* SELinux and SID
From: Mario Fanelli @ 2006-05-30  9:08 UTC
  To: SeLinux Mailing List


I read that SELinux uses extended attributes to maintain the SID/file mapping,
but I have a Fedora Core 5 with an ext3 filesystem, and if I use the getfattr
command on any file I don't obtain anything that resembles a SID. Am I wrong?

Where does SELinux store SID?



* Re: SELinux and SID
From: Joshua Brindle @ 2006-05-30 12:19 UTC
  To: Mario Fanelli; +Cc: SeLinux Mailing List

Mario Fanelli wrote:
>
> I read that SELinux uses extended attributes to maintain the SID/file 
> mapping, but I have a Fedora Core 5 with an ext3 filesystem, and if I 
> use the getfattr command on any file I don't obtain anything that resembles 
> a SID. Am I wrong?
>
> Where does SELinux store SID?
>
You have to tell it what attribute name you want:

$ getfattr -n security.selinux .
# file: .
security.selinux="system_u:object_r:root_t:s0\000"



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SELinux and SID
From: Stephen Smalley @ 2006-05-30 15:40 UTC
  To: Joshua Brindle; +Cc: Mario Fanelli, SeLinux Mailing List

On Tue, 2006-05-30 at 08:19 -0400, Joshua Brindle wrote:
> Mario Fanelli wrote:
> >
> > I read that SELinux uses extended attributes to maintain the SID/file 
> > mapping, but I have a Fedora Core 5 with an ext3 filesystem, and if I 
> > use the getfattr command on any file I don't obtain anything that resembles 
> > a SID. Am I wrong?
> >
> > Where does SELinux store SID?
> >
> You have to tell it what attribute name you want
> 
> $ getfattr -n security.selinux .
> # file: .
> security.selinux="system_u:object_r:root_t:s0\000"

Note btw that security context strings are stored on the filesystem, not
the (non-persistent non-global) SIDs (which are only stored in the
in-core inodes).  Older versions of SELinux (pre-2.6) stored a separate
persistent SID in the on-disk inodes (with a per-fs mapping from
persistent SIDs to contexts), but that was eliminated when we migrated
to using xattrs.

getfattr only displays attributes in the user namespace by default.  To
display all attributes on a file, you'd do something like:
$ getfattr -m "" -d /path/to/file

Or to see attributes in just the security namespace:
$ getfattr -m "^security" -d /path/to/file

-- 
Stephen Smalley
National Security Agency
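As an added illustration of the two answers above (Joshua's `getfattr -n security.selinux` and Stephen's point that only the context string is on disk, read through the security xattr namespace), here is a small Python script that is not part of the thread. It reads the same xattr with os.getxattr/os.listxattr (Linux-only calls), strips the trailing NUL that getfattr prints as `\000`, and splits the context into user, role, type and optional MLS level. The sample byte strings in the comments are constructed; the function names are my own.

```python
# Added example, not from the thread: read security.selinux the way
# `getfattr -n security.selinux` and `getfattr -m "^security" -d` do, and
# split the stored context string into its fields.  The on-disk value is
# NUL-terminated, which is why getfattr shows a trailing \000 above.
import os
import sys
from typing import Dict, Optional

SELINUX_XATTR = "security.selinux"


def parse_context(raw: bytes) -> Dict[str, Optional[str]]:
    """Split a raw xattr value into user, role, type and optional level.

    The trailing NUL is stripped first.  maxsplit=3 matters: an MLS/MCS
    range such as "s0-s0:c0.c1023" contains colons of its own and must
    stay whole in the level field.
    """
    text = raw.rstrip(b"\x00").decode("utf-8")
    parts = text.split(":", 3)
    if len(parts) < 3 or any(part == "" for part in parts):
        raise ValueError(f"malformed security context: {text!r}")
    return {
        "user": parts[0],
        "role": parts[1],
        "type": parts[2],
        "level": parts[3] if len(parts) == 4 else None,  # absent on non-MLS policy
    }


def security_xattrs(path: str) -> Dict[str, bytes]:
    """All xattrs in the security namespace, like getfattr -m "^security" -d.

    os.listxattr/os.getxattr exist only on Linux.  follow_symlinks=False
    reads the label of a symlink itself rather than of its target.
    """
    return {
        name: os.getxattr(path, name, follow_symlinks=False)
        for name in os.listxattr(path, follow_symlinks=False)
        if name.startswith("security.")
    }


def file_context(path: str) -> Optional[Dict[str, Optional[str]]]:
    """Parsed context of one file, or None when no security.selinux xattr
    is stored (e.g. a filesystem mounted without xattr support)."""
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError:  # ENODATA, ENOTSUP, permission errors, ...
        return None
    return parse_context(raw)


if __name__ == "__main__":
    # Constructed usage: python3 thisfile.py /path/to/file  (defaults to ".")
    if not hasattr(os, "listxattr"):
        sys.exit("extended attribute calls are only available on Linux")
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, value in security_xattrs(target).items():
        print(f"{name}={value!r}")
    print(file_context(target))
```

Running it on the directory from Joshua's example would show the same `system_u:object_r:root_t:s0` value, minus the NUL, split into four fields; on a file with a category range the level field keeps the whole `s0-s0:c0.c1023` string because of the maxsplit.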



* R: SELinux and SID
From: Mario Fanelli @ 2006-05-30 16:40 UTC
  To: SeLinux Mailing List

>
>
> -----Original Message-----
> From: Stephen Smalley [mailto:sds@tycho.nsa.gov] 
> Sent: Tuesday, May 30, 2006 5:41 PM
> To: Joshua Brindle
> Cc: Mario Fanelli; SeLinux Mailing List
> Subject: Re: SELinux and SID
>
> On Tue, 2006-05-30 at 08:19 -0400, Joshua Brindle wrote:
> > Mario Fanelli wrote:
> > >
> > > I read that SELinux uses extended attributes to maintain the SID/file 
> > > mapping, but I have a Fedora Core 5 with an ext3 filesystem, and if I 
> > > use the getfattr command on any file I don't obtain anything that resembles
> > > a SID. Am I wrong?
> > >
> > > Where does SELinux store SID?
> > >
> > You have to tell it what attribute name you want
> > 
> > $ getfattr -n security.selinux .
> > # file: .
> > security.selinux="system_u:object_r:root_t:s0\000"
>
> Note btw that security context strings are stored on the filesystem, not
> the (non-persistent non-global) SIDs (which are only stored in the
> in-core inodes).  Older versions of SELinux (pre-2.6) stored a separate
> persistent SID in the on-disk inodes (with a per-fs mapping from
> persistent SIDs to contexts), but that was eliminated when we migrated
> to using xattrs.
>
> getfattr only displays attributes in the user namespace by default.  To
> display all attributes on a file, you'd do something like:
> $ getfattr -m "" -d /path/to/file
>
> Or to see attributes in just the security namespace:
> $ getfattr -m "^security" -d /path/to/file
>
> -- 
> Stephen Smalley
> National Security Agency
> --

But are the SIDs invalidated at every reboot? If two objects have the same
security context, are their SIDs equal?



* Re: R: SELinux and SID
From: Stephen Smalley @ 2006-05-30 16:58 UTC
  To: Mario Fanelli; +Cc: SeLinux Mailing List

On Tue, 2006-05-30 at 18:40 +0200, Mario Fanelli wrote:
> But are the SIDs invalidated at every reboot? If two objects have the same
> security context, are their SIDs equal?

A SID is an integer that refers to a security context.  SIDs are
dynamically allocated on demand, although there are a few preallocated
ones for initialization.  SIDs are not exported by the kernel to
userspace; they are purely an in-kernel abstraction.  Userspace object
managers that need to enforce policy over their own objects and
operations can also have their own private SID tables (supported by
libselinux, as part of the userspace AVC).

-- 
Stephen Smalley
National Security Agency
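To make Stephen's answer concrete, here is an added toy model of the kernel's SID table, written for this page and not taken from the kernel or from the thread. It shows the three properties he describes: a SID is an integer naming a context, it is allocated on demand (so two objects with the same context share one SID), and a few entries are preallocated at initialization. Because the table is purely in memory, building a fresh one, as a reboot would, can hand the same context a different number. The initial entries, the sample path-to-context map and the function names are constructed for the model; the real kernel's initial SID list and numbering are not reproduced here.

```python
# Added example, not kernel code: a toy in-memory SID table illustrating
# Stephen Smalley's answer.  Initial entries and the sample "filesystem"
# below are constructed placeholders, not the kernel's real initial SIDs.
from typing import Dict, List


class SidTable:
    """Bidirectional map between SIDs (integers) and context strings."""

    # Constructed stand-ins for the kernel's preallocated initial SIDs.
    INITIAL_CONTEXTS: List[str] = [
        "system_u:system_r:kernel_t:s0",      # stand-in for the kernel's own SID
        "system_u:object_r:unlabeled_t:s0",   # stand-in for the "unlabeled" SID
    ]

    def __init__(self) -> None:
        self._sid_to_ctx: Dict[int, str] = {}
        self._ctx_to_sid: Dict[str, int] = {}
        self._next_sid = 1  # 0 is kept free as a "null" SID in this model
        for ctx in self.INITIAL_CONTEXTS:
            self._allocate(ctx)
        self.first_dynamic_sid = self._next_sid  # first number handed out on demand

    def _allocate(self, ctx: str) -> int:
        sid = self._next_sid
        self._next_sid += 1
        self._sid_to_ctx[sid] = ctx
        self._ctx_to_sid[ctx] = sid
        return sid

    @staticmethod
    def _validate(ctx: str) -> None:
        # user:role:type with an optional MLS level; reject empty fields.
        parts = ctx.split(":", 3)
        if len(parts) < 3 or any(p == "" for p in parts):
            raise ValueError(f"malformed security context: {ctx!r}")

    def context_to_sid(self, ctx: str) -> int:
        """SID for ctx, allocated the first time ctx is seen; a second object
        with the same context gets the same SID back."""
        self._validate(ctx)
        sid = self._ctx_to_sid.get(ctx)
        return sid if sid is not None else self._allocate(ctx)

    def sid_to_context(self, sid: int) -> str:
        """Inverse lookup; an unknown SID is an error, there is nothing to guess."""
        try:
            return self._sid_to_ctx[sid]
        except KeyError:
            raise KeyError(f"unknown SID {sid}") from None

    def __len__(self) -> int:
        return len(self._sid_to_ctx)


def label_inodes(table: SidTable, on_disk: Dict[str, str]) -> Dict[str, int]:
    """Simulate bringing inodes in-core: the persistent data is the context
    string (the security.selinux xattr); the SID is derived from it each time."""
    return {path: table.context_to_sid(ctx) for path, ctx in on_disk.items()}


# Constructed "filesystem": three files, two of which share a context.
SAMPLE_FS: Dict[str, str] = {
    "/etc/passwd": "system_u:object_r:etc_t:s0",
    "/etc/hosts": "system_u:object_r:etc_t:s0",
    "/": "system_u:object_r:root_t:s0",
}


def reboot_demo() -> Dict[str, List[int]]:
    """Label SAMPLE_FS with two fresh tables, the second time in reverse order
    (as if a different file were touched first after a reboot), and return the
    SID each path received in each 'boot'."""
    boot1 = label_inodes(SidTable(), SAMPLE_FS)
    reversed_fs = dict(reversed(list(SAMPLE_FS.items())))
    boot2 = label_inodes(SidTable(), reversed_fs)
    return {path: [boot1[path], boot2[path]] for path in SAMPLE_FS}


if __name__ == "__main__":
    for path, sids in reboot_demo().items():
        print(f"{path:12s} boot1 SID={sids[0]}  boot2 SID={sids[1]}")
```

In the demo the two etc_t files always share one SID within a boot, while `/` gets SID 4 in the first run and SID 3 in the second, which is exactly why a SID must never be written to disk or compared across machines: only the context string carries meaning outside the running kernel.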


