NB Userspace Libraries

From SELinux Wiki
Jump to: navigation, search

libselinux Library

libselinux contains all the SELinux functions necessary to build userspace SELinux-aware applications and object managers using 'C', Python, Ruby and PHP languages.

The library hides the low level functionality of (but not limited to):

  • The SELinux filesystem that interfaces to the SELinux kernel security server.
  • The proc filesystem that maintains process state information and security contexts - see proc(5).
  • Extended attribute services that manage the extended attributes associated to files, sockets etc. - see attr(5).
  • The SELinux policy and its associated configuration files.

The general category of functions available in libselinux are shown in Table 1, with libselinux API Summary giving a complete list of functions.

Table 1: libselinux function types
Function Category
Description
Access Vector Cache Services Allow access decisions to be cached and audited.
Boolean Services Manage booleans.
Class and Permission Management Class / permission string conversion and mapping.
Compute Access Decisions Determine if access is allowed or denied.
Compute Labeling Compute labels to be applied to new instances of on object.
Default File Labeling Obtain default contexts for file operations.
File Creation Labeling Get and set file creation contexts.
File Labeling Get and set file and file descriptor extended attributes.
General Context Management Check contexts are valid, get and set context components.
Key Creation Labeling Get and set kernel key creation contexts.
Label Translation Management Translate to/from, raw/readable contexts.
Netlink Services Used to detect policy reloads and enforcement changes.
Process Labeling Get and set process contexts.
SELinux Management Services Load policy, set enforcement mode, obtain SELinux configuration information.
SELinux-aware Application Labeling Retrieve default contexts for applications such as database and X-Windows.
Socket Creation Labeling Get and set socket creation contexts.
User Session Management Retrieve default contexts for user sessions.


Other SELinux userspace libraries are:

libsepol - To build and manipulate the contents of SELinux kernel binary policy files.
libsemanage - To manage the policy infrastructure.

Details of the libraries, core SELinux utilities and commands with source code are available at:

https://github.com/SELinuxProject/selinux/wiki

The versions of kernel and SELinux tools and libraries influence the features available, therefore it is important to establish what level of functionality is required for the application. The Policy Versions section shows the policy versions and the additional features they support.

Writing kernel based object managers is a more specialised subject and is not covered in this section.

The libselinux functions make use of a number of files within the SELinux sub-system:

  1. The SELinux configuration file config that is described in the /etc/selinux/config file section.
  2. The SELinux filesystem interface between userspace and kernel that is generally mounted as /selinux or /sys/fs/selinux and described in the SELinux Filesystem section.
  3. The proc filesystem that maintains process state information and security contexts - see proc(5).
  4. The extended attribute services that manage the extended attributes associated to files, sockets etc. - see attr(5).
  5. The SELinux kernel binary policy that describes the enforcement policy.
  6. A number of libselinux functions have their own configuration files that in conjunction with the policy, allow additional levels of configuration. These are described in the Policy Configuration Files section and also in the following man pages:

booleans(5), customizable_types(5), default_contexts(5), default_type(5), failsafe_context(5), file_contexts(5), local.users(5), media(5), removable_context(5), securetty_type(5), selabel_db(5), selabel_file(5), selabel_media(5), selabel_x(5), sepgsql_contexts(5), service_seusers(5), seusers(5), user_contexts(5), virtual_domain_context(5), virtual_image_context(5), x_contexts(5)


Previous
Home
Next