* The purpose of SID.
From: dE @ 2014-04-08 8:40 UTC (permalink / raw)
To: selinux
As I read in the SELinux docs, each subject and object is assigned a
unique SID; when using the selinux libraries, or using the SELinux
kernel API the programs are expected to request the security server
decisions for a particular subject and object by passing the subject and
object's SID to the security server.
The question is: is a SID created when an SELinux-enabled kernel boots, or
just when an SELinux-enabled program requests a SID for a subject/object
from the kernel?
Also, can I see a process's and file's SID via some program?
* Re: The purpose of SID.
From: Stephen Smalley @ 2014-04-08 12:16 UTC (permalink / raw)
To: dE, selinux
On 04/08/2014 04:40 AM, dE wrote:
> As I read in the SELinux docs, each subject and object is assigned a
> unique SID; when using the selinux libraries, or using the SELinux
> kernel API the programs are expected to request the security server
> decisions for a particular subject and object by passing the subject and
> object's SID to the security server.
>
> Question is -- is SID created when an SELinux enabled kernel boots or
> just when a SELinux enabled program requests an SID for a subject/object
> from the kernel?
>
> Also can I see a process's and file's SID via some program?
Except for a small set of predefined initial SIDs (used for
bootstrapping before policy is loaded), SIDs are dynamically allocated
on demand for security contexts when they are first used.
The kernel does not expose its SIDs to userspace; all of the userspace
APIs provided by the kernel pass security contexts instead; see:
http://www.nsa.gov/research/_files/selinux/papers/module/x362.shtml
However, libselinux does provide a userspace SID abstraction for users
of the userspace AVC implementation (man avc_context_to_sid). Those
SIDs are likewise dynamically allocated on demand for security contexts
when they are first used, but are merely local references to the
security context; that mapping is per-process and has no global meaning.
* Re: The purpose of SID.
From: Stephen Smalley @ 2014-04-08 12:17 UTC (permalink / raw)
To: dE, selinux
On 04/08/2014 08:16 AM, Stephen Smalley wrote:
> On 04/08/2014 04:40 AM, dE wrote:
>> As I read in the SELinux docs, each subject and object is assigned a
>> unique SID; when using the selinux libraries, or using the SELinux
>> kernel API the programs are expected to request the security server
>> decisions for a particular subject and object by passing the subject and
>> object's SID to the security server.
>>
>> Question is -- is SID created when an SELinux enabled kernel boots or
>> just when a SELinux enabled program requests an SID for a subject/object
>> from the kernel?
>>
>> Also can I see a process's and file's SID via some program?
>
> Except for a small set of predefined initial SIDs (used for
> bootstrapping before policy is loaded), SIDs are dynamically allocated
> on demand for security contexts when they are first used.
>
> The kernel does not expose its SIDs to userspace; all of the userspace
> APIs provided by the kernel pass security contexts instead; see:
> http://www.nsa.gov/research/_files/selinux/papers/module/x362.shtml
>
> However, libselinux does provide a userspace SID abstraction for users
> of the userspace AVC implementation (man avc_context_to_sid). Those
> SIDs are likewise dynamically allocated on demand for security contexts
> when they are first used, but are merely local references to the
> security context; that mapping is per-process and has no global meaning.
Also, SIDs are not unique per subject/object but rather per security
context.
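As an added illustration (not code from the thread), a small Python model of the SID table Stephen describes in his two replies above: a few predefined initial SIDs, every other SID allocated the first time a security context is seen, and one SID per context rather than per subject or object, with each table's numbering purely local. The initial-SID names and the contexts are constructed sample values, and the class and method names are mine, modelled loosely on libselinux's avc_context_to_sid/avc_sid_to_context.

```python
import re

# Constructed approximation of the predefined initial SIDs (the real kernel
# defines more); before policy loads these names stand in for contexts.
INITIAL_SIDS = {1: "kernel", 2: "security", 3: "unlabeled"}

# A context is user:role:type with an optional MLS/MCS range.
CONTEXT_RE = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+(:\S+)?$")


class SidTable:
    """One SID namespace: the kernel's, or a single process's libselinux AVC."""

    def __init__(self):
        self._sid_to_ctx = dict(INITIAL_SIDS)
        self._ctx_to_sid = {ctx: sid for sid, ctx in INITIAL_SIDS.items()}
        self._next = max(INITIAL_SIDS) + 1  # first dynamically allocated SID

    def context_to_sid(self, ctx):
        """Map a context to its SID, allocating one the first time it is seen."""
        if not CONTEXT_RE.match(ctx):
            raise ValueError(f"malformed security context: {ctx!r}")
        sid = self._ctx_to_sid.get(ctx)
        if sid is None:
            sid = self._next
            self._next += 1
            self._ctx_to_sid[ctx] = sid
            self._sid_to_ctx[sid] = ctx
        return sid

    def sid_to_context(self, sid):
        """Reverse lookup; a SID that was never allocated raises KeyError."""
        return self._sid_to_ctx[sid]


def demo():
    """Two shells in the same domain share a SID; a second table (another
    process) numbers the same context differently, so SIDs are not global."""
    kernel, proc_b = SidTable(), SidTable()
    shell1 = kernel.context_to_sid("unconfined_u:unconfined_r:unconfined_t:s0")
    shell2 = kernel.context_to_sid("unconfined_u:unconfined_r:unconfined_t:s0")
    passwd = kernel.context_to_sid("system_u:object_r:passwd_file_t:s0")
    other = proc_b.context_to_sid("system_u:object_r:passwd_file_t:s0")
    return {
        "same_ctx_same_sid": shell1 == shell2,       # one SID per context
        "distinct_ctx_distinct_sid": shell1 != passwd,
        "sid_in_kernel": passwd,                     # 5 in this table
        "sid_in_proc_b": other,                      # 4: local numbering only
        "roundtrip": kernel.sid_to_context(passwd),
    }
```

What `ls -Z` or `ps -Z` prints is the context string, which is all the kernel hands to userspace; the kernel's own SID numbers never leave it.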
* Re: The purpose of SID.
From: dE @ 2014-04-09 7:26 UTC (permalink / raw)
To: selinux
On 04/08/14 17:47, Stephen Smalley wrote:
> On 04/08/2014 08:16 AM, Stephen Smalley wrote:
>> On 04/08/2014 04:40 AM, dE wrote:
>>> As I read in the SELinux docs, each subject and object is assigned a
>>> unique SID; when using the selinux libraries, or using the SELinux
>>> kernel API the programs are expected to request the security server
>>> decisions for a particular subject and object by passing the subject and
>>> object's SID to the security server.
>>>
>>> Question is -- is SID created when an SELinux enabled kernel boots or
>>> just when a SELinux enabled program requests an SID for a subject/object
>>> from the kernel?
>>>
>>> Also can I see a process's and file's SID via some program?
>> Except for a small set of predefined initial SIDs (used for
>> bootstrapping before policy is loaded), SIDs are dynamically allocated
>> on demand for security contexts when they are first used.
>>
>> The kernel does not expose its SIDs to userspace; all of the userspace
>> APIs provided by the kernel pass security contexts instead; see:
>> http://www.nsa.gov/research/_files/selinux/papers/module/x362.shtml
>>
>> However, libselinux does provide a userspace SID abstraction for users
>> of the userspace AVC implementation (man avc_context_to_sid). Those
>> SIDs are likewise dynamically allocated on demand for security contexts
>> when they are first used, but are merely local references to the
>> security context; that mapping is per-process and has no global meaning.
> Also, SIDs are not unique per subject/object but rather per security
> context.
>
>
It doesn't make sense to give each subject and object a unique SID, because
the security server doesn't have to do anything with individual subjects
and objects; instead it deals with the security context.
That clears things up. Thanks!