Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA
On Thu, Sep 08, 2016 at 10:19:48AM -0600, Jason Gunthorpe wrote:
> On Thu, Sep 08, 2016 at 02:12:48PM +, Daniel Jurgens wrote:
>
> > It would have to include the port, but the idea of using a device name
> > for this is pretty ugly. <subnet_prefix,pkey> makes it very easy to
> > write a policy that can be deployed widely. <device,port,pkey/vlan>
> > could require many different policies depending on the configuration
> > of each machine.
>
> What does net do? Should we have a way to uniformly label the rdma ports?

Uniformly label them on the local node or across a cluster?

I think Daniel has a point here. Given a node with multiple device/ports,
using the local device names is IMO wrong.

> How do you imagine these policies working anyhow? They cannot be
> shipped from a distro. Are these going to be labeled on filesystem
> objects? (how does that work??) Or somehow injected when starting a
> container?
>
> If they are not written to disk I don't see the problem, the dynamic
> injector will have to figure out what interface is what.

Who is the "dynamic injector"?

Ira

> Jason

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA
On Thu, Sep 08, 2016 at 02:12:48PM +, Daniel Jurgens wrote:
> On 9/7/2016 7:01 PM, ira.weiny wrote:
> > On Tue, Sep 06, 2016 at 03:55:48PM -0600, Jason Gunthorpe wrote:
> >> On Tue, Sep 06, 2016 at 08:35:56PM +, Daniel Jurgens wrote:
> >>
> >>> I think to control access to a VLAN for RoCE there would have to be
> >>> labels for GIDs, since that's how you select which VLAN to use.
> >> Since people are talking about using GIDs for containers adding a GID
> >> constraint for all technologies makes sense to me..
> >>
> >> But rocev1 (at least mlx4) does not use vlan ids from the GID, the
> >> vlan id is set directly in the id, so it still seems to need direct
> >> containment. I also see vlan related stuff in the iwarp providers, so
> >> they probably have a similar requirement.
> >>
> >>> required. RDMA device handle labeling isn't granular enough for
> >>> what I'm trying to accomplish. We want users with different levels
> >>> of permission to be able to use the same device, but restrict who
> >>> they can communicate with by isolating them to separate partitions.
> >> Sure, but maybe you should use the (device handle:pkey/vlan_id) as your
> >> labeling tuple not (Subnet Prefix, pkey)
> > Would "device handle" here specify the port?
> >
> > Ira
>
> It would have to include the port, but the idea of using a device name for this
> is pretty ugly. <subnet_prefix,pkey> makes it very easy to write a policy
> that can be deployed widely. <device,port,pkey/vlan> could require many
> different policies depending on the configuration of each machine.
>

I agree that this seems weird. Using the Subnet prefix seems much safer in an
IB/OPA environment. That would be my vote.

Unfortunately I don't have enough knowledge of the net stack to know how this
would work with RoCE or iWarp.

> I've added Liran Liss, he devised the approach that's implemented. This
> would be a pretty big change, with worse usability so I'd like to get his
> feedback.
>

Sounds good,

Ira
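The portability argument above (a <subnet_prefix,pkey> label follows the fabric, while a <device,port,pkey> label follows one node's hardware layout), worked through as an added example that is not part of this thread or of the patch series. The node names, device names, port numbers, subnet prefixes, pkeys and SELinux type names are constructed; pkeys are matched as-is, with no handling of the membership bit; the functions are illustrative, not the kernel's or policycoreutils' API. Python is used so the model runs offline without an IB stack.

```python
"""Added example (not from the patch series or this thread): compares the
<subnet_prefix,pkey> and <device,port,pkey> labeling tuples on a small
constructed cluster and shows why only the first can be shipped unchanged."""

# Constructed fabric: two IB subnets, each identified by its 64-bit subnet
# prefix. Every value here is made up for the example.
NODES = {
    "node-a": {("mlx5_0", 1): 0xFE80000000000000,
               ("mlx5_0", 2): 0xFE80000000000000},
    "node-b": {("mlx4_0", 1): 0xFE80000000000000,
               ("mlx4_0", 2): 0xFE80000000000001},
    "node-c": {("hfi1_0", 1): 0xFE80000000000001},
}

# Portable policy in the <subnet_prefix,pkey> form: one copy for the cluster.
FABRIC_RULES = {
    (0xFE80000000000000, 0xFFFF): "default_pkey_t",
    (0xFE80000000000000, 0x8001): "storage_pkey_t",
    (0xFE80000000000001, 0x8002): "tenant_pkey_t",
}


def label_by_subnet(node, dev, port, pkey, rules=FABRIC_RULES):
    """Resolve a pkey label the way a <subnet_prefix,pkey> policy would.

    The kernel knows which subnet prefix the local port sits on; the policy
    never has to name the device, so the same rules work on every node."""
    prefix = NODES[node][(dev, port)]
    return rules.get((prefix, pkey))


def derive_device_rules(node, fabric_rules=FABRIC_RULES):
    """Expand the portable rules into the <device,port,pkey> form one node
    would need. The output is tied to that node's device/port layout."""
    out = {}
    for (dev, port), prefix in NODES[node].items():
        for (rule_prefix, pkey), stype in fabric_rules.items():
            if rule_prefix == prefix:
                out[(dev, port, pkey)] = stype
    return out


def label_by_device(node, dev, port, pkey, rules):
    """Resolve a label under a <device,port,pkey> policy; `node` is accepted
    only to keep the signature parallel, the lookup ignores the fabric."""
    return rules.get((dev, port, pkey))


def policies_needed(nodes=NODES):
    """Number of distinct <device,port,pkey> policies the cluster needs,
    against the single <subnet_prefix,pkey> policy in FABRIC_RULES."""
    distinct = {frozenset(derive_device_rules(n).items()) for n in nodes}
    return len(distinct)


if __name__ == "__main__":
    # Same fabric rule, resolved on two nodes with different device names.
    print(label_by_subnet("node-a", "mlx5_0", 2, 0x8001))
    print(label_by_subnet("node-b", "mlx4_0", 1, 0x8001))
    # node-a's device-form policy copied to node-b finds nothing.
    a_rules = derive_device_rules("node-a")
    print(label_by_device("node-b", "mlx4_0", 1, 0x8001, a_rules))
    print(policies_needed(), "device-form policies vs 1 fabric-form policy")
```

Running it prints `storage_pkey_t` twice for the subnet-prefix scheme, `None` for node-a's device-form rules applied on node-b, and `3` distinct device-form policies for the three constructed nodes, one per distinct device/port layout.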
Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA
On Tue, Sep 06, 2016 at 03:55:48PM -0600, Jason Gunthorpe wrote:
> On Tue, Sep 06, 2016 at 08:35:56PM +, Daniel Jurgens wrote:
>
> > I think to control access to a VLAN for RoCE there would have to be
> > labels for GIDs, since that's how you select which VLAN to use.
>
> Since people are talking about using GIDs for containers adding a GID
> constraint for all technologies makes sense to me..
>
> But rocev1 (at least mlx4) does not use vlan ids from the GID, the
> vlan id is set directly in the id, so it still seems to need direct
> containment. I also see vlan related stuff in the iwarp providers, so
> they probably have a similar requirement.
>
> > required. RDMA device handle labeling isn't granular enough for
> > what I'm trying to accomplish. We want users with different levels
> > of permission to be able to use the same device, but restrict who
> > they can communicate with by isolating them to separate partitions.
>
> Sure, but maybe you should use the (device handle:pkey/vlan_id) as your
> labeling tuple not (Subnet Prefix, pkey)

Would "device handle" here specify the port?

Ira

> Jason
> --
> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html