On Thu, Sep 08, 2016 at 01:32:35PM -0600, Jason Gunthorpe wrote:
> On Thu, Sep 08, 2016 at 06:59:13PM +0000, Daniel Jurgens wrote:
> > >> Net has variety of means of enforcement, one of which is controlling
> > >> access to ports <tcp/udp,port number>, which is the most like what
> > >> I'm doing here.
> > > No, the analog the tcp/udp,port number is <ib, service_id> 
> > I should have been clearer here.  From the SELinux perspective this
> > scheme is very similar to net ports.
> It really isn't. net ports and service_ids are global things that do
> not need machine-specific customizations while subnet prefix or device
> name/port are both machine-local information.

I agree that service_ids are more analogous to net ports.

However, subnet prefixes are _not_ machine-local.  They are controlled by the
Admin of the fabric by a central entity (the SM).  This is more helpful than in
Ethernet where, if you configure the wrong port with the wrong subnet, things
just don't work.  In IB I can physically plug my network into any IB port I
want and the system is _told_ which "subnet" that port belongs to.  (OPA is the
same way.)

So for IB/OPA a subnet prefix is a really good way to ID which network (subnet)
you want to use.  Unfortunately, I'm not sure how to translate that to
iWARP/RoCE seamlessly except to have some concept of "domain" as I mentioned in
my other email.

