From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jason Gunthorpe
Subject: Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA
Date: Thu, 1 Sep 2016 10:34:18 -0600
Message-ID: <20160901163418.GA6479@obsidianresearch.com>
References: <20160830074607.GN594@leon.nu> <20160830184633.GE7586@obsidianresearch.com> <20160830185548.GA9768@obsidianresearch.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path:
Content-Disposition: inline
In-Reply-To:
Sender: owner-linux-security-module@vger.kernel.org
To: Daniel Jurgens
Cc: Paul Moore, Leon Romanovsky, "chrisw@sous-sol.org", Stephen Smalley, Eric Paris, "dledford@redhat.com", "sean.hefty@intel.com", "hal.rosenstock@gmail.com", "selinux@tycho.nsa.gov", "linux-security-module@vger.kernel.org", "linux-rdma@vger.kernel.org", Yevgeny Petrilin
List-Id: linux-rdma@vger.kernel.org

On Tue, Aug 30, 2016 at 07:10:12PM +0000, Daniel Jurgens wrote:
> On 8/30/2016 1:56 PM, Jason Gunthorpe wrote:
> >
> > Are subsystems usually SELinux enabled in such a piecemeal way?
> >
> > Are you sure the 'partition' SELinux label should not be more general
> > to cover more of the similar RDMA cases?
>
> In order to label something you have to be able to describe
> something unique about an instance of it, like a Subnet Prefix/PKey
> value pair. What other thing could we label more generally to
> control access to a partition/VLAN?

IP prefix / vlan #? How does it work in net?

Shouldn't you at least have a plan for how this will expand to cover
the whole subsystem??

Jason