Re: The purpose of SID.

[dE <de.techno@gmail.com>]

On 04/08/14 17:47, Stephen Smalley wrote:
> On 04/08/2014 08:16 AM, Stephen Smalley wrote:
>> On 04/08/2014 04:40 AM, dE wrote:
>>> As I read in the SELinux docs, each subject and object is assigned a
>>> unique SID; when using the selinux libraries, or using the SELinux
>>> kernel API the programs are expected to request the security server
>>> decisions for a particular subject and object by passing the subject and
>>> object's SID to the security server.
>>>
>>> Question is -- is SID created when an SELinux enabled kernel boots or
>>> just when a SELinux enabled program requests an SID for a subject/object
>>> from the kernel?
>>>
>>> Also can I see a process's and file's SID via some program?
>> Except for a small set of predefined initial SIDs (used for
>> bootstrapping before policy is loaded), SIDs are dynamically allocated
>> on demand for security contexts when they are first used.
>>
>> The kernel does not expose its SIDs to userspace; all of the userspace
>> APIs provided by the kernel pass security contexts instead; see:
>> http://www.nsa.gov/research/_files/selinux/papers/module/x362.shtml
>>
>> However, libselinux does provide a userspace SID abstraction for users
>> of the userspace AVC implementation (man avc_context_to_sid).  Those
>> SIDs are likewise dynamically allocated on demand for security contexts
>> when they are first used, but are merely local references to the
>> security context; that mapping is per-process and has no global meaning.
> Also, SIDs are not unique per subject/object but rather per security
> context.
>
>

It doesn't make sense to give each subject and object unique SID cause 
the security server doesn't have to do anything with individual subject 
and object instead it has to do with the security context.

That clears things up. Thanks!