Re: Security server responses always based on class?

On 04/11/2014 02:45 AM, dE wrote:
> Does the object manager always query the security server based on
> classes? And does the security server always respond with an access vector?
> 
> OR
> 
> Can the object manager query the security server on specific permissions
> (which make up a class) without querying for a response for the whole
> security class?

The security server interface is security_compute_av(), which always
computes the entire access vector for the class.

Object managers however will typically call the Access Vector Cache
(AVC) interface avc_has_perm(), which checks particular permissions.
Internally, the AVC calls security_compute_av() if the access vector is
not already cached for the (source context, target context, target
class) triple and caches the result.

More recent work on userspace object managers has introduced a higher
level API, selinux_check_access(), which internally handles the mapping
of contexts to SIDs and the mapping of class and permission strings to
values and calls avc_has_perm().

All of these APIs are provided by libselinux and have corresponding man
pages.
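The reply above describes a layering: security_compute_av() always computes the whole access vector for a (source, target, class) triple, avc_has_perm() caches that vector and checks individual permission bits against it, and selinux_check_access() maps class and permission names onto those values. The following is an added, constructed model of that split, not libselinux code; the class names, permission bits and policy rules are toy values invented for the example, and contexts are used directly in place of the SID mapping the real API performs.

```python
# Constructed model of the security server / AVC split described in the reply.
# Not libselinux: the API names are mirrored, the policy table is a toy.

# Toy permission bit assignments for a hypothetical "file" class.
FILE_PERMS = {"read": 1 << 0, "write": 1 << 1, "execute": 1 << 2, "getattr": 1 << 3}
CLASS_PERMS = {"file": FILE_PERMS}

# Toy allow rules: (source type, target type, class) -> allowed vector.
# Sample values constructed for this example, not from any real policy.
POLICY_RULES = {
    ("httpd_t", "httpd_content_t", "file"): FILE_PERMS["read"] | FILE_PERMS["getattr"],
    ("httpd_t", "httpd_log_t", "file"): FILE_PERMS["write"] | FILE_PERMS["getattr"],
}


class SecurityServer:
    """Stand-in for security_compute_av(): always returns the full vector."""

    def __init__(self):
        self.compute_calls = 0  # counts how often the full computation ran

    def compute_av(self, ssid, tsid, tclass):
        self.compute_calls += 1
        return POLICY_RULES.get((ssid, tsid, tclass), 0)  # no rule -> nothing allowed


class AVC:
    """Stand-in for avc_has_perm(): caches the whole vector per triple and
    checks only the requested permission bits against it."""

    def __init__(self, server):
        self.server = server
        self.cache = {}     # (ssid, tsid, tclass) -> allowed vector
        self.denials = []   # (triple, denied bits), the audit record of denials

    def has_perm(self, ssid, tsid, tclass, requested):
        key = (ssid, tsid, tclass)
        if key not in self.cache:  # miss: ask the security server once per triple
            self.cache[key] = self.server.compute_av(ssid, tsid, tclass)
        denied = requested & ~self.cache[key]
        if denied:
            self.denials.append((key, denied))
            return False
        return True


def check_access(avc, scon, tcon, tclass, perm):
    """Stand-in for selinux_check_access(): maps class and permission names
    to values, then defers to the AVC (the real API also maps contexts to SIDs)."""
    return avc.has_perm(scon, tcon, tclass, CLASS_PERMS[tclass][perm])
```

Two checks against the same triple trigger one security server computation; the second permission is decided from the cached vector.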
