Re: The purpose of SID.

On 04/08/2014 04:40 AM, dE wrote:
> As I read in the SELinux docs, each subject and object is assigned a
> unique SID; when using the selinux libraries, or using the SELinux
> kernel API the programs are expected to request the security server
> decisions for a particular subject and object by passing the subject and
> object's SID to the security server.
> 
> Question is -- is a SID created when an SELinux enabled kernel boots or
> just when an SELinux enabled program requests a SID for a subject/object
> from the kernel?
> 
> Also can I see a process's and file's SID via some program?

Except for a small set of predefined initial SIDs (used for
bootstrapping before policy is loaded), SIDs are dynamically allocated
on demand for security contexts when they are first used.

The kernel does not expose its SIDs to userspace; all of the userspace
APIs provided by the kernel pass security contexts instead; see:
http://www.nsa.gov/research/_files/selinux/papers/module/x362.shtml

However, libselinux does provide a userspace SID abstraction for users
of the userspace AVC implementation (man avc_context_to_sid).  Those
SIDs are likewise dynamically allocated on demand for security contexts
when they are first used, but are merely local references to the
security context; that mapping is per-process and has no global meaning.
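To make the last point concrete, here is an added illustration (not code from the poster or from libselinux) of what a per-process, on-demand SID table looks like. It models the behaviour the reply attributes to libselinux's avc_context_to_sid()/avc_sid_to_context() without linking against libselinux: a SID is handed out the first time a context string is seen, the same string always maps back to the same SID within one table, and a second table numbers the same contexts differently, so a SID carries no meaning outside the table that issued it. The table type, function names and the two sample contexts are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a per-process SID table (hypothetical, not libselinux's own
 * structure). SID 0 is reserved as "invalid"; real SIDs start at 1. */
#define SID_TABLE_MAX 64

struct sid_table {
    char *contexts[SID_TABLE_MAX]; /* index i holds the context for SID i+1 */
    unsigned int count;
};

static char *dup_context(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy)
        memcpy(copy, s, n);
    return copy;
}

void sid_table_init(struct sid_table *t)
{
    memset(t, 0, sizeof *t);
}

/* Return the SID for ctx, allocating one on first use.
 * Mirrors the shape of avc_context_to_sid(); returns 0 on failure. */
unsigned int sid_table_context_to_sid(struct sid_table *t, const char *ctx)
{
    for (unsigned int i = 0; i < t->count; i++)
        if (strcmp(t->contexts[i], ctx) == 0)
            return i + 1;                 /* already allocated: reuse */

    if (t->count >= SID_TABLE_MAX)
        return 0;                         /* table full */
    t->contexts[t->count] = dup_context(ctx);
    if (!t->contexts[t->count])
        return 0;                         /* out of memory */
    t->count++;
    return t->count;                      /* freshly allocated SID */
}

/* Reverse lookup, like avc_sid_to_context(); NULL for an unknown SID. */
const char *sid_table_sid_to_context(const struct sid_table *t, unsigned int sid)
{
    if (sid == 0 || sid > t->count)
        return NULL;
    return t->contexts[sid - 1];
}

void sid_table_destroy(struct sid_table *t)
{
    for (unsigned int i = 0; i < t->count; i++)
        free(t->contexts[i]);
    t->count = 0;
}

int main(void)
{
    /* Constructed sample contexts, as they would be read from
     * /proc/PID/attr/current or a file's security.selinux xattr. */
    const char *shell = "unconfined_u:unconfined_r:unconfined_t:s0";
    const char *file  = "system_u:object_r:etc_t:s0";

    struct sid_table a, b;
    sid_table_init(&a);
    sid_table_init(&b);

    unsigned int a_shell  = sid_table_context_to_sid(&a, shell);
    unsigned int a_file   = sid_table_context_to_sid(&a, file);
    unsigned int a_shell2 = sid_table_context_to_sid(&a, shell); /* same SID */

    /* Table b meets the contexts in the other order, so its numbering
     * differs: a SID only means something to the table that issued it. */
    unsigned int b_file  = sid_table_context_to_sid(&b, file);
    unsigned int b_shell = sid_table_context_to_sid(&b, shell);

    printf("table a: shell=%u file=%u shell again=%u\n", a_shell, a_file, a_shell2);
    printf("table b: file=%u shell=%u\n", b_file, b_shell);
    printf("a SID %u -> %s\n", a_file, sid_table_sid_to_context(&a, a_file));

    sid_table_destroy(&a);
    sid_table_destroy(&b);
    return 0;
}
```

The security context string is the only identifier that is stable across processes and across the kernel boundary, which is why anything that must be logged, compared or passed to another program should carry the context rather than a SID.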
