
List:       selinux
Subject:    Re: SELinux and SID
From:       Stephen Smalley <sds () tycho ! nsa ! gov>
Date:       2006-05-30 15:40:52
Message-ID: 1149003652.524.64.camel () moss-spartans ! epoch ! ncsc ! mil

On Tue, 2006-05-30 at 08:19 -0400, Joshua Brindle wrote:
> Mario Fanelli wrote:
> >
> > I read that SELinux uses extended attributes to maintain the SID/file 
> > mapping. I have a Fedora Core 5 system with an ext3 filesystem, but if I 
> > use the getfattr command on any file I don't obtain anything that resembles 
> > a SID. Am I wrong?
> >
> > Where does SELinux store the SID?
> >
> You have to tell it what attribute name you want
> 
> $ getfattr -n security.selinux .
> # file: .
> security.selinux="system_u:object_r:root_t:s0\000"

Note btw that security context strings are stored on the filesystem, not
the (non-persistent non-global) SIDs (which are only stored in the
in-core inodes).  Older versions of SELinux (pre-2.6) stored a separate
persistent SID in the on-disk inodes (with a per-fs mapping from
persistent SIDs to contexts), but that was eliminated when we migrated
to using xattrs.

getfattr only displays attributes in the user namespace by default.  To
display all attributes on a file, you'd do something like:
$ getfattr -m "" -d /path/to/file

Or to see attributes in just the security namespace:
$ getfattr -m "^security" -d /path/to/file

-- 
Stephen Smalley
National Security Agency
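
Added example, not part of the original message: Python code that reads the security.selinux attribute discussed above directly with os.getxattr (Linux only) and splits the stored context string into its fields. The names Context, parse_context, read_context and unlabeled are hypothetical, and the sample value is the one shown in the thread.

```python
import os
from typing import Iterable, List, NamedTuple, Optional

XATTR_NAME = "security.selinux"  # attribute name given in the thread


class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: Optional[str]  # None when the policy has no MLS/MCS field


def parse_context(raw: bytes) -> Context:
    """Split a raw security.selinux value into user, role, type and level."""
    # The stored string may end in a NUL byte (the \000 in getfattr output).
    text = raw.rstrip(b"\x00").decode("ascii")
    # The level can itself contain colons (s0-s0:c0.c1023), so split 3 times at most.
    parts = text.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a security context: {text!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else None)


def read_context(path: str) -> Optional[Context]:
    """Return the context stored on disk for path, or None if it has no label."""
    try:
        # Do not follow symlinks: a link carries its own label.
        raw = os.getxattr(path, XATTR_NAME, follow_symlinks=False)
    except OSError:
        # Missing attribute, no xattr support on this filesystem, or no such file.
        return None
    return parse_context(raw)


def unlabeled(paths: Iterable[str]) -> List[str]:
    """Paths for which no security.selinux attribute could be read."""
    return [p for p in paths if read_context(p) is None]


if __name__ == "__main__":
    sample = b"system_u:object_r:root_t:s0\x00"  # value from the thread
    print(parse_context(sample))
    print(read_context("."))
```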

