From: "ira.weiny" <ira.weiny@intel.com>
To: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Daniel Jurgens <danielj@mellanox.com>,
Liran Liss <liranl@mellanox.com>,
Paul Moore <paul@paul-moore.com>,
Leon Romanovsky <leon@kernel.org>,
"chrisw@sous-sol.org" <chrisw@sous-sol.org>,
Stephen Smalley <sds@tycho.nsa.gov>,
Eric Paris <eparis@parisplace.org>,
"dledford@redhat.com" <dledford@redhat.com>,
"sean.hefty@intel.com" <sean.hefty@intel.com>,
"hal.rosenstock@gmail.com" <hal.rosenstock@gmail.com>,
"selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>,
Yevgeny Petrilin <yevgenyp@mellanox.com>
Subject: Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA
Date: Wed, 21 Sep 2016 12:16:27 -0400
Message-ID: <20160921161626.GA27837@phlsvsds.ph.intel.com>
In-Reply-To: <20160908193235.GA1868@obsidianresearch.com>

On Thu, Sep 08, 2016 at 01:32:35PM -0600, Jason Gunthorpe wrote:
> On Thu, Sep 08, 2016 at 06:59:13PM +0000, Daniel Jurgens wrote:
>
> > >> Net has a variety of means of enforcement, one of which is controlling
> > >> access to ports <tcp/udp, port number>, which is the most like what
> > >> I'm doing here.
> > > No, the analog to the <tcp/udp, port number> is <ib, service_id>.
>
> > I should have been clearer here. From the SELinux perspective this
> > scheme is very similar to net ports.
>
> It really isn't. Net ports and service_ids are global things that do
> not need machine-specific customizations, while subnet prefix or device
> name/port are both machine-local information.

I agree that service_ids are more analogous to net ports.

However, subnet prefixes are _not_ machine-local. They are controlled by the
admin of the fabric through a central entity (the SM). This is more helpful than
Ethernet, where if you configure the wrong port with the wrong subnet things
just don't work. In IB I can physically plug my network into any IB port I
want, and the system is _told_ which "subnet" that port belongs to. (OPA is the
same way.)

So for IB/OPA a subnet prefix is a really good way to ID which network (subnet)
you want to use. Unfortunately, I'm not sure how to translate that to
iWARP/RoCE seamlessly, except to have some concept of a "domain" as I mentioned in
my other email.

Ira