Transient and Persistent Objects

Two kinds of objects exist within a Linux system: transient objects and persistent objects. A transient object has a quite limited lifetime, often existing merely as a data structure within kernel space. A process is the most common kind of transient object. SELinux can directly associate an SID with a transient object by keeping a memory-resident table that maps transient object identities to SIDs and thence to security contexts.

In contrast to transient objects, a persistent object has an indefinite lifetime. The most common persistent objects are files and directories. Because persistent objects, once created, generally exist until they’re destroyed, a persistent object may exist across several system startups. Thus, a memory-resident table can’t be used to associate persistent objects with their SIDs, because the contents of memory-resident tables are lost at system startup. Therefore, associating a persistent object with its security context is somewhat complicated.

In general, persistent objects are associated with Linux filesystems, which can be used to store their security contexts. Several Linux filesystem types, including the standard ext2 and ext3 filesystem types, provide an extended attribute feature that can be enabled during compilation of a Linux kernel. SELinux uses the extended attribute to store persistent security identifiers (PSIDs) on the filesystem. SELinux uses memory-resident tables to map PSIDs to SIDs, and thence to security ...
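The two mechanisms described above, an in-memory SID table for transient objects and an on-disk extended attribute for persistent ones, can be modelled in a few lines. The following Python is an added example, not code from the book or from the SELinux project: `SidTable` stands in for the kernel's memory-resident mapping from SIDs to security contexts, and `read_persistent_context` recovers a file's label from the extended attribute that SELinux uses on extended-attribute-capable filesystems (the attribute name `security.selinux` is the real one used by SELinux; the `attr` parameter, the class and function names, and the sample context strings are this example's own choices). Reading the label only works on Linux, and on a system without SELinux the attribute is simply absent, which the function reports as `None` rather than treating as an error.

```python
import errno
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Extended attribute in which SELinux stores a persistent object's label.
SELINUX_XATTR = "security.selinux"


@dataclass(frozen=True)
class SecurityContext:
    """A security context as stored on disk: user:role:type[:level]."""

    user: str
    role: str
    type: str
    level: Optional[str] = None

    @classmethod
    def parse(cls, raw: str) -> "SecurityContext":
        # Labels read from xattrs may carry a trailing NUL; strip it before splitting.
        parts = raw.rstrip("\0").split(":", 3)
        if len(parts) < 3 or any(p == "" for p in parts[:3]):
            raise ValueError(f"malformed security context: {raw!r}")
        level = parts[3] if len(parts) == 4 else None
        return cls(parts[0], parts[1], parts[2], level)

    def __str__(self) -> str:
        base = f"{self.user}:{self.role}:{self.type}"
        return f"{base}:{self.level}" if self.level is not None else base


class SidTable:
    """Memory-resident table mapping SIDs to contexts and back.

    This models the kernel-side table the text describes: it lives only in
    memory, so its contents do not survive a reboot, which is exactly why
    persistent objects need their label stored on the filesystem instead.
    """

    def __init__(self) -> None:
        self._by_sid: Dict[int, SecurityContext] = {}
        self._by_ctx: Dict[SecurityContext, int] = {}
        self._next_sid = 1

    def sid_for(self, ctx: SecurityContext) -> int:
        """Return the SID for a context, allocating a new one on first sight."""
        sid = self._by_ctx.get(ctx)
        if sid is None:
            sid = self._next_sid
            self._next_sid += 1
            self._by_sid[sid] = ctx
            self._by_ctx[ctx] = sid
        return sid

    def context_for(self, sid: int) -> Optional[SecurityContext]:
        return self._by_sid.get(sid)


def read_persistent_context(path: str, table: SidTable,
                            attr: str = SELINUX_XATTR) -> Optional[int]:
    """Map a file's on-disk label to an SID via the in-memory table.

    Returns None when the object carries no label or the filesystem does not
    support extended attributes (both common on non-SELinux systems).
    """
    if not hasattr(os, "getxattr"):  # extended attribute API is Linux-only
        return None
    try:
        raw = os.getxattr(path, attr, follow_symlinks=False)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP, errno.EOPNOTSUPP):
            return None
        raise
    return table.sid_for(SecurityContext.parse(raw.decode("utf-8", "replace")))


if __name__ == "__main__":
    table = SidTable()
    # Constructed sample labels, not read from any real system.
    for label in ("system_u:object_r:etc_t:s0", "system_u:object_r:bin_t:s0",
                  "system_u:object_r:etc_t:s0"):
        print(label, "->", table.sid_for(SecurityContext.parse(label)))
    print("/etc/passwd ->", read_persistent_context("/etc/passwd", table))
```

The two identical `etc_t` labels resolve to the same SID, which is the point of the table: the kernel carries one small integer per object and looks the full context up only when it needs it.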