Library Support

The Flask architecture requires a separation between policy decisions and their enforcement [10]. In the SELinux runtime environment, policy decisions are obtained from the "security server" which is part of the kernel [5]. One of the key decisions made in the planning stages for the X work was to continue using the kernel security server to obtain policy decisions. This allows the existing SELinux policy toolchain to be reused and keeps policy centralized in a single place [8]. However, it required the development of supporting infrastructure to allow efficient retrieval of policy decisions from userspace, as well as notification of significant policy events such as reloading or invalidation.

The security_compute_av SELinux library call may be used to obtain policy decisions from the kernel. However, this interface returns raw decision vectors rather than a simple yes/no answer, provides no auditing, and does not cache decisions, requiring a resource-intensive trap into kernel space on each use. These issues were resolved by porting the existing access vector cache (AVC) from the kernel into userspace, making it a part of the SELinux library. The userspace AVC uses security_compute_av internally but provides an improved interface to the user, including automatic logging and caching of decisions in the same manner as the kernel AVC.

The security_compute_av call allows synchronous retrieval of policy decisions, but some policy events, such as policy reloads, are asynchronous. The userspace AVC must be made aware of these events in order to discard any cached decisions that may have been rendered invalid. The existing selinuxfs interface being insufficient for asynchronous communication, a new, netlink-based interface was introduced. An SELinux message family was created along with message types for enforcement mode changes and policy reloads. The userspace AVC was then enhanced to listen for these messages, optionally on a dedicated background thread, updating its cached decisions as appropriate.

The userspace AVC is substantially complete, and has been a part of the SELinux library (libselinux) since version 1.8. However, userspace object manager support in libselinux is not yet complete; refer to Section 5.1 for a discussion of the proposed labeling interface.