The security_compute_av SELinux library call may be used to obtain policy decisions from the kernel. However, this interface returns raw decision vectors rather than a simple yes/no answer, provides no auditing, and does not cache decisions, requiring a resource-intensive trap into kernel space on each use. These issues were resolved by porting the existing access vector cache (AVC) from the kernel into userspace, making it a part of the SELinux library. The userspace AVC uses security_compute_av internally but provides an improved interface to the user, including automatic logging and caching of decisions in the same manner as the kernel AVC.
The security_compute_av call allows synchronous retrieval of policy decisions, but some policy events, such as policy reloads, are asynchronous. The userspace AVC must be made aware of these events so that it can discard any cached decisions they may have invalidated. Because the existing selinuxfs interface is insufficient for asynchronous communication, a new netlink-based interface was introduced. An SELinux message family was created along with message types for enforcement mode changes and policy reloads. The userspace AVC was then enhanced to listen for these messages, optionally on a dedicated background thread, updating its cached decisions as appropriate.
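To make the design concrete, the following is an added, constructed miniature of such a userspace AVC in C (example code, not libselinux's implementation). The uavc_* names, the compute_av() stand-in for security_compute_av, and its toy policy are assumptions; it shows the three things the text describes: a raw decision vector reduced to yes/no, cached so the expensive computation runs once, audited on denial, and flushed by a policy-reload notification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of a userspace AVC; not libselinux code. */
typedef uint32_t sid_t;
typedef uint32_t av_t;
#define UAVC_SLOTS 16
struct av_decision { av_t allowed; av_t auditdeny; };  /* raw decision vector */
struct uavc_entry { sid_t ssid, tsid; uint16_t tclass; struct av_decision avd; int valid; };
static struct uavc_entry uavc_cache[UAVC_SLOTS];
static unsigned long uavc_policy_seqno = 1;  /* bumped on each policy reload */
unsigned uavc_computes;                      /* calls into compute_av(), i.e. kernel trips */
unsigned uavc_denials_logged;                /* audit records written */

/* Stand-in for security_compute_av(), which really traps into the kernel. Toy policy
 * (an assumption): 0x1 for everyone; 0x2 only for ssid 100, revoked by a reload. */
static void compute_av(sid_t ssid, sid_t tsid, uint16_t tclass, struct av_decision *avd) {
    (void)tsid; (void)tclass;
    uavc_computes++;
    avd->allowed = 0x1;
    if (ssid == 100 && uavc_policy_seqno == 1) avd->allowed |= 0x2;
    avd->auditdeny = ~0u;  /* audit every denial */
}

/* Look up (ssid, tsid, tclass); on a miss, compute the decision and cache it. */
static struct uavc_entry *uavc_lookup(sid_t ssid, sid_t tsid, uint16_t tclass) {
    struct uavc_entry *e = &uavc_cache[(ssid ^ (tsid << 2) ^ tclass) % UAVC_SLOTS];
    if (e->valid && e->ssid == ssid && e->tsid == tsid && e->tclass == tclass) return e;
    e->ssid = ssid; e->tsid = tsid; e->tclass = tclass; e->valid = 1;
    compute_av(ssid, tsid, tclass, &e->avd);
    return e;
}

/* Simplified interface: 0 if all requested permissions are allowed, else -1 plus an audit record. */
int uavc_has_perm(sid_t ssid, sid_t tsid, uint16_t tclass, av_t requested) {
    struct uavc_entry *e = uavc_lookup(ssid, tsid, tclass);
    av_t denied = requested & ~e->avd.allowed;
    if (!denied) return 0;
    if (denied & e->avd.auditdeny) {
        uavc_denials_logged++;
        fprintf(stderr, "avc: denied { 0x%x } ssid=%u tsid=%u tclass=%u\n", denied, ssid, tsid, tclass);
    }
    return -1;
}

/* Policy-reload handler (netlink-driven in the real design): drop every cached decision. */
void uavc_policy_reload(void) {
    uavc_policy_seqno++;
    memset(uavc_cache, 0, sizeof uavc_cache);
}
```

A real object manager would call libselinux's avc_has_perm() and let avc_netlink_loop() or the background thread drive the reload handling; the model only makes the caching and invalidation behaviour visible.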
The userspace AVC is substantially complete, and has been a part of the SELinux library (libselinux) since version 1.8. However, userspace object manager support in libselinux is not yet complete; refer to Section 5.1 for a discussion of the proposed labeling interface.