Difference between revisions of "LibselinuxAPISummary"
= API Summary for libselinux =
The API summary has been taken from the '''libselinux 2.0.96''' release and sorted in alphabetical order. There are 166 functions available in this release, although 4 are deprecated. The appropriate man (3) pages should be consulted for detailed usage.

{| border="1"
|-
| avc_add_callback
| Register a callback for security events.
|-
| avc_audit
| Audit the granting or denial of permissions in accordance with the policy. This function is typically called by avc_has_perm() after a permission check, but can also be called directly by callers who use avc_has_perm_noaudit() in order to separate the permission check from the auditing. For example, this separation is useful when the permission check must be performed under a lock, to allow the lock to be released before calling the auditing code.
|-
| avc_av_stats
| Log AV table statistics.
|-
| avc_cache_stats
| Get cache access statistics.
|-
| avc_cleanup
| Remove unused SIDs and AVC entries.
|-
| avc_compute_create
| Compute SID for labeling a new object.
Call the security server to obtain a context for labeling a new object. Look up the context in the SID table, making a new entry if not found. Store a pointer to the SID structure into the memory referenced by @newsid, returning %0 on success or -%1 on error with @errno set.
| avc.h
|-
| avc_compute_member
| Compute SID for polyinstantiation.
Call the security server to obtain a context for labeling an object instance. Look up the context in the SID table, making a new entry if not found. Store a pointer to the SID structure into the memory referenced by @newsid, returning %0 on success or -%1 on error with @errno set.
| avc.h
|-
| avc_context_to_sid
avc_context_to_sid_raw
| Get SID for context. Look up security context @ctx in SID table, making a new entry if @ctx is not found. Store a pointer to the SID structure into the memory referenced by @sid, returning %0 on success or -%1 on error with @errno set.
| avc.h
|-
| avc_destroy
| Free all AVC structures.
|-
| avc_entry_ref_init
| Initialize an AVC entry reference.
|-
| avc_get_initial_sid
| Get SID for an initial kernel security identifier.
|-
| avc_has_perm
| Check permissions and perform any appropriate auditing.
|-
| avc_has_perm_noaudit
| Check permissions but perform no auditing. Check the AVC to determine whether the @requested permissions are granted for the SID pair (@ssid, @tsid), interpreting the permissions based on @tclass, and call the security server on a cache miss to obtain a new decision and add it to the cache. Update @aeref to refer to an AVC entry with the resulting decisions, and return a copy of the decisions in @avd. Return %0 if all @requested permissions are granted, -%1 with @errno set to %EACCES if any permissions are denied, or to another value upon other errors. This function is typically called by avc_has_perm(), but may also be called directly to separate permission checking from auditing, e.g. in cases where a lock must be held for the check but should be released for the auditing.
|-
| avc_init (deprecated)
| Legacy userspace SELinux AVC setup - use <tt>avc_open</tt>.
Initialize the access vector cache. Return %0 on success or -%1 with @errno set on failure. If @msgprefix is NULL, uses "uavc". If any callback structure references are NULL, use default methods for those callbacks (see the definition of the callback structures).
| avc.h
|-
| avc_netlink_acquire_fd
| Acquire netlink socket fd. Allows the application to manage messages from the netlink socket in its own main loop.
|-
| avc_netlink_check_nb
| Check netlink socket for new messages. Called by the application when using <tt>avc_netlink_acquire_fd()</tt> to process kernel netlink events.
|-
| avc_netlink_close
| Close the netlink socket.
|-
| avc_netlink_loop
| Wait for netlink messages from the kernel.
|-
| avc_netlink_open
| Create a netlink socket and connect to the kernel.
|-
| avc_netlink_release_fd
| Release netlink socket fd. Returns ownership of the netlink socket to the library.
|-
| avc_open
| Initialize the AVC. This function is identical to avc_init() except that the message prefix is set to "avc" and any callbacks desired should be specified via selinux_set_callback(). Enforcing mode can be set using <tt>AVC_OPT_SETENFORCE</tt>; this overrides the kernel setting.
| avc.h
|-
| avc_reset
| Flush the cache and reset statistics. Remove all entries from the cache and reset all access statistics (as returned by avc_cache_stats()) to zero. The SID mapping is not affected. Return %0 on success, -%1 with @errno set on error.
|-
| avc_sid_stats
| Log SID table statistics. Log a message with information about the size and distribution of the SID table. The audit callback is used to print the message.
|-
| avc_sid_to_context
|-
| checkPasswdAccess (deprecated)
| Check a permission in the passwd class. Return 0 if granted or -1 otherwise.
| selinux.h
|-
| context_free
| Free the storage used by a context.
|-
| context_new
| Return a new context initialized to a context string.
|-
| context_range_get
| Get a pointer to the range.
|-
| context_range_set
| Set the range component. Returns nonzero if unsuccessful.
|-
| context_role_get
| Get a pointer to the role.
|-
| context_role_set
| Set the role component. Returns nonzero if unsuccessful.
|-
| context_str
| Return a pointer to the string value of context_t. Valid until the next call to context_str or context_free for the same context_t*.
|-
| context_type_get
| Get a pointer to the type.
|-
| context_type_set
| Set the type component. Returns nonzero if unsuccessful.
|-
| context_user_get
| Get a pointer to the user.
|-
| context_user_set
| Set the user component. Returns nonzero if unsuccessful.
|-
| fgetfilecon
|-
| fini_selinuxmnt
| Deinitialises the global variable selinux_mnt, which holds the selinuxfs mountpoint.
|
|-
| freecon
| Free the memory allocated for a context by any of the get* calls.
|-
| freeconary
| Free the memory allocated for a context array by security_compute_user.
|-
| fsetfilecon
|-
| get_default_context
| Get the default security context for a user session for 'user' spawned by 'fromcon' and set <nowiki>*newcon</nowiki> to refer to it. The context will be one of those authorized by the policy, but the selection of a default is subject to user customizable preferences. If 'fromcon' is NULL, defaults to current context. Returns 0 on success or -1 otherwise. Caller must free via freecon.
|-
| get_default_context_with_level
| Same as get_default_context, but use the provided MLS level rather than the default level for the user.
|-
| get_default_context_with_role
| Same as get_default_context, but only return a context that has the specified role.
|-
| get_default_context_with_rolelevel
| Same as get_default_context, but only return a context that has the specified role and level.
|-
| get_default_type
| Get the default type (domain) for 'role' and set 'type' to refer to it. Caller must free via free(). Return 0 on success or -1 otherwise.
|-
| get_ordered_context_list
| Get an ordered list of authorized security contexts for a user session for 'user' spawned by 'fromcon' and set <nowiki>*conary</nowiki> to refer to the NULL-terminated array of contexts. Every entry in the list will be authorized by the policy, but the ordering is subject to user customizable preferences. Returns number of entries in <nowiki>*conary</nowiki>. If 'fromcon' is NULL, defaults to current context. Caller must free via freeconary.
|-
| get_ordered_context_list_with_level
| Same as get_ordered_context_list, but use the provided MLS level rather than the default level for the user.
|-
| getcon
|-
| getexeccon
|-
| getfilecon
|-
| getfscreatecon
|-
| getkeycreatecon
|-
| getpeercon
|-
| getpidcon
|-
| getprevcon
|-
| getseuser
| Get the SELinux username and level to use for a given Linux username and service. These values may then be passed into the get_ordered_context_list* and get_default_context* functions to obtain a context for the user. Returns 0 on success or -1 otherwise. Caller must free the returned strings via free().
|-
| getseuserbyname
| Get the SELinux username and level to use for a given Linux username. These values may then be passed into the get_ordered_context_list* and get_default_context* functions to obtain a context for the user. Returns 0 on success or -1 otherwise. Caller must free the returned strings via free().
|-
| getsockcreatecon
|-
| init_selinuxmnt
| Initialises the global variable selinux_mnt to the selinuxfs mountpoint.
|
|-
| is_context_customizable
| Returns whether a file context is customizable, and should not be relabeled.
|-
| is_selinux_enabled
| Return 1 if running on a SELinux kernel, 0 if not, or -1 on error.
|-
| is_selinux_mls_enabled
| Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise.
|-
| lgetfilecon
|-
| lsetfilecon
|-
| manual_user_enter_context
| Allow the user to manually enter a context as a fallback if a list of authorized contexts could not be obtained. Caller must free via freecon. Returns 0 on success or -1 otherwise.
|-
| matchmediacon
| Match the specified media against the media contexts configuration and set <nowiki>*con</nowiki> to refer to the resulting context. Caller must free con via freecon.
|-
| matchpathcon
| Match the specified pathname and mode against the file contexts configuration and set <nowiki>*con</nowiki> to refer to the resulting context. 'mode' can be 0 to disable mode matching. Caller must free via freecon. If matchpathcon_init has not already been called, then this function will call it upon its first invocation with a NULL path.
|-
| matchpathcon_checkmatches
| Check to see whether any specifications had no matches and report them. The 'str' is used as a prefix for any warning messages.
|-
| matchpathcon_filespec_add
| Maintain an association between an inode and a specification index, and check whether a conflicting specification is already associated with the same inode (e.g. due to multiple hard links). If so, then use the latter of the two specifications based on their order in the file contexts configuration. Return the used specification index.
|-
| matchpathcon_filespec_destroy
| Destroy any inode associations that have been added, e.g. to restart for a new filesystem.
|-
| matchpathcon_filespec_eval
| Display statistics on the hash table usage for the associations.
|-
| matchpathcon_fini
| Free the memory allocated by matchpathcon_init.
|-
| matchpathcon_index
| Same as matchpathcon, but return a specification index for later use in a matchpathcon_filespec_add() call.
| selinux.h
|-
| matchpathcon_init
| Load the file contexts configuration specified by 'path' into memory for use by subsequent matchpathcon calls. If 'path' is NULL, then load the active file contexts configuration, i.e. the path returned by selinux_file_context_path(). Unless the MATCHPATHCON_BASEONLY flag has been set, this function also checks for a 'path'.homedirs file and a 'path'.local file and loads additional specifications from them if present.
|-
| matchpathcon_init_prefix
| Same as matchpathcon_init, but only load entries with regexes that have stems that are prefixes of 'prefix'.
|-
| print_access_vector
| Display an access vector in a string representation.
|-
| query_user_context
| Given a list of authorized security contexts for the user, query the user to select one and set <nowiki>*newcon</nowiki> to refer to it. Caller must free via freecon. Returns 0 on success or -1 otherwise.
|- | |- | ||
− | |||
− | |||
− | |||
| rpm_execcon | | rpm_execcon | ||
| Execute a helper for rpm in an appropriate security context. | | Execute a helper for rpm in an appropriate security context. | ||
Line 676: | Line 455: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_av_perm_to_string | | security_av_perm_to_string | ||
| Convert access vector permissions to string names. | | Convert access vector permissions to string names. | ||
Line 684: | Line 460: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_av_string | | security_av_string | ||
| Returns an access vector in a string representation. User must free the returned string via free(). | | Returns an access vector in a string representation. User must free the returned string via free(). | ||
Line 692: | Line 465: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_canonicalize_context | | security_canonicalize_context | ||
Line 702: | Line 472: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_check_context | | security_check_context | ||
Line 712: | Line 479: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_class_to_string | | security_class_to_string | ||
| Convert security class values to string names. | | Convert security class values to string names. | ||
Line 720: | Line 484: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_commit_booleans | | security_commit_booleans | ||
| Commit the pending values for the booleans. | | Commit the pending values for the booleans. | ||
Line 728: | Line 489: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_compute_av | | security_compute_av | ||
Line 738: | Line 496: | ||
|- | |- | ||
+ | | security_compute_av_flags | ||
+ | security_compute_av_flags_raw | ||
+ | | | ||
+ | | selinux.h | ||
− | + | |- | |
| security_compute_create | | security_compute_create | ||
Line 748: | Line 510: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_compute_member | | security_compute_member | ||
Line 758: | Line 517: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_compute_relabel | | security_compute_relabel | ||
Line 768: | Line 524: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_compute_user | | security_compute_user | ||
Line 778: | Line 531: | ||
|- | |- | ||
+ | | security_deny_unknown | ||
+ | | Get the behavior for undefined classes / permissions. | ||
+ | | selinux.h | ||
− | + | |- | |
− | + | ||
| security_disable | | security_disable | ||
| Disable SELinux at runtime (must be done prior to initial policy load). | | Disable SELinux at runtime (must be done prior to initial policy load). | ||
Line 786: | Line 541: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_get_boolean_active | | security_get_boolean_active | ||
| Get the active value for the boolean. | | Get the active value for the boolean. | ||
Line 794: | Line 546: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_get_boolean_names | | security_get_boolean_names | ||
| Get the boolean names | | Get the boolean names | ||
Line 802: | Line 551: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_get_boolean_pending | | security_get_boolean_pending | ||
| Get the pending value for the boolean. | | Get the pending value for the boolean. | ||
Line 810: | Line 556: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_get_initial_context | | security_get_initial_context | ||
Line 820: | Line 563: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_getenforce | | security_getenforce | ||
| Get the enforce flag value. | | Get the enforce flag value. | ||
Line 828: | Line 568: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_load_booleans | | security_load_booleans | ||
| Load policy boolean settings. Path may be NULL, in which case the booleans are loaded from the active policy boolean configuration file. | | Load policy boolean settings. Path may be NULL, in which case the booleans are loaded from the active policy boolean configuration file. | ||
Line 836: | Line 573: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_load_policy | | security_load_policy | ||
| Load a policy configuration. | | Load a policy configuration. | ||
Line 844: | Line 578: | ||
|- | |- | ||
+ | | '''selinux_mkload_policy''' | ||
+ | | Make a policy image and load it. This is a higher level interface for loading policy than <tt>security_load_policy</tt>. | ||
+ | | selinux.h | ||
− | + | |- | |
− | + | ||
| security_policyvers | | security_policyvers | ||
| Get the policy version number. | | Get the policy version number. | ||
Line 852: | Line 588: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_set_boolean | | security_set_boolean | ||
| Set the pending value for the boolean. | | Set the pending value for the boolean. | ||
Line 860: | Line 593: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_set_boolean_list | | security_set_boolean_list | ||
| Save a list of booleans in a single transaction. | | Save a list of booleans in a single transaction. | ||
Line 868: | Line 598: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| security_setenforce | | security_setenforce | ||
| Set the enforce flag value. | | Set the enforce flag value. | ||
Line 876: | Line 603: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selabel_close | | selabel_close | ||
| Destroy the specified handle, closing files, freeing allocated memory, etc. The handle may not be further used after it has been closed. | | Destroy the specified handle, closing files, freeing allocated memory, etc. The handle may not be further used after it has been closed. | ||
Line 884: | Line 608: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selabel_lookup | | selabel_lookup | ||
Line 894: | Line 615: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selabel_open | | selabel_open | ||
| Create a labeling handle. | | Create a labeling handle. | ||
Line 907: | Line 625: | ||
SELABEL_CTX_X - x_contexts. | SELABEL_CTX_X - x_contexts. | ||
+ | |||
+ | SELABEL_CTX_DB - pgsql_contexts. | ||
Options may be provided via the opts parameter; available options are: | Options may be provided via the opts parameter; available options are: | ||
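Review bot: the new SELABEL_CTX_DB line names the backend file pgsql_contexts, but the selinux_sepgsql_context_path row added later in this same revision calls the file sepgsql_contexts; the two names should agree (sepgsql_contexts is the one the path function is named after).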
Line 924: | Line 644: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selabel_stats | | selabel_stats | ||
| Log a message with information about the number of queries performed, number of unused matching entries, or other operational statistics. Message is backend-specific, some backends may not output a message. | | Log a message with information about the number of queries performed, number of unused matching entries, or other operational statistics. Message is backend-specific, some backends may not output a message. | ||
Line 932: | Line 649: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_binary_policy_path | | selinux_binary_policy_path | ||
| Return path to the binary policy file under the policy root directory. | | Return path to the binary policy file under the policy root directory. | ||
Line 940: | Line 654: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_booleans_path | | selinux_booleans_path | ||
| Return path to the booleans file under the policy root directory. | | Return path to the booleans file under the policy root directory. | ||
Line 948: | Line 659: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_check_passwd_access | | selinux_check_passwd_access | ||
| Check a permission in the passwd class. Return 0 if granted or -1 otherwise. | | Check a permission in the passwd class. Return 0 if granted or -1 otherwise. | ||
Line 956: | Line 664: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_check_securetty_context | | selinux_check_securetty_context | ||
| Check if the tty_context is defined as a securetty<nowiki>. Return 0 if secure, < 0 otherwise.</nowiki> | | Check if the tty_context is defined as a securetty<nowiki>. Return 0 if secure, < 0 otherwise.</nowiki> | ||
Line 964: | Line 669: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_colors_path | | selinux_colors_path | ||
| Return path to file under the policy root directory. | | Return path to file under the policy root directory. | ||
Line 972: | Line 674: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_contexts_path | | selinux_contexts_path | ||
| Return path to contexts directory under the policy root directory. | | Return path to contexts directory under the policy root directory. | ||
Line 980: | Line 679: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_customizable_types_path | | selinux_customizable_types_path | ||
| Return path to customizable_types file under the policy root directory. | | Return path to customizable_types file under the policy root directory. | ||
Line 988: | Line 684: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_default_context_path | | selinux_default_context_path | ||
| Return path to default_context file under the policy root directory. | | Return path to default_context file under the policy root directory. | ||
Line 996: | Line 689: | ||
|- | |- | ||
+ | | selinux_default_type_path | ||
+ | | Return path to default type file. | ||
+ | | get_default_type.h | ||
− | + | |- | |
− | + | ||
| selinux_failsafe_context_path | | selinux_failsafe_context_path | ||
| Return path to failsafe_context file under the policy root directory. | | Return path to failsafe_context file under the policy root directory. | ||
Line 1,004: | Line 699: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_file_context_cmp | | selinux_file_context_cmp | ||
| Compare two file contexts, return 0 if equivalent. | | Compare two file contexts, return 0 if equivalent. | ||
Line 1,012: | Line 704: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_file_context_homedir_path | | selinux_file_context_homedir_path | ||
| Return path to file under the policy root directory. | | Return path to file under the policy root directory. | ||
Line 1,020: | Line 709: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_file_context_local_path | | selinux_file_context_local_path | ||
| Return path to file under the policy root directory. | | Return path to file under the policy root directory. | ||
Line 1,028: | Line 714: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_file_context_path | | selinux_file_context_path | ||
| Return path to file under the policy root directory. | | Return path to file under the policy root directory. | ||
Line 1,036: | Line 719: | ||
|- | |- | ||
+ | | selinux_file_context_subs_path | ||
+ | | Return path to file under the policy root directory. | ||
+ | | selinux.h | ||
− | + | |- | |
− | + | ||
| selinux_file_context_verify | | selinux_file_context_verify | ||
| Verify the context of the file 'path' against policy. Return 0 if correct. | | Verify the context of the file 'path' against policy. Return 0 if correct. | ||
Line 1,044: | Line 729: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_getenforcemode | | selinux_getenforcemode | ||
| Reads the /etc/selinux/config file and determines whether the machine should be started in enforcing (1), permissive (0) or disabled (-1) mode. | | Reads the /etc/selinux/config file and determines whether the machine should be started in enforcing (1), permissive (0) or disabled (-1) mode. | ||
Line 1,052: | Line 734: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_getpolicytype | | selinux_getpolicytype | ||
| Reads the /<tt>etc/selinux/config</tt> file and determines what the default policy for the machine is. Calling application must free policytype. | | Reads the /<tt>etc/selinux/config</tt> file and determines what the default policy for the machine is. Calling application must free policytype. | ||
Line 1,060: | Line 739: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_homedir_context_path | | selinux_homedir_context_path | ||
| Return path to file under the policy root directory. | | Return path to file under the policy root directory. | ||
Line 1,068: | Line 744: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_init_load_policy | | selinux_init_load_policy | ||
| Perform the initial policy load. | | Perform the initial policy load. | ||
Line 1,080: | Line 753: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_lsetfilecon_default | | selinux_lsetfilecon_default | ||
| This function sets the file context on to the system defaults returns 0 on success. | | This function sets the file context on to the system defaults returns 0 on success. | ||
Line 1,088: | Line 758: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_media_context_path | | selinux_media_context_path | ||
| Return path to file under the policy root directory. | | Return path to file under the policy root directory. | ||
Line 1,096: | Line 763: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_mkload_policy | | selinux_mkload_policy | ||
| Make a policy image and load it. | | Make a policy image and load it. | ||
Line 1,108: | Line 772: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_netfilter_context_path | | selinux_netfilter_context_path | ||
| Returns path to the netfilter_context file under the policy root directory. | | Returns path to the netfilter_context file under the policy root directory. | ||
Line 1,116: | Line 777: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_path | | selinux_path | ||
| Returns path to the policy root directory. | | Returns path to the policy root directory. | ||
Line 1,124: | Line 782: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_policy_root | | selinux_policy_root | ||
| Reads the /etc/selinux/config file and returns the top level directory. | | Reads the /etc/selinux/config file and returns the top level directory. | ||
Line 1,132: | Line 787: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_raw_context_to_color | | selinux_raw_context_to_color | ||
| Perform context translation between security contexts and display colors. Returns a space-separated list of ten ten hex RGB triples prefixed by hash marks, e.g. "<nowiki>#ff0000</nowiki>". Caller must free the resulting string via free(). Returns -1 upon an error or 0 otherwise. | | Perform context translation between security contexts and display colors. Returns a space-separated list of ten ten hex RGB triples prefixed by hash marks, e.g. "<nowiki>#ff0000</nowiki>". Caller must free the resulting string via free(). Returns -1 upon an error or 0 otherwise. | ||
Line 1,140: | Line 792: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_raw_to_trans_context | | selinux_raw_to_trans_context | ||
| Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon. Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0. | | Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon. Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0. | ||
Line 1,148: | Line 797: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_removable_context_path | | selinux_removable_context_path | ||
| Return path to file under the policy root directory. | | Return path to file under the policy root directory. | ||
Line 1,156: | Line 802: | ||
|- | |- | ||
+ | | selinux_reset_config | ||
+ | | Force a reset of the loaded configuration. Not thread-safe. | ||
+ | | selinux.h | ||
− | + | |- | |
− | + | ||
| selinux_securetty_types_path | | selinux_securetty_types_path | ||
| Return path to the securetty_types file under the policy root directory. | | Return path to the securetty_types file under the policy root directory. | ||
Line 1,164: | Line 812: | ||
|- | |- | ||
+ | | selinux_sepgsql_context_path | ||
+ | | Return path to the <tt>sepgsql_context</tt> file under the policy root directory. | ||
+ | | selinux.h | ||
+ | |||
+ | |- | ||
+ | | selinux_set_callback | ||
+ | | Sets up a call back for the following events: | ||
+ | |||
+ | <tt>SELINUX_CB_LOG</tt> - to add additional info to audit log. | ||
+ | |||
+ | <tt>SELINUX_CB_AUDIT</tt> - to add additional audit info when using calls like <tt>avc_has_perm</tt> that can cause an audit evet to be generated. | ||
+ | <tt>SELINUX_CB_VALIDATE</tt> - to validate a context (used by <tt>setfiles</tt> for setting contexts on policies that are not active - see<tt> setfiles.c</tt>). | ||
+ | <tt>SELINUX_CB_SETENFORCE</tt> - to run user defined functions whenever the state changes. | ||
+ | <tt>SELINUX_CB_POLICYLOAD</tt> - to run user defined functions whenever the policy is reloaded. | ||
+ | | selinux.h | ||
+ | |||
+ | |- | ||
| selinux_set_mapping | | selinux_set_mapping | ||
| Userspace class mapping support. | | Userspace class mapping support. | ||
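Review bot: in the new selinux_set_callback row, "call back" should be "callback", "audit evet" should be "audit event", and the space in "see<tt> setfiles.c</tt>" belongs before the tag, not inside it. The five SELINUX_CB_* items are separated by blank lines only for the first two; separate all five or none. "whenever the state changes" for SELINUX_CB_SETENFORCE is vague: say whenever the enforcing mode changes, which is what the constant's name refers to.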
Line 1,172: | Line 837: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_trans_to_raw_context | | selinux_trans_to_raw_context | ||
| Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon. Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0. | | Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon. Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0. | ||
Line 1,180: | Line 842: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_translations_path | | selinux_translations_path | ||
| Return path to setrans.conf file under the policy root directory. | | Return path to setrans.conf file under the policy root directory. | ||
Line 1,188: | Line 847: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_user_contexts_path | | selinux_user_contexts_path | ||
| Return path to file under the policy root directory. | | Return path to file under the policy root directory. | ||
Line 1,196: | Line 852: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_users_path | | selinux_users_path | ||
| Return path to file under the policy root directory. | | Return path to file under the policy root directory. | ||
Line 1,204: | Line 857: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_usersconf_path | | selinux_usersconf_path | ||
| Return path to file under the policy root directory. | | Return path to file under the policy root directory. | ||
Line 1,212: | Line 862: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_virtual_domain_context_path | | selinux_virtual_domain_context_path | ||
| Return path to file under the policy root directory. | | Return path to file under the policy root directory. | ||
Line 1,220: | Line 867: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_virtual_image_context_path | | selinux_virtual_image_context_path | ||
| Return path to file under the policy root directory. | | Return path to file under the policy root directory. | ||
Line 1,228: | Line 872: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| selinux_x_context_path | | selinux_x_context_path | ||
| Return path to x_context file under the policy root directory. | | Return path to x_context file under the policy root directory. | ||
Line 1,236: | Line 877: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| set_matchpathcon_canoncon | | set_matchpathcon_canoncon | ||
− | | Same as | + | | Same as set_matchpathcon_invalidcon but also allows canonicalization of the context, by changing <nowiki>*context</nowiki> to refer to the canonical form. If not set, and invalidcon is also not set, then this defaults to calling security_canonicalize_context(). |
| selinux.h | | selinux.h | ||
|- | |- | ||
− | |||
− | |||
− | |||
| set_matchpathcon_flags | | set_matchpathcon_flags | ||
| Set flags controlling operation of matchpathcon_init or matchpathcon: | | Set flags controlling operation of matchpathcon_init or matchpathcon: | ||
Line 1,258: | Line 893: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| set_matchpathcon_invalidcon | | set_matchpathcon_invalidcon | ||
| Set the function used by matchpathcon_init when checking the validity of a context in the file_contexts configuration. If not set, then this defaults to a test based on security_check_context(). The function is also responsible for reporting any such error, and may include the 'path' and 'lineno' in such error messages. | | Set the function used by matchpathcon_init when checking the validity of a context in the file_contexts configuration. If not set, then this defaults to a test based on security_check_context(). The function is also responsible for reporting any such error, and may include the 'path' and 'lineno' in such error messages. | ||
Line 1,266: | Line 898: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| set_matchpathcon_printf | | set_matchpathcon_printf | ||
| Set the function used by matchpathcon_init when displaying errors about the file_contexts configuration. If not set, then this defaults to fprintf(stderr, fmt, ...). | | Set the function used by matchpathcon_init when displaying errors about the file_contexts configuration. If not set, then this defaults to fprintf(stderr, fmt, ...). | ||
Line 1,274: | Line 903: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| set_selinuxmnt | | set_selinuxmnt | ||
| Set the path to the selinuxfs mount point explicitly. Normally, this is determined automatically during libselinux initialization, but this is not always possible, e.g. for /sbin/init which performs the initial mount of selinuxfs. | | Set the path to the selinuxfs mount point explicitly. Normally, this is determined automatically during libselinux initialization, but this is not always possible, e.g. for /sbin/init which performs the initial mount of selinuxfs. | ||
Line 1,282: | Line 908: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| setcon | | setcon | ||
Line 1,294: | Line 917: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| setexeccon | | setexeccon | ||
Line 1,304: | Line 924: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| setfilecon | | setfilecon | ||
Line 1,314: | Line 931: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| setfscreatecon | | setfscreatecon | ||
Line 1,324: | Line 938: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| setkeycreatecon | | setkeycreatecon | ||
Line 1,334: | Line 945: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| setsockcreatecon | | setsockcreatecon | ||
Line 1,344: | Line 952: | ||
|- | |- | ||
− | + | | sidget (depreciated) | |
− | + | | From 2.0.86 this is a no-op. | |
− | + | ||
− | | sidget | + | |
− | | | + | |
− | + | ||
− | + | ||
| avc.h | | avc.h | ||
|- | |- | ||
− | + | | sidput (depreciated) | |
− | + | | From 2.0.86 this is a no-op. | |
− | + | ||
− | | sidput | + | |
− | | | + | |
− | + | ||
− | + | ||
| avc.h | | avc.h | ||
|- | |- | ||
− | |||
− | |||
− | |||
| string_to_av_perm | | string_to_av_perm | ||
| Convert string names to access vector permissions. | | Convert string names to access vector permissions. | ||
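Review bot: "depreciated" in the sidget and sidput rows should be "deprecated"; the same misspelling is in the introduction's count of deprecated functions, so fix both in one pass.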
Line 1,372: | Line 967: | ||
|- | |- | ||
− | |||
− | |||
− | |||
| string_to_security_class | | string_to_security_class | ||
| Convert string names to security class values. | | Convert string names to security class values. |
Revision as of 13:48, 15 August 2010
API Summary for libselinux
The API summary has been taken from the libselinux 2.0.96 release and sorted in alphabetical order. There are 166 functions available in this release, of which 4 are deprecated. The appropriate man (3) pages should be consulted for detailed usage.
Function Name | Description | Header File |
---|---|---|
avc_add_callback | Register a callback for security events.
Register a callback function for events in the set @events related to the SID pair (@ssid, @tsid) and and the permissions @perms, interpreting @perms based on @tclass. Returns %0 on success or -%1 if insufficient memory exists to add the callback. |
avc.h |
avc_audit | Audit the granting or denial of permissions in accordance with the policy. This function is typically called by avc_has_perm() after a permission check, but can also be called directly by callers who use avc_has_perm_noaudit() in order to separate the permission check from the auditing. For example, this separation is useful when the permission check must be performed under a lock, to allow the lock to be released before calling the auditing code. | avc.h |
avc_av_stats | Log AV table statistics.
Log a message with information about the size and distribution of the access vector table. The audit callback is used to print the message. |
avc.h |
avc_cache_stats | Get cache access statistics.
Fill the supplied structure with information about AVC activity since the last call to avc_init() or avc_reset(). See the structure definition for details. |
avc.h |
avc_cleanup | Remove unused SIDs and AVC entries.
Search the SID table for SID structures with zero reference counts, and remove them along with all AVC entries that reference them. This can be used to return memory to the system. |
avc.h |
avc_compute_create | Compute SID for labeling a new object.
Call the security server to obtain a context for labeling a new object. Look up the context in the SID table, making a new entry if not found. Store a pointer to the SID structure into the memory referenced by @newsid, returning %0 on success or -%1 on error with @errno set. |
avc.h |
avc_compute_member | Compute SID for polyinstantation.
Call the security server to obtain a context for labeling an object instance. Look up the context in the SID table, making a new entry if not found. Store a pointer to the SID structure into the memory referenced by @newsid, returning %0 on success or -%1 on error with @errno set. |
avc.h |
avc_context_to_sid
avc_context_to_sid_raw |
Get SID for context. Look up security context @ctx in SID table, making a new entry if @ctx is not found. Store a pointer to the SID structure into the memory referenced by @sid,returning %0 on success or -%1 on error with @errno set. | avc.h |
avc_destroy | Free all AVC structures.
Destroy all AVC structures and free all allocated memory. User-supplied locking, memory, and audit callbacks will be retained, but security-event callbacks will not. All SID's will be invalidated. User must call avc_init() if further use of AVC is desired. |
avc.h |
avc_entry_ref_init | Initialize an AVC entry reference.
Use this macro to initialize an avc entry reference structure before first use. These structures are passed to avc_has_perm(), which stores cache entry references in them. They can increase performance on repeated queries. |
avc.h |
avc_get_initial_sid | Get SID for an initial kernel security identifier.
Get the context for an initial kernel security identifier specified by @name using security_get_initial_context() and then call avc_context_to_sid() to get the corresponding SID. |
avc.h |
avc_has_perm | Check permissions and perform any appropriate auditing.
Check the AVC to determine whether the @requested permissions are granted for the SID pair (@ssid, @tsid), interpreting the permissions based on @tclass, and call the security server on a cache miss to obtain a new decision and add it to the cache. Update @aeref to refer to an AVC entry with the resulting decisions. Audit the granting or denial of permissions in accordance with the policy. Return %0 if all @requested permissions are granted, -%1 with @errno set to %EACCES if any permissions are denied or to another value upon other errors. |
avc.h |
avc_has_perm_noaudit | Check permissions but perform no auditing. Check the AVC to determine whether the @requested permissions are granted for the SID pair (@ssid, @tsid), interpreting the permissions based on @tclass, and call the security server on a cache miss to obtain a new decision and add it to the cache. Update @aeref to refer to an AVC entry with the resulting decisions, and return a copy of the decisions in @avd. Return %0 if all @requested permissions are granted, -%1 with @errno set to %EACCES if any permissions are denied, or to another value upon other errors. This function is typically called by avc_has_perm(), but may also be called directly to separate permission checking from auditing, e.g. in cases where a lock must be held for the check but should be released for the auditing. | avc.h |
avc_init (depreciated) | Legacy userspace SELinux AVC setup - use avc_open.
Initialize the access vector cache. Return %0 on success or -%1 with @errno set on failure. If @msgprefix is NULL, uses "uavc". If any callback structure references are NULL, use default methods for those callbacks (see the definition of the callback structures). |
avc.h |
avc_netlink_acquire_fd | Create a netlink socket and connect to the kernel. | avc.h |
avc_netlink_check_nb | Wait for netlink messages from the kernel. | avc.h |
avc_netlink_close | Close the netlink socket. | avc.h |
avc_netlink_loop | Acquire netlink socket fd. Allows the application to manage messages from the netlink socket in its own main loop. | avc.h |
avc_netlink_open | Release netlink socket fd. Returns ownership of the netlink socket to the library. | avc.h |
avc_netlink_release_fd | Check netlink socket for new messages. Called by the application when using avc_netlink_acquire_fd() to process kernel netlink events. | avc.h |
avc_open | Initialize the AVC. This function is identical to avc_init() except the message prefix is set to “avc” and any callbacks desired should be specified via selinux_set_callback(). It is possible to set enforcing mode using AVC_OPT_SETENFORCE, this will override the kernel setting. | avc.h |
avc_reset | Flush the cache and reset statistics. Remove all entries from the cache and reset all access statistics (as returned by avc_cache_stats()) to zero. The SID mapping is not affected. Return %0 on success, -%1 with @errno set on error. | avc.h |
avc_sid_stats | Log SID table statistics. Log a message with information about the size and distribution of the SID table. The audit callback is used to print the message. | avc.h |
avc_sid_to_context
avc_sid_to_context_raw |
Get copy of context corresponding to SID. Return a copy of the security context corresponding to the input @sid in the memory referenced by @ctx. The caller is expected to free the context with freecon(). Return %0 on success, -%1 on failure, with @errno set to %ENOMEM if insufficient memory was available to make the copy, or %EINVAL if the input SID is invalid. | avc.h |
checkPasswdAccess (depreciated) | Check a permission in the passwd class. Return 0 if granted or -1 otherwise. | selinux.h |
context_free | Free the storage used by a context. | context.h |
context_new | Return a new context initialized to a context string. | context.h |
context_range_get | Get a pointer to the range. | context.h |
context_range_set | Set the range component. Returns nonzero if unsuccessful. | context.h |
context_role_get | Get a pointer to the role. | context.h |
context_role_set | Set the role component. Returns nonzero if unsuccessful. | context.h |
context_str | Return a pointer to the string value of context_t. Valid until the next call to context_str or context_free for the same context_t*. | context.h |
context_type_get | Get a pointer to the type. | context.h |
context_type_set | Set the type component. Returns nonzero if unsuccessful. | context.h |
context_user_get | Get a pointer to the user. | context.h |
context_user_set | Set the user component. Returns nonzero if unsuccessful. | context.h |
fgetfilecon
fgetfilecon_raw |
Wrapper for the xattr API - Get file context, and set *con to refer to it. Caller must free via freecon. | selinux.h |
fini_selinuxmnt | Deinitialises the global variable selinux_mnt to the selinuxfs mountpoint. | |
freecon | Free the memory allocated for a context by any of the get* calls. | selinux.h |
freeconary | Free the memory allocated for a context array by security_compute_user. | selinux.h |
fsetfilecon
fsetfilecon_raw |
Wrapper for the xattr API- Set file context. | selinux.h |
get_default_context | Get the default security context for a user session for 'user' spawned by 'fromcon' and set *newcon to refer to it. The context will be one of those authorized by the policy, but the selection of a default is subject to user customizable preferences. If 'fromcon' is NULL, defaults to current context. Returns 0 on success or -1 otherwise. Caller must free via freecon. | get_context_list.h |
get_default_context_with_level | Same as get_default_context, but use the provided MLS level rather than the default level for the user. | get_context_list.h |
get_default_context_with_role | Same as get_default_context, but only return a context that has the specified role. | get_context_list.h |
get_default_context_with_rolelevel | Same as get_default_context, but only return a context that has the specified role and level. | get_context_list.h |
get_default_type | Get the default type (domain) for 'role' and set 'type' to refer to it. Caller must free via free(). Return 0 on success or -1 otherwise. | get_default_type.h |
get_ordered_context_list | Get an ordered list of authorized security contexts for a user session for 'user' spawned by 'fromcon' and set *conary to refer to the NULL-terminated array of contexts. Every entry in the list will be authorized by the policy, but the ordering is subject to user customizable preferences. Returns number of entries in *conary. If 'fromcon' is NULL, defaults to current context. Caller must free via freeconary. | get_context_list.h |
get_ordered_context_list_with_level | Same as get_ordered_context_list, but use the provided MLS level rather than the default level for the user. | get_context_list.h |
getcon
getcon_raw |
Get current context, and set *con to refer to it. Caller must free via freecon. | selinux.h |
getexeccon
getexeccon_raw |
Get exec context, and set *con to refer to it. Sets *con to NULL if no exec context has been set, i.e. using default. If non-NULL, caller must free via freecon. | selinux.h |
getfilecon
getfilecon_raw |
Wrapper for the xattr API - Get file context, and set *con to refer to it. Caller must free via freecon. | selinux.h |
getfscreatecon
getfscreatecon_raw |
Get fscreate context, and set *con to refer to it. Sets *con to NULL if no fs create context has been set, i.e. using default.If non-NULL, caller must free via freecon. | selinux.h |
getkeycreatecon
getkeycreatecon_raw |
Get keycreate context, and set *con to refer to it. Sets *con to NULL if no key create context has been set, i.e. using default. If non-NULL, caller must free via freecon. | selinux.h |
getpeercon
getpeercon_raw |
Wrapper for the socket API - Get context of peer socket, and set *con to refer to it. Caller must free via freecon. | selinux.h |
getpidcon
getpidcon_raw |
Get context of process identified by pid, and set *con to refer to it. Caller must free via freecon. | selinux.h |
getprevcon
getprevcon_raw |
Get previous context (prior to last exec), and set *con to refer to it. Caller must free via freecon. | selinux.h |
getseuser | Get the SELinux username and level to use for a given Linux username and service. These values may then be passed into the get_ordered_context_list* and get_default_context* functions to obtain a context for the user. Returns 0 on success or -1 otherwise. Caller must free the returned strings via free(). | selinux.h |
getseuserbyname | Get the SELinux username and level to use for a given Linux username. These values may then be passed into the get_ordered_context_list* and get_default_context* functions to obtain a context for the user. Returns 0 on success or -1 otherwise. Caller must free the returned strings via free(). | selinux.h |
getsockcreatecon
getsockcreatecon_raw |
Get sockcreate context, and set *con to refer to it. Sets *con to NULL if no socket create context has been set, i.e. using default. If non-NULL, caller must free via freecon. | selinux.h |
init_selinuxmnt | Initialises the global variable selinux_mnt to the selinuxfs mountpoint. | |
is_context_customizable | Returns whether a file context is customizable, and should not be relabeled. | selinux.h |
is_selinux_enabled | Return 1 if running on a SELinux kernel, or 0 if not or -1 for error. | selinux.h |
is_selinux_mls_enabled | Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. | selinux.h |
lgetfilecon
lgetfilecon_raw |
Wrapper for the xattr API - Get file context, and set *con to refer to it. Caller must free via freecon. | selinux.h |
lsetfilecon
lsetfilecon_raw |
Wrapper for the xattr API- Set file context for symbolic link. | selinux.h |
manual_user_enter_context | Allow the user to manually enter a context as a fallback if a list of authorized contexts could not be obtained. Caller must free via freecon. Returns 0 on success or -1 otherwise. | get_context_list.h |
matchmediacon | Match the specified media against the media contexts configuration and set *con to refer to the resulting context. Caller must free con via freecon. | selinux.h |
matchpathcon | Match the specified pathname and mode against the file contexts configuration and set *con to refer to the resulting context. 'mode' can be 0 to disable mode matching. Caller must free via freecon. If matchpathcon_init has not already been called, then this function will call it upon its first invocation with a NULL path. | selinux.h |
matchpathcon_checkmatches | Check to see whether any specifications had no matches and report them. The 'str' is used as a prefix for any warning messages. | selinux.h |
matchpathcon_filespec_add | Maintain an association between an inode and a specification index, and check whether a conflicting specification is already associated with the same inode (e.g. due to multiple hard links). If so, then use the latter of the two specifications based on their order in the file contexts configuration. Return the used specification index. | selinux.h |
matchpathcon_filespec_destroy | Destroy any inode associations that have been added, e.g. to restart for a new filesystem. | selinux.h |
matchpathcon_filespec_eval | Display statistics on the hash table usage for the associations. | selinux.h |
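The inode/specification bookkeeping behind matchpathcon_filespec_add, matchpathcon_filespec_destroy and matchpathcon_filespec_eval, written out as an added example. This is not libselinux's own code: the real table is hashed by inode and prints through the matchpathcon printf hook, while this version uses a flat array, writes its warning to stderr, and assumes that a higher specification index means a later line in file_contexts (the "latter of the two" rule in the description). The inode numbers and paths in main() are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* One inode -> specification association. */
struct ex_filespec {
    ino_t ino;
    int specind;      /* index into the file_contexts specification array */
    char *file;       /* path first seen for this inode, for the warning */
};

static struct ex_filespec *ex_fl;
static size_t ex_fl_count, ex_fl_cap;
static int ex_conflicts;   /* conflicts reported since the last destroy */

static char *ex_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Mirror of matchpathcon_filespec_add(): remember which spec labelled this
 * inode. If a different spec is seen for the same inode (a hard link matched
 * by another line), keep the later spec, report the conflict, and return the
 * index actually used. Returns -1 on allocation failure. */
int ex_filespec_add(ino_t ino, int specind, const char *file)
{
    size_t i;
    for (i = 0; i < ex_fl_count; i++) {
        struct ex_filespec *fl = &ex_fl[i];
        if (fl->ino != ino) continue;
        if (fl->specind == specind) return specind;   /* consistent, nothing to do */
        ex_conflicts++;
        fprintf(stderr, "conflicting specifications for %s and %s (inode %lu), using spec %d\n",
                fl->file, file, (unsigned long)ino,
                specind > fl->specind ? specind : fl->specind);
        if (specind > fl->specind) {            /* assumption: higher index = later line */
            char *copy = ex_strdup(file);
            if (!copy) return -1;
            free(fl->file);
            fl->file = copy;
            fl->specind = specind;
        }
        return fl->specind;
    }
    if (ex_fl_count == ex_fl_cap) {
        size_t ncap = ex_fl_cap ? ex_fl_cap * 2 : 16;
        struct ex_filespec *n = realloc(ex_fl, ncap * sizeof *n);
        if (!n) return -1;
        ex_fl = n;
        ex_fl_cap = ncap;
    }
    ex_fl[ex_fl_count].file = ex_strdup(file);
    if (!ex_fl[ex_fl_count].file) return -1;
    ex_fl[ex_fl_count].ino = ino;
    ex_fl[ex_fl_count].specind = specind;
    ex_fl_count++;
    return specind;
}

/* Mirror of matchpathcon_filespec_destroy(): forget every association,
 * e.g. before walking another filesystem whose inode numbers restart. */
void ex_filespec_destroy(void)
{
    size_t i;
    for (i = 0; i < ex_fl_count; i++) free(ex_fl[i].file);
    free(ex_fl);
    ex_fl = NULL;
    ex_fl_count = ex_fl_cap = 0;
    ex_conflicts = 0;
}

/* Mirror of matchpathcon_filespec_eval(): report table usage. */
void ex_filespec_eval(void)
{
    printf("%lu inodes tracked, %d conflicts\n", (unsigned long)ex_fl_count, ex_conflicts);
}

int ex_filespec_conflicts(void) { return ex_conflicts; }

int main(void)
{
    /* Constructed walk: /usr/bin/foo and /usr/sbin/foo are hard links to
     * inode 4242 and are matched by file_contexts lines 12 and 30. */
    printf("spec used: %d\n", ex_filespec_add(4242, 12, "/usr/bin/foo"));
    printf("spec used: %d\n", ex_filespec_add(4242, 30, "/usr/sbin/foo"));
    printf("spec used: %d\n", ex_filespec_add(4243, 12, "/usr/bin/bar"));
    ex_filespec_eval();
    ex_filespec_destroy();
    return 0;
}
```

The practical point is the return value: a relabeling tool must apply the index this call returns, not the one it computed for the current path, otherwise two hard links to one inode race each other and the final label depends on traversal order.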
matchpathcon_fini | Free the memory allocated by matchpathcon_init. | selinux.h |
matchpathcon_index | Same as matchpathcon, but return a specification index for later use in a matchpathcon_filespec_add() call. | selinux.h |
matchpathcon_init | Load the file contexts configuration specified by 'path' into memory for use by subsequent matchpathcon calls. If 'path' is NULL, then load the active file contexts configuration, i.e. the path returned by selinux_file_context_path(). Unless the MATCHPATHCON_BASEONLY flag has been set, this function also checks for a 'path'.homedirs file and a 'path'.local file and loads additional specifications from them if present. | selinux.h |
matchpathcon_init_prefix | Same as matchpathcon_init, but only load entries with regexes that have stems that are prefixes of 'prefix'. | selinux.h |
print_access_vector | Display an access vector in a string representation. | selinux.h |
query_user_context | Given a list of authorized security contexts for the user, query the user to select one and set *newcon to refer to it. Caller must free via freecon. Returns 0 on success or -1 otherwise. | get_context_list.h |
rpm_execcon | Execute a helper for rpm in an appropriate security context. | selinux.h |
security_av_perm_to_string | Convert access vector permissions to string names. | selinux.h |
security_av_string | Returns an access vector in a string representation. User must free the returned string via free(). | selinux.h |
security_canonicalize_context
security_canonicalize_context_raw |
Canonicalize a security context. | selinux.h |
security_check_context
security_check_context_raw |
Check the validity of a security context. | selinux.h |
security_class_to_string | Convert security class values to string names. | selinux.h |
security_commit_booleans | Commit the pending values for the booleans. | selinux.h |
security_compute_av
security_compute_av_raw |
Compute an access decision. | selinux.h |
security_compute_av_flags
security_compute_av_flags_raw |
Compute an access decision, as security_compute_av does, but also fill in the flags member of the av_decision (e.g. SELINUX_AVD_FLAGS_PERMISSIVE when the source domain is permissive); security_compute_av does not return the flags. | selinux.h |
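How the av_decision returned by security_compute_av_flags is turned into a grant/deny plus an audit decision, in the style of the avc_has_perm_noaudit()/avc_audit() split described for avc_audit above. This is an added example, not libselinux's or the kernel AVC's code: the struct layout and SELINUX_AVD_FLAGS_PERMISSIVE value follow selinux.h, while the ex_ functions, the "file" permission bits and the sample decisions are constructed for the example (real permission values come from the policy via string_to_av_perm()).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t access_vector_t;

/* Layout as declared in selinux.h. */
struct av_decision {
    access_vector_t allowed;     /* permissions the policy grants */
    access_vector_t decided;     /* permissions this decision covers */
    access_vector_t auditallow;  /* log even when granted (auditallow rules) */
    access_vector_t auditdeny;   /* log when denied (cleared by dontaudit) */
    unsigned int seqno;          /* policy sequence number */
    unsigned int flags;          /* only filled by the _flags variants */
};
#define SELINUX_AVD_FLAGS_PERMISSIVE 0x0001   /* value from selinux.h */

/* Constructed permission bits for a made-up "file" class (example only). */
#define EX_FILE__READ  0x01
#define EX_FILE__WRITE 0x02
#define EX_FILE__EXEC  0x04

/* Outcome of one check: the decision and, separately, what to log. */
struct ex_result {
    int granted;                 /* 1: caller may proceed */
    int permissive_override;     /* 1: policy denied but the domain is permissive */
    access_vector_t audit_mask;  /* permissions that would be audited */
};

struct ex_result ex_check_access(access_vector_t requested,
                                 const struct av_decision *avd)
{
    struct ex_result r = {0, 0, 0};
    access_vector_t denied = requested & ~avd->allowed;

    if (denied) {
        /* Denied: log only what dontaudit has not suppressed. */
        r.audit_mask = denied & avd->auditdeny;
        if (avd->flags & SELINUX_AVD_FLAGS_PERMISSIVE) {
            /* Permissive domain: record the denial but let it through.
             * A caller using security_compute_av() never sees this flag
             * and would enforce a denial the kernel itself would not. */
            r.granted = 1;
            r.permissive_override = 1;
        }
    } else {
        /* Granted: log only what auditallow asks for. */
        r.granted = 1;
        r.audit_mask = requested & avd->auditallow;
    }
    return r;
}

/* Render an access vector as "{ read write }", like print_access_vector().
 * Returns 0, or -1 if buf is too small. */
int ex_av_to_string(access_vector_t av, char *buf, size_t len)
{
    static const char *names[] = { "read", "write", "execute" };
    size_t pos, i;
    int n = snprintf(buf, len, "{");
    if (n < 0 || (size_t)n >= len) return -1;
    pos = (size_t)n;
    for (i = 0; i < 3; i++) {
        if (!(av & (1u << i))) continue;
        n = snprintf(buf + pos, len - pos, " %s", names[i]);
        if (n < 0 || (size_t)n >= len - pos) return -1;
        pos += (size_t)n;
    }
    n = snprintf(buf + pos, len - pos, " }");
    if (n < 0 || (size_t)n >= len - pos) return -1;
    return 0;
}

int main(void)
{
    /* Constructed decision: read allowed; write and execute denied and
     * audited; no auditallow rules; domain enforcing. */
    struct av_decision avd = { EX_FILE__READ, 0x07, 0, 0x07, 1, 0 };
    struct ex_result r;
    char buf[64];

    r = ex_check_access(EX_FILE__READ | EX_FILE__WRITE, &avd);
    ex_av_to_string(r.audit_mask, buf, sizeof buf);
    printf("enforcing:  granted=%d audit=%s\n", r.granted, buf);

    avd.flags = SELINUX_AVD_FLAGS_PERMISSIVE;   /* same policy, permissive domain */
    r = ex_check_access(EX_FILE__READ | EX_FILE__WRITE, &avd);
    ex_av_to_string(r.audit_mask, buf, sizeof buf);
    printf("permissive: granted=%d override=%d audit=%s\n",
           r.granted, r.permissive_override, buf);
    return 0;
}
```

The decision bits and the audit bits are deliberately kept apart, which is why the library exposes avc_has_perm_noaudit() and avc_audit() separately: a server can take the decision under a lock and emit the audit record after releasing it.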
security_compute_create
security_compute_create_raw |
Compute a labeling decision and set *newcon to refer to it. Caller must free via freecon. | selinux.h |
security_compute_member
security_compute_member_raw |
Compute a polyinstantiation member decision and set *newcon to refer to it. Caller must free via freecon. | selinux.h |
security_compute_relabel
security_compute_relabel_raw |
Compute a relabeling decision and set *newcon to refer to it. Caller must free via freecon. | selinux.h |
security_compute_user
security_compute_user_raw |
Compute the set of reachable user contexts and set *con to refer to the NULL-terminated array of contexts. Caller must free via freeconary. | selinux.h |
security_deny_unknown | Get the behavior for undefined classes / permissions. | selinux.h |
security_disable | Disable SELinux at runtime (must be done prior to initial policy load). | selinux.h |
security_get_boolean_active | Get the active value for the boolean. | selinux.h |
security_get_boolean_names | Get the boolean names | selinux.h |
security_get_boolean_pending | Get the pending value for the boolean. | selinux.h |
security_get_initial_context
security_get_initial_context_raw |
Get the context of an initial kernel security identifier by name. Caller must free via freecon. | selinux.h |
security_getenforce | Get the enforce flag value. | selinux.h |
security_load_booleans | Load policy boolean settings. Path may be NULL, in which case the booleans are loaded from the active policy boolean configuration file. | selinux.h |
security_load_policy | Load a policy configuration. | selinux.h |
security_policyvers | Get the policy version number. | selinux.h |
security_set_boolean | Set the pending value for the boolean. | selinux.h |
security_set_boolean_list | Save a list of booleans in a single transaction. | selinux.h |
security_setenforce | Set the enforce flag value. | selinux.h |
selabel_close | Destroy the specified handle, closing files, freeing allocated memory, etc. The handle may not be further used after it has been closed. | label.h |
selabel_lookup
selabel_lookup_raw |
Perform a labeling lookup operation. Return 0 on success, -1 with errno set on failure. The key and type arguments are the inputs to the lookup operation; appropriate values are dictated by the backend in use. The result is returned in the memory pointed to by con and must be freed by the user with freecon(). | label.h |
selabel_open | Create a labeling handle.
Open a labeling backend for use. The available backend identifiers are: SELABEL_CTX_FILE - file_contexts. SELABEL_CTX_MEDIA - media contexts. SELABEL_CTX_X - x_contexts. SELABEL_CTX_DB - pgsql_contexts. Options may be provided via the opts parameter; available options are: SELABEL_OPT_UNUSED - no-op option, useful for unused slots in an array of options. SELABEL_OPT_VALIDATE - validate contexts before returning them (boolean value). SELABEL_OPT_BASEONLY - don't use local customizations to backend data (boolean value). SELABEL_OPT_PATH - specify an alternate path to use when loading backend data. SELABEL_OPT_SUBSET - select a subset of the search space as an optimization (file backend). Not all options may be supported by every backend. Return value is the created handle on success or NULL with @errno set on failure. |
label.h |
selabel_stats | Log a message with information about the number of queries performed, number of unused matching entries, or other operational statistics. Message is backend-specific, some backends may not output a message. | label.h |
selinux_binary_policy_path | Return path to the binary policy file under the policy root directory. | selinux.h |
selinux_booleans_path | Return path to the booleans file under the policy root directory. | selinux.h |
selinux_check_passwd_access | Check a permission in the passwd class. Return 0 if granted or -1 otherwise. | selinux.h |
selinux_check_securetty_context | Check if the tty_context is defined as a securetty. Return 0 if secure, < 0 otherwise. | selinux.h |
selinux_colors_path | Return path to file under the policy root directory. | selinux.h |
selinux_contexts_path | Return path to contexts directory under the policy root directory. | selinux.h |
selinux_customizable_types_path | Return path to customizable_types file under the policy root directory. | selinux.h |
selinux_default_context_path | Return path to default_context file under the policy root directory. | selinux.h |
selinux_default_type_path | Return path to default type file. | get_default_type.h |
selinux_failsafe_context_path | Return path to failsafe_context file under the policy root directory. | selinux.h |
selinux_file_context_cmp | Compare two file contexts, return 0 if equivalent. | selinux.h |
selinux_file_context_homedir_path | Return path to file under the policy root directory. | selinux.h |
selinux_file_context_local_path | Return path to file under the policy root directory. | selinux.h |
selinux_file_context_path | Return path to file under the policy root directory. | selinux.h |
selinux_file_context_subs_path | Return path to file under the policy root directory. | selinux.h |
selinux_file_context_verify | Verify the context of the file 'path' against policy. Return 0 if correct. | selinux.h |
selinux_getenforcemode | Reads the /etc/selinux/config file and determines whether the machine should be started in enforcing (1), permissive (0) or disabled (-1) mode. | selinux.h |
selinux_getpolicytype | Reads the /etc/selinux/config file and determines what the default policy for the machine is. Calling application must free policytype. | selinux.h |
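The parsing that selinux_getenforcemode and selinux_getpolicytype perform on /etc/selinux/config, written out as an added example. This is not libselinux's code: the real functions open the file themselves and their exact precedence rules are their own, whereas this version parses an in-memory buffer (so it runs without SELinux), takes the first SELINUX=/SELINUXTYPE= line found at column 0, compares the mode value case-insensitively, and refuses to guess a mode for an unrecognised value. The sample configuration text is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed /etc/selinux/config contents for the example. */
static const char ex_sample_config[] =
    "# This file controls the state of SELinux on the system.\n"
    "# SELINUX=disabled   <- commented out, must be ignored\n"
    "SELINUX=Enforcing\r\n"
    "SELINUXTYPE=targeted \n";

/* Does the n-byte value s (minus trailing whitespace) equal kw, ignoring case? */
static int ex_value_is(const char *s, size_t n, const char *kw)
{
    while (n > 0 && isspace((unsigned char)s[n - 1])) n--;
    if (strlen(kw) != n) return 0;
    return strncasecmp(s, kw, n) == 0;
}

/* Find the first line starting with tag; return a pointer to its value and
 * set *vlen to the value length (trailing whitespace included), or NULL.
 * Comment lines and indented lines never match because tag must be at column 0. */
static const char *ex_find_tag(const char *cfg, const char *tag, size_t *vlen)
{
    size_t tlen = strlen(tag);
    const char *line = cfg;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t llen = end ? (size_t)(end - line) : strlen(line);
        if (llen > tlen && strncmp(line, tag, tlen) == 0) {
            *vlen = llen - tlen;
            return line + tlen;
        }
        if (!end) break;
        line = end + 1;
    }
    return NULL;
}

/* Like selinux_getenforcemode(): return 0 and set *enforce to 1 (enforcing),
 * 0 (permissive) or -1 (disabled); return -1 if there is no usable line. */
int ex_getenforcemode(const char *cfg, int *enforce)
{
    size_t n;
    const char *v = ex_find_tag(cfg, "SELINUX=", &n);
    if (!v) return -1;
    if (ex_value_is(v, n, "enforcing"))  { *enforce = 1;  return 0; }
    if (ex_value_is(v, n, "permissive")) { *enforce = 0;  return 0; }
    if (ex_value_is(v, n, "disabled"))   { *enforce = -1; return 0; }
    return -1;   /* unrecognised value: do not silently fall back to a mode */
}

/* Like selinux_getpolicytype(): return 0 and set *type to a malloc'd copy of
 * the SELINUXTYPE= value (caller frees), or -1 if absent or empty. */
int ex_getpolicytype(const char *cfg, char **type)
{
    size_t n;
    const char *v = ex_find_tag(cfg, "SELINUXTYPE=", &n);
    if (!v) return -1;
    while (n > 0 && isspace((unsigned char)v[n - 1])) n--;
    if (n == 0) return -1;
    *type = malloc(n + 1);
    if (!*type) return -1;
    memcpy(*type, v, n);
    (*type)[n] = '\0';
    return 0;
}

int main(void)
{
    int enforce = 0;
    char *type = NULL;
    if (ex_getenforcemode(ex_sample_config, &enforce) == 0)
        printf("configured mode: %d\n", enforce);
    if (ex_getpolicytype(ex_sample_config, &type) == 0) {
        printf("policy type: %s\n", type);
        free(type);
    }
    return 0;
}
```

Note that this is the mode the machine is configured to boot into, not the live state: security_getenforce asks the kernel, and the two can differ after setenforce or a config edit that has not been followed by a reboot.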
selinux_homedir_context_path | Return path to file under the policy root directory. | selinux.h |
selinux_init_load_policy | Perform the initial policy load.
This function determines the desired enforcing mode, sets the *enforce argument accordingly for the caller to use, sets the SELinux kernel enforcing status to match it, and loads the policy. It also internally handles the initial selinuxfs mount required to perform these actions. The function returns 0 if everything including the policy load succeeds. In this case, init is expected to re-exec itself in order to transition to the proper security context. Otherwise, the function returns -1, and init must check *enforce to determine how to proceed. If enforcing (*enforce > 0), then init should halt the system. Otherwise, init may proceed normally without a re-exec. |
selinux.h |
selinux_lsetfilecon_default | Sets the file context of the given path to the system default (as a symbolic link, i.e. without following it). Returns 0 on success. | selinux.h |
selinux_media_context_path | Return path to file under the policy root directory. | selinux.h |
selinux_mkload_policy | Make a policy image and load it.
This function provides a higher level interface for loading policy than security_load_policy, internally determining the right policy version, locating and opening the policy file, mapping it into memory, manipulating it as needed for current boolean settings and/or local definitions, and then calling security_load_policy to load it. 'preservebools' is a boolean flag indicating whether current policy boolean values should be preserved into the new policy (if 1) or reset to the saved policy settings (if 0). The former case is the default for policy reloads, while the latter case is an option for policy reloads but is primarily for the initial policy load. |
selinux.h |
selinux_netfilter_context_path | Returns path to the netfilter_context file under the policy root directory. | selinux.h |
selinux_path | Returns path to the policy root directory. | selinux.h |
selinux_policy_root | Reads the /etc/selinux/config file and returns the top level directory. | selinux.h |
selinux_raw_context_to_color | Perform context translation between security contexts and display colors. Returns a space-separated list of ten hex RGB triples prefixed by hash marks, e.g. "#ff0000". Caller must free the resulting string via free(). Returns -1 upon an error or 0 otherwise. | selinux.h |
selinux_raw_to_trans_context | Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon. Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0. | selinux.h |
selinux_removable_context_path | Return path to file under the policy root directory. | selinux.h |
selinux_reset_config | Force a reset of the loaded configuration. Not thread-safe. | selinux.h |
selinux_securetty_types_path | Return path to the securetty_types file under the policy root directory. | selinux.h |
selinux_sepgsql_context_path | Return path to the sepgsql_context file under the policy root directory. | selinux.h |
selinux_set_callback | Sets up a callback for the following events:
SELINUX_CB_LOG - to add additional info to audit log. SELINUX_CB_AUDIT - to add additional audit info when using calls like avc_has_perm that can cause an audit event to be generated. SELINUX_CB_VALIDATE - to validate a context (used by setfiles for setting contexts on policies that are not active - see setfiles.c). SELINUX_CB_SETENFORCE - to run user defined functions whenever the enforcing state changes. SELINUX_CB_POLICYLOAD - to run user defined functions whenever the policy is reloaded. |
selinux.h |
selinux_set_mapping | Userspace class mapping support. | selinux.h |
selinux_trans_to_raw_context | Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon. Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0. | selinux.h |
selinux_translations_path | Return path to setrans.conf file under the policy root directory. | selinux.h |
selinux_user_contexts_path | Return path to file under the policy root directory. | selinux.h |
selinux_users_path | Return path to file under the policy root directory. | selinux.h |
selinux_usersconf_path | Return path to file under the policy root directory. | selinux.h |
selinux_virtual_domain_context_path | Return path to file under the policy root directory. | selinux.h |
selinux_virtual_image_context_path | Return path to file under the policy root directory. | selinux.h |
selinux_x_context_path | Return path to x_context file under the policy root directory. | selinux.h |
set_matchpathcon_canoncon | Same as set_matchpathcon_invalidcon but also allows canonicalization of the context, by changing *context to refer to the canonical form. If not set, and invalidcon is also not set, then this defaults to calling security_canonicalize_context(). | selinux.h |
set_matchpathcon_flags | Set flags controlling operation of matchpathcon_init or matchpathcon:
MATCHPATHCON_BASEONLY - Only process the base file_contexts file. MATCHPATHCON_NOTRANS - Do not perform any context translation. MATCHPATHCON_VALIDATE - Validate/canonicalize contexts at init time. |
selinux.h |
set_matchpathcon_invalidcon | Set the function used by matchpathcon_init when checking the validity of a context in the file_contexts configuration. If not set, then this defaults to a test based on security_check_context(). The function is also responsible for reporting any such error, and may include the 'path' and 'lineno' in such error messages. | selinux.h |
set_matchpathcon_printf | Set the function used by matchpathcon_init when displaying errors about the file_contexts configuration. If not set, then this defaults to fprintf(stderr, fmt, ...). | selinux.h |
set_selinuxmnt | Set the path to the selinuxfs mount point explicitly. Normally, this is determined automatically during libselinux initialization, but this is not always possible, e.g. for /sbin/init which performs the initial mount of selinuxfs. | selinux.h |
setcon
setcon_raw |
Set the current security context to con.
Note that use of this function requires that the entire application be trusted to maintain any desired separation between the old and new security contexts, unlike exec-based transitions performed via setexeccon. When possible, decompose your application and use setexeccon()+execve() instead. Note that the application may lose access to its open descriptors as a result of a setcon() unless policy allows it to use descriptors opened by the old context. |
selinux.h |
setexeccon
setexeccon_raw |
Set exec security context for the next execve. Call with NULL if you want to reset to the default. | selinux.h |
setfilecon
setfilecon_raw |
Wrapper for the xattr API - Set file context. | selinux.h |
setfscreatecon
setfscreatecon_raw |
Set the fscreate security context for subsequent file creations. Call with NULL if you want to reset to the default. | selinux.h |
setkeycreatecon
setkeycreatecon_raw |
Set the keycreate security context for subsequent key creations. Call with NULL if you want to reset to the default. | selinux.h |
setsockcreatecon
setsockcreatecon_raw |
Set the sockcreate security context for subsequent socket creations. Call with NULL if you want to reset to the default. | selinux.h |
sidget (deprecated) | From 2.0.86 this is a no-op. | avc.h |
sidput (deprecated) | From 2.0.86 this is a no-op. | avc.h |
string_to_av_perm | Convert string names to access vector permissions. | selinux.h |
string_to_security_class | Convert string names to security class values. | selinux.h |