On Thu, Sep 08, 2016 at 01:32:35PM -0600, Jason Gunthorpe wrote:
> On Thu, Sep 08, 2016 at 06:59:13PM +0000, Daniel Jurgens wrote:
> > >> Net has variety of means of enforcement, one of which is controlling
> > >> access to ports <tcp/udp,port number>, which is the most like what
> > >> I'm doing here.
> > > No, the analog to the tcp/udp,port number is <ib, service_id>
> > I should have been clearer here. From the SELinux perspective this
> > scheme is very similar to net ports.
> It really isn't. net ports and service_ids are global things that do
> not need machine-specific customizations while subnet prefix or device
> name/port are both machine-local information.
I agree that service_ids are more analogous to net ports.
However, subnet prefixes are _not_ machine-local. They are controlled by the
Admin of the fabric by a central entity (the SM). This is more helpful than in
ethernet where if you configure the wrong port with the wrong subnet things
just don't work. In IB I can physically plug my network into any IB port I
want and the system is _told_ which "subnet" that port belongs to. (OPA is the
So for IB/OPA a subnet prefix is a really good way to ID which network (subnet)
you want to use. Unfortunately, I'm not sure how to translate that to
iWARP/RoCE seamlessly except to have some concept of "domain" as I mentioned in
my other email.
Selinux mailing list