On Thu, Sep 08, 2016 at 01:32:35PM -0600, Jason Gunthorpe wrote:
> On Thu, Sep 08, 2016 at 06:59:13PM +0000, Daniel Jurgens wrote:
>
> > > >> Net has a variety of means of enforcement, one of which is controlling
> > > >> access to ports <tcp/udp,port number>, which is the most like what
> > > >> I'm doing here.
> > > > No, the analog to the tcp/udp,port number is <ib, service_id>
> >
> > I should have been clearer here. From the SELinux perspective this
> > scheme is very similar to net ports.
>
> It really isn't. net ports and service_ids are global things that do
> not need machine-specific customizations while subnet prefix or device
> name/port are both machine-local information.

I agree that service_ids are more analogous to net ports.

However, subnet prefixes are _not_ machine-local. They are controlled by the
admin of the fabric through a central entity (the SM). This is more helpful
than in Ethernet, where if you configure the wrong port with the wrong subnet
things just don't work. In IB I can physically plug my network into any IB
port I want and the system is _told_ which "subnet" that port belongs to.
(OPA is the same way.)

So for IB/OPA a subnet prefix is a really good way to ID which network
(subnet) you want to use.

Unfortunately, I'm not sure how to translate that to iWARP/RoCE seamlessly
except to have some concept of "domain", as I mentioned in my other email.

Ira

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.