with domain names in the netdev stack?

This may be a bit off topic, but has anyone thought about adding GID-specific
DNS record types?

I have experimented with just putting a GID in an IPv6 record and things I
tried work quite well.  Should we have a method to map a domain name to a
subnet prefix?

If the domain name mapped to a subnet prefix it would imply a set of port GIDs
on IB/OPA devices and if it mapped to an IPv4/v6 subnet it would be
iwarp/roce/usnic.

For this series and others the kernel could continue to use the correct
"subnet" information and user space could translate as appropriate?

Would this series work looking at a "subnet prefix" of an IPv6 address in RoCE?

Ira

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
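Worked example of the two ideas in Ira's message, the GID stored in an IPv6 (AAAA-style) record and the <subnet_prefix,pkey> match key, added here as an illustration. It is not code from the patch series and not Ira's experiment. The zone records, node names, helper names and the pkey value are constructed for the example. The RoCE part is my extension of the question at the end of the message, not something the message states: a RoCE GID derived from an IPv4 address is the IPv4-mapped form ::ffff:a.b.c.d, so its upper 64 bits are zero for every IPv4 subnet, while a GID derived from an IPv6 address carries that address's /64 in the upper 64 bits.

```python
"""Treat an RDMA GID as an IPv6 address: recover the subnet prefix, build the
<subnet_prefix, pkey> key, and see what the same split gives for RoCE GIDs.

Added example for this thread; not code from the SELinux IB patch series or
from Ira's experiment.  SAMPLE_ZONE is constructed sample data, not real DNS.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

IB_DEFAULT_SUBNET_PREFIX = 0xFE80_0000_0000_0000   # fe80::/64, the IB default subnet
IB_DEFAULT_PKEY = 0xFFFF                            # the default partition key


def parse_gid(text: str) -> int:
    """A GID is 128 bits, so IPv6 text notation parses it directly."""
    return int(ipaddress.IPv6Address(text))


def gid_text(gid: int) -> str:
    """Render a 128-bit GID in IPv6 notation (what an AAAA record would hold)."""
    return str(ipaddress.IPv6Address(gid))


def subnet_prefix(gid: int) -> int:
    """Upper 64 bits of an IB GID: the subnet prefix."""
    return gid >> 64


def port_guid(gid: int) -> int:
    """Lower 64 bits of an IB GID: the port GUID."""
    return gid & 0xFFFF_FFFF_FFFF_FFFF


def ib_label_key(gid: int, pkey: int) -> Tuple[int, int]:
    """The <subnet_prefix, pkey> pair the message proposes as the policy match key."""
    if not 0 <= pkey <= 0xFFFF:
        raise ValueError("pkey is a 16-bit value")
    return (subnet_prefix(gid), pkey)


def roce_gid_from_ip(ip_text: str) -> int:
    """RoCE derives the GID from the interface address: an IPv6 address is used
    as-is, an IPv4 address becomes the IPv4-mapped form ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv4Address):
        return int(ipaddress.IPv6Address(f"::ffff:{ip}"))
    return int(ip)


def resolve_subnet_prefixes(zone: Dict[str, List[str]], name: str) -> Set[int]:
    """Map a name to the subnet prefixes implied by its GID records.
    `zone` stands in for a DNS lookup (constructed data, no network)."""
    if name not in zone:
        raise KeyError(f"no record for {name}")
    return {subnet_prefix(parse_gid(rr)) for rr in zone[name]}


# Constructed sample data: two ports on the default subnet, one on another subnet.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "node1.ib.example.": ["fe80::2:c903:1:1"],
    "node2.ib.example.": ["fe80::2:c903:1:2"],
    "node3.ib.example.": ["fe81:1234:5678:9abc:2:c903:1:3"],
}


def demo() -> Dict[str, object]:
    """Exercise the helpers on the sample data and return the observations."""
    n1 = parse_gid(SAMPLE_ZONE["node1.ib.example."][0])
    n2 = parse_gid(SAMPLE_ZONE["node2.ib.example."][0])
    n3 = parse_gid(SAMPLE_ZONE["node3.ib.example."][0])
    # node1 and node2 share a subnet prefix, so one <prefix, pkey> rule covers both.
    same_key = ib_label_key(n1, IB_DEFAULT_PKEY) == ib_label_key(n2, IB_DEFAULT_PKEY)
    # node3 is on another subnet and gets a different key even with the same pkey.
    diff_key = ib_label_key(n3, IB_DEFAULT_PKEY) != ib_label_key(n1, IB_DEFAULT_PKEY)
    # RoCE over IPv4: every GID is ::ffff:a.b.c.d, so the upper 64 bits are zero
    # and the IB-style "subnet prefix" cannot tell 10.0.1.0/24 from 192.168.5.0/24.
    v4a = roce_gid_from_ip("10.0.1.7")
    v4b = roce_gid_from_ip("192.168.5.9")
    # RoCE over IPv6: the upper 64 bits are the /64 the port's address sits in.
    v6 = roce_gid_from_ip("2001:db8:1:2::1")
    return {
        "same_key": same_key,
        "diff_key": diff_key,
        "ipv4_roce_prefix_collides": subnet_prefix(v4a) == subnet_prefix(v4b) == 0,
        "ipv6_roce_prefix": subnet_prefix(v6),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

The IPv6 /64 split is only meaningful where the GID really is built as prefix plus GUID; for IPv4-derived RoCE GIDs the interesting bits live in the low 32 bits, so a policy key for that case would have to come from the IP subnet rather than from the upper 64 bits of the GID.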
