Library Interfaces

As discussed previously, the property and extension object classes are labeled with a type that is derived from the name of the object. Types are defined in the SELinux policy, but currently, the mapping from names to types is kept in a configuration file that is part of the code base and installed as part of the X server. The X Flask module must load this file and parse its contents on server startup, and the parsing code constitutes a large part of the module at present.

The X server is not the only instance of a userspace object manager needing a string to type mapping. The D-Bus daemon uses such a mapping to label D-Bus messaging channels from their names, and the file contexts configuration consists essentially of such a mapping with regular expression matching semantics. In general it is likely that there will be a need for more such mappings as more userspace object managers are developed.

The author is developing a standard mechanism for use in querying such mappings, which would be a part of libselinux and store the mapping data in the policy configuration in a similar manner to the file_contexts data. This would work well with a modular policy that ships policy modules with each application, and would allow userspace object manager code to call a streamlined API instead of having to load and parse configuration data on a per-manager basis. This ``labeling API'' is a work in progress and early versions of it have been posted to the SELinux mailing list for review.