From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jason Gunthorpe
Subject: Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA
Date: Tue, 30 Aug 2016 12:55:48 -0600
Message-ID: <20160830185548.GA9768@obsidianresearch.com>
References: <1469800416-125043-1-git-send-email-danielj@mellanox.com> <20160830074607.GN594@leon.nu> <20160830184633.GE7586@obsidianresearch.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path:
Content-Disposition: inline
In-Reply-To:
Sender: owner-linux-security-module@vger.kernel.org
To: Daniel Jurgens
Cc: Paul Moore, Leon Romanovsky, "chrisw@sous-sol.org", Stephen Smalley, Eric Paris, "dledford@redhat.com", "sean.hefty@intel.com", "hal.rosenstock@gmail.com", "selinux@tycho.nsa.gov", "linux-security-module@vger.kernel.org", "linux-rdma@vger.kernel.org", Yevgeny Petrilin
List-Id: linux-rdma@vger.kernel.org

On Tue, Aug 30, 2016 at 06:52:28PM +0000, Daniel Jurgens wrote:
> On 8/30/2016 1:46 PM, Jason Gunthorpe wrote:
> > On Tue, Aug 30, 2016 at 02:06:53PM +0000, Daniel Jurgens wrote:
> >
> >> I don't think this will be useful, RoCE doesn't have partitions/PKeys
> >> because it uses Ethernet as the transport instead of Infiniband.
> > The vlan stuff in roce should be just as restricted as the pkey is in
> > IB....
> This patch set introduces a mechanism for controlling access to
> Infiniband partitions. If someone is interested in writing SELinux
> tests regarding RoCE and VLANs then RXE may very well be useful for
> them. It just doesn't apply here.

Are subsystems usually SELinux enabled in such a piecemeal way?

Are you sure the 'partition' SELinux label should not be more general
to cover more of the similar RDMA cases?

Jason