From: Jason Gunthorpe
Subject: Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA
Date: Thu, 8 Sep 2016 10:19:48 -0600
Message-ID: <20160908161948.GA21614@obsidianresearch.com>
References: <20160830185548.GA9768@obsidianresearch.com> <20160901163418.GA6479@obsidianresearch.com> <20160906200221.GE28416@obsidianresearch.com> <20160906215548.GA27225@obsidianresearch.com> <20160908000134.GC4515@phlsvsds.ph.intel.com>
To: Daniel Jurgens
Cc: "ira.weiny", Liran Liss, Paul Moore, Leon Romanovsky, "chrisw@sous-sol.org", Stephen Smalley, Eric Paris, "dledford@redhat.com", "sean.hefty@intel.com", "hal.rosenstock@gmail.com", "selinux@tycho.nsa.gov", "linux-security-module@vger.kernel.org", "linux-rdma@vger.kernel.org", Yevgeny Petrilin
List-Id: linux-rdma@vger.kernel.org

On Thu, Sep 08, 2016 at 02:12:48PM +0000, Daniel Jurgens wrote:
> It would have to include the port, but the idea of using a device name
> for this is pretty ugly. makes it very easy to
> write a policy that can be deployed widely.
> could require many different policies depending on the configuration
> of each machine.

What does net do? Should we have a way to uniformly label the rdma ports?

How do you imagine these policies working anyhow? They cannot be shipped from a distro. Are these going to be labeled on filesystem objects? (how does that work??) Or somehow injected when starting a container?

If they are not written to disk I don't see the problem, the dynamic injector will have to figure out what interface is what.

Jason