Transient and Persistent Objects
Two kinds of objects exist within a Linux system: transient objects and persistent objects. A transient object has a quite limited lifetime, often existing merely as a data structure within kernel space. A process is the most common kind of transient object. SELinux can directly associate an SID with a transient object by keeping a memory-resident table that maps transient object identities to SIDs and thence to security contexts.
In contrast to transient objects, a persistent object has an indefinite lifetime. The most common persistent objects are files and directories. Because a persistent object, once created, generally exists until it is explicitly destroyed, it may outlive several system startups. A memory-resident table therefore can't be used to associate persistent objects with their SIDs, because the contents of such tables do not survive a reboot: the mapping would have to be rebuilt from scratch every time the system started. Associating a persistent object with its security context is therefore somewhat more complicated.
In general, persistent objects are associated with Linux filesystems, which can be used to store their security contexts. Several Linux filesystem types, including the standard ext2 and ext3 filesystem types, provide an extended attribute feature that can be enabled during compilation of a Linux kernel. SELinux uses the extended attribute to store persistent security identifiers (PSIDs) on the filesystem. SELinux uses memory-resident tables to map PSIDs to SIDs, and thence to security ...