Re: Changing unlabeled_t on files to invalid_label_t.

[Paul Moore <paul@paul-moore.com>]

On Friday, January 10, 2014 12:52:18 PM Dominick Grift wrote:
> On Thu, 2014-01-09 at 19:23 -0500, Paul Moore wrote:
> > Don't forget that a sid, including the initial sids, represents a full
> > label/context.
> 
> Yes sorry, I will try to keep that in mind.

No worries, the terminology here has always been a bit messy ...

> I use the terminology a bit different since i do not look at it from a
> code perspective.
> 
> To me a sid is just what the name suggests: a security identifier.
> 
> user_u -> identity security identifier
> role_r -> role security identifier
> type_t -> type security identifier
> s0 -> sensitivity security identifier
> c0 -> compartment security identifier

Perhaps this is the difference between someone who works on policy versus 
someone who works with the SELinux code :)

>From my point of view, a security label is pretty much an opaque blob most of 
the time.  While there are different "fields" (what I choose to call the user, 
role, type, and MLS information), security decisions are made based on the 
label as a whole, not individual fields.

I also tend to cringe a bit when I hear the term "sid" used outside the 
context of kernel patch.  A sid is really just a private convenience item used 
by the kernel to make it easier and faster to pass around labels.  In my mind 
the term "sid" should never be used outside kernel patch discussions.

> I guess from that perspective i would probably also refer to for example
> traditional uids as sids.
> 
> uid=1000(joe)

Argh, please no ... we have enough three letter acronyms floating around this 
place, that last thing we want is to start swapping them around! :)

> key/value pairs, were the key ("uid") is a security attribute and the
> value (1000/(joe)) is a/are security identifier(s)

I see your point, but a UID is such a fundamental term and has a widely 
accepted definition, I think calling it a sid is only going to be a problem.

> I know its probably technically incorrect. I have the same thing with
> the term domain.
> 
> I use that term in a different context than everyone else. What you call
> a domain i call a domain type.

Technically a domain is a type ...

> To me a particular domain encapsulates all rules associated with a
> particular domain type

This to me isn't a major difference.  I suppose it is similar to the 
difference between a word itself and what that word represents.

-- 
paul moore
www.paul-moore.com