Difference between revisions of "LibselinuxAPISummary"

From SELinux Wiki
Jump to: navigation, search
Line 1: Line 1:
 
= API Summary for libselinux =
 
= API Summary for libselinux =
The API summary has been taken from the ''libselinux 2.0.87'' release and sorted in alphabetical order. The appropriate man (3) pages should consulted for detailed usage.
+
The API summary has been taken from the '''libselinux 2.0.96''' release and sorted in alphabetical order. There are 166 functions available in this release, although 4 are depreciated. The appropriate man (3) pages should consulted for detailed usage.
 
+
 
+
  
 
{| border="1"
 
{| border="1"
Line 10: Line 8:
  
 
|-
 
|-
 
 
 
 
| avc_add_callback
 
| avc_add_callback
 
| Register a callback for security events.
 
| Register a callback for security events.
Line 20: Line 15:
  
 
|-
 
|-
 
 
 
 
| avc_audit
 
| avc_audit
 
| Audit the granting or denial of permissions in accordance with the policy. This function is typically called by avc_has_perm() after a permission check, but can also be called directly by callers who use avc_has_perm_noaudit() in order to separate the permission check from the auditing. For example, this separation is useful when the permission check must be performed under a lock, to allow the lock to be released before calling the auditing code.
 
| Audit the granting or denial of permissions in accordance with the policy. This function is typically called by avc_has_perm() after a permission check, but can also be called directly by callers who use avc_has_perm_noaudit() in order to separate the permission check from the auditing. For example, this separation is useful when the permission check must be performed under a lock, to allow the lock to be released before calling the auditing code.
Line 28: Line 20:
  
 
|-
 
|-
 
 
 
 
| avc_av_stats
 
| avc_av_stats
 
| Log AV table statistics.
 
| Log AV table statistics.
Line 38: Line 27:
  
 
|-
 
|-
 
 
 
 
| avc_cache_stats
 
| avc_cache_stats
 
| Get cache access statistics.
 
| Get cache access statistics.
Line 48: Line 34:
  
 
|-
 
|-
 
 
 
 
| avc_cleanup
 
| avc_cleanup
 
| Remove unused SIDs and AVC entries.
 
| Remove unused SIDs and AVC entries.
Line 58: Line 41:
  
 
|-
 
|-
 
 
 
 
| avc_compute_create
 
| avc_compute_create
 
| Compute SID for labeling a new object.
 
| Compute SID for labeling a new object.
  
Call the security server to obtain a context for labeling a new object. Look up the context in the SID table, making a new entry if not found. Increment the reference counter for the SID. Store a pointer to the SID structure into the memory referenced by @newsid, returning %0 on success or -%1 on error with @errno set.
+
Call the security server to obtain a context for labeling a new object. Look up the context in the SID table, making a new entry if not found. Store a pointer to the SID structure into the memory referenced by @newsid, returning %0 on success or -%1 on error with @errno set.
 
| avc.h
 
| avc.h
  
 
|-
 
|-
 
 
 
 
| avc_compute_member
 
| avc_compute_member
 
| Compute SID for polyinstantation.
 
| Compute SID for polyinstantation.
  
Call the security server to obtain a context for labeling an object instance. Look up the context in the SID table, making a new entry if not found. Increment the reference counter for the SID. Store a pointer to the SID structure into the memory referenced by @newsid, returning %0 on success or -%1 on error with @errno set.
+
Call the security server to obtain a context for labeling an object instance. Look up the context in the SID table, making a new entry if not found. Store a pointer to the SID structure into the memory referenced by @newsid, returning %0 on success or -%1 on error with @errno set.
 
| avc.h
 
| avc.h
  
 
|-
 
|-
 
 
 
 
| avc_context_to_sid
 
| avc_context_to_sid
  
 
avc_context_to_sid_raw
 
avc_context_to_sid_raw
| Get SID for context. Look up security context @ctx in SID table, making a new entry if @ctx is not found. Increment the reference counter for the SID. Store a pointer to the SID structure into the memory referenced by @sid,returning %0 on success or -%1 on error with @errno set.
+
| Get SID for context. Look up security context @ctx in SID table, making a new entry if @ctx is not found. Store a pointer to the SID structure into the memory referenced by @sid,returning %0 on success or -%1 on error with @errno set.
 
| avc.h
 
| avc.h
  
 
|-
 
|-
 
 
 
 
| avc_destroy
 
| avc_destroy
 
| Free all AVC structures.
 
| Free all AVC structures.
Line 98: Line 69:
  
 
|-
 
|-
 
 
 
 
| avc_entry_ref_init
 
| avc_entry_ref_init
 
| Initialize an AVC entry reference.
 
| Initialize an AVC entry reference.
Line 108: Line 76:
  
 
|-
 
|-
 
 
 
 
| avc_get_initial_sid
 
| avc_get_initial_sid
 
| Get SID for an initial kernel security identifier.
 
| Get SID for an initial kernel security identifier.
Line 118: Line 83:
  
 
|-
 
|-
 
 
 
 
| avc_has_perm
 
| avc_has_perm
 
| Check permissions and perform any appropriate auditing.
 
| Check permissions and perform any appropriate auditing.
Line 128: Line 90:
  
 
|-
 
|-
 
 
 
 
| avc_has_perm_noaudit
 
| avc_has_perm_noaudit
 
| Check permissions but perform no auditing. Check the AVC to determine whether the @requested permissions are granted for the SID pair (@ssid, @tsid), interpreting the permissions based on @tclass, and call the security server on a cache miss to obtain a new decision and add it to the cache. Update @aeref to refer to an AVC entry with the resulting decisions, and return a copy of the decisions in @avd. Return %0 if all @requested permissions are granted, -%1 with @errno set to %EACCES if any permissions are denied, or to another value upon other errors. This function is typically called by avc_has_perm(), but may also be called directly to separate permission checking from auditing, e.g. in cases where a lock must be held for the check but should be released for the auditing.
 
| Check permissions but perform no auditing. Check the AVC to determine whether the @requested permissions are granted for the SID pair (@ssid, @tsid), interpreting the permissions based on @tclass, and call the security server on a cache miss to obtain a new decision and add it to the cache. Update @aeref to refer to an AVC entry with the resulting decisions, and return a copy of the decisions in @avd. Return %0 if all @requested permissions are granted, -%1 with @errno set to %EACCES if any permissions are denied, or to another value upon other errors. This function is typically called by avc_has_perm(), but may also be called directly to separate permission checking from auditing, e.g. in cases where a lock must be held for the check but should be released for the auditing.
Line 136: Line 95:
  
 
|-
 
|-
 +
| avc_init (depreciated)
 +
| Legacy userspace SELinux AVC setup - use <tt>avc_open</tt>.
  
 
+
Initialize the access vector cache. Return %0 on success or -%1 with @errno set on failure. If @msgprefix is NULL, uses "uavc". If any callback structure references are NULL, use default methods for those callbacks (see the definition of the callback structures).
 
+
| avc_init
+
| Initialize the AVC. Initialize the access vector cache. Return %0 on success or -%1 with @errno set on failure. If @msgprefix is NULL, use "uavc". If any callback structure references are NULL, use default methods for those callbacks (see the definition of the callback structures).
+
 
| avc.h
 
| avc.h
  
 
|-
 
|-
 
 
 
 
| avc_netlink_acquire_fd
 
| avc_netlink_acquire_fd
 
| Create a netlink socket and connect to the kernel.
 
| Create a netlink socket and connect to the kernel.
Line 152: Line 107:
  
 
|-
 
|-
 
 
 
 
| avc_netlink_check_nb
 
| avc_netlink_check_nb
 
| Wait for netlink messages from the kernel.
 
| Wait for netlink messages from the kernel.
Line 160: Line 112:
  
 
|-
 
|-
 
 
 
 
| avc_netlink_close
 
| avc_netlink_close
 
| Close the netlink socket.
 
| Close the netlink socket.
Line 168: Line 117:
  
 
|-
 
|-
 
 
 
 
| avc_netlink_loop
 
| avc_netlink_loop
 
| Acquire netlink socket fd. Allows the application to manage messages from the netlink socket in its own main loop.
 
| Acquire netlink socket fd. Allows the application to manage messages from the netlink socket in its own main loop.
Line 176: Line 122:
  
 
|-
 
|-
 
 
 
 
| avc_netlink_open
 
| avc_netlink_open
 
| Release netlink socket fd. Returns ownership of the netlink socket to the library.
 
| Release netlink socket fd. Returns ownership of the netlink socket to the library.
Line 184: Line 127:
  
 
|-
 
|-
 
 
 
 
| avc_netlink_release_fd
 
| avc_netlink_release_fd
 
| Check netlink socket for new messages. Called by the application when using <tt>avc_netlink_acquire_fd()</tt> to process kernel netlink events.
 
| Check netlink socket for new messages. Called by the application when using <tt>avc_netlink_acquire_fd()</tt> to process kernel netlink events.
Line 192: Line 132:
  
 
|-
 
|-
 
 
 
 
| avc_open
 
| avc_open
| Initialize the AVC. This function is identical to avc_init() except the message prefix is set to ``avc'' and any callbacks desired should be specified via selinux_set_callback().
+
| Initialize the AVC. This function is identical to avc_init() except the message prefix is set to “avc” and any callbacks desired should be specified via selinux_set_callback(). It is possible to set enforcing mode using <tt>AVC_OPT_SETENFORCE</tt>, this will override the kernel setting.
 
| avc.h
 
| avc.h
  
 
|-
 
|-
 
 
 
 
| avc_reset
 
| avc_reset
 
| Flush the cache and reset statistics. Remove all entries from the cache and reset all access statistics (as returned by avc_cache_stats()) to zero. The SID mapping is not affected. Return %0 on success, -%1 with @errno set on error.
 
| Flush the cache and reset statistics. Remove all entries from the cache and reset all access statistics (as returned by avc_cache_stats()) to zero. The SID mapping is not affected. Return %0 on success, -%1 with @errno set on error.
Line 208: Line 142:
  
 
|-
 
|-
 
 
 
 
| avc_sid_stats
 
| avc_sid_stats
 
| Log SID table statistics. Log a message with information about the size and distribution of the SID table. The audit callback is used to print the message.
 
| Log SID table statistics. Log a message with information about the size and distribution of the SID table. The audit callback is used to print the message.
Line 216: Line 147:
  
 
|-
 
|-
 
 
 
 
| avc_sid_to_context
 
| avc_sid_to_context
  
Line 226: Line 154:
  
 
|-
 
|-
 
+
| checkPasswdAccess (depreciated)
 
+
 
+
| checkPasswdAccess
+
 
| Check a permission in the passwd class. Return 0 if granted or -1 otherwise.
 
| Check a permission in the passwd class. Return 0 if granted or -1 otherwise.
 
| selinux.h
 
| selinux.h
  
 
|-
 
|-
 
 
 
 
| context_free
 
| context_free
 
| Free the storage used by a context.
 
| Free the storage used by a context.
Line 242: Line 164:
  
 
|-
 
|-
 
 
 
 
| context_new
 
| context_new
 
| Return a new context initialized to a context string.
 
| Return a new context initialized to a context string.
Line 250: Line 169:
  
 
|-
 
|-
 
 
 
 
| context_range_get
 
| context_range_get
 
| Get a pointer to the range.
 
| Get a pointer to the range.
Line 258: Line 174:
  
 
|-
 
|-
 
 
 
 
| context_range_set
 
| context_range_set
 
| Set the range component. Returns nonzero if unsuccessful.
 
| Set the range component. Returns nonzero if unsuccessful.
Line 266: Line 179:
  
 
|-
 
|-
 
 
 
 
| context_role_get
 
| context_role_get
 
| Get a pointer to the role.
 
| Get a pointer to the role.
Line 274: Line 184:
  
 
|-
 
|-
 
 
 
 
| context_role_set
 
| context_role_set
 
| Set the role component. Returns nonzero if unsuccessful.
 
| Set the role component. Returns nonzero if unsuccessful.
Line 282: Line 189:
  
 
|-
 
|-
 
 
 
 
| context_str
 
| context_str
 
| Return a pointer to the string value of context_t. Valid until the next call to context_str or context_free for the same context_t*.
 
| Return a pointer to the string value of context_t. Valid until the next call to context_str or context_free for the same context_t*.
Line 290: Line 194:
  
 
|-
 
|-
 
 
 
 
| context_type_get
 
| context_type_get
 
| Get a pointer to the type.
 
| Get a pointer to the type.
Line 298: Line 199:
  
 
|-
 
|-
 
 
 
 
| context_type_set
 
| context_type_set
 
| Set the type component. Returns nonzero if unsuccessful.
 
| Set the type component. Returns nonzero if unsuccessful.
Line 306: Line 204:
  
 
|-
 
|-
 
 
 
 
| context_user_get
 
| context_user_get
 
| Get a pointer to the user.
 
| Get a pointer to the user.
Line 314: Line 209:
  
 
|-
 
|-
 
 
 
 
| context_user_set
 
| context_user_set
 
| Set the user component. Returns nonzero if unsuccessful.
 
| Set the user component. Returns nonzero if unsuccessful.
Line 322: Line 214:
  
 
|-
 
|-
 
 
 
 
| fgetfilecon
 
| fgetfilecon
  
Line 332: Line 221:
  
 
|-
 
|-
 +
| fini_selinuxmnt
 +
| Deinitialises the global variable selinux_mnt to the selinuxfs mountpoint.
 +
|
  
 
+
|-
 
+
 
| freecon
 
| freecon
 
| Free the memory allocated for a context by any of the get* calls.
 
| Free the memory allocated for a context by any of the get* calls.
Line 340: Line 231:
  
 
|-
 
|-
 
 
 
 
| freeconary
 
| freeconary
 
| Free the memory allocated for a context array by security_compute_user.
 
| Free the memory allocated for a context array by security_compute_user.
Line 348: Line 236:
  
 
|-
 
|-
 
 
 
 
| fsetfilecon
 
| fsetfilecon
  
Line 358: Line 243:
  
 
|-
 
|-
 
 
 
 
| get_default_context
 
| get_default_context
 
| Get the default security context for a user session for 'user' spawned by 'fromcon' and set <nowiki>*newcon</nowiki> to refer to it. The context will be one of those authorized by the policy, but the selection of a default is subject to user customizable preferences. If 'fromcon' is NULL, defaults to current context. Returns 0 on success or -1 otherwise. Caller must free via freecon.  
 
| Get the default security context for a user session for 'user' spawned by 'fromcon' and set <nowiki>*newcon</nowiki> to refer to it. The context will be one of those authorized by the policy, but the selection of a default is subject to user customizable preferences. If 'fromcon' is NULL, defaults to current context. Returns 0 on success or -1 otherwise. Caller must free via freecon.  
Line 366: Line 248:
  
 
|-
 
|-
 
 
 
 
| get_default_context_with_level
 
| get_default_context_with_level
 
| Same as get_default_context, but use the provided MLS level rather than the default level for the user.  
 
| Same as get_default_context, but use the provided MLS level rather than the default level for the user.  
Line 374: Line 253:
  
 
|-
 
|-
 
 
 
 
| get_default_context_with_role
 
| get_default_context_with_role
 
| Same as get_default_context, but only return a context that has the specified role.
 
| Same as get_default_context, but only return a context that has the specified role.
Line 382: Line 258:
  
 
|-
 
|-
 
 
 
 
| get_default_context_with_rolelevel
 
| get_default_context_with_rolelevel
 
| Same as get_default_context, but only return a context that has the specified role and level.
 
| Same as get_default_context, but only return a context that has the specified role and level.
Line 390: Line 263:
  
 
|-
 
|-
 
 
 
 
| get_default_type
 
| get_default_type
 
| Get the default type (domain) for 'role' and set 'type' to refer to it. Caller must free via free(). Return 0 on success or -1 otherwise.  
 
| Get the default type (domain) for 'role' and set 'type' to refer to it. Caller must free via free(). Return 0 on success or -1 otherwise.  
Line 398: Line 268:
  
 
|-
 
|-
 
 
 
 
| get_ordered_context_list
 
| get_ordered_context_list
 
| Get an ordered list of authorized security contexts for a user session for 'user' spawned by 'fromcon' and set <nowiki>*conary</nowiki> to refer to the NULL-terminated array of contexts. Every entry in the list will be authorized by the policy, but the ordering is subject to user customizable preferences. Returns number of entries in <nowiki>*conary</nowiki>. If 'fromcon' is NULL, defaults to current context. Caller must free via freeconary.
 
| Get an ordered list of authorized security contexts for a user session for 'user' spawned by 'fromcon' and set <nowiki>*conary</nowiki> to refer to the NULL-terminated array of contexts. Every entry in the list will be authorized by the policy, but the ordering is subject to user customizable preferences. Returns number of entries in <nowiki>*conary</nowiki>. If 'fromcon' is NULL, defaults to current context. Caller must free via freeconary.
Line 406: Line 273:
  
 
|-
 
|-
 
 
 
 
| get_ordered_context_list_with_level
 
| get_ordered_context_list_with_level
 
| Same as get_ordered_context_list, but use the provided MLS level rather than the default level for the user.
 
| Same as get_ordered_context_list, but use the provided MLS level rather than the default level for the user.
Line 414: Line 278:
  
 
|-
 
|-
 
 
 
 
| getcon
 
| getcon
  
Line 424: Line 285:
  
 
|-
 
|-
 
 
 
 
| getexeccon
 
| getexeccon
  
Line 434: Line 292:
  
 
|-
 
|-
 
 
 
 
| getfilecon
 
| getfilecon
  
Line 444: Line 299:
  
 
|-
 
|-
 
 
 
 
| getfscreatecon
 
| getfscreatecon
  
Line 454: Line 306:
  
 
|-
 
|-
 
 
 
 
| getkeycreatecon
 
| getkeycreatecon
  
Line 464: Line 313:
  
 
|-
 
|-
 
 
 
 
| getpeercon
 
| getpeercon
  
Line 474: Line 320:
  
 
|-
 
|-
 
 
 
 
| getpidcon
 
| getpidcon
  
Line 484: Line 327:
  
 
|-
 
|-
 
 
 
 
| getprevcon
 
| getprevcon
  
Line 494: Line 334:
  
 
|-
 
|-
 
 
 
 
| getseuser
 
| getseuser
 
| Get the SELinux username and level to use for a given Linux username and service. These values may then be passed into the get_ordered_context_list* and get_default_context* functions to obtain a context for the user. Returns 0 on success or -1 otherwise. Caller must free the returned strings via free().
 
| Get the SELinux username and level to use for a given Linux username and service. These values may then be passed into the get_ordered_context_list* and get_default_context* functions to obtain a context for the user. Returns 0 on success or -1 otherwise. Caller must free the returned strings via free().
Line 502: Line 339:
  
 
|-
 
|-
 
 
 
 
| getseuserbyname
 
| getseuserbyname
 
| Get the SELinux username and level to use for a given Linux username. These values may then be passed into the get_ordered_context_list* and get_default_context* functions to obtain a context for the user. Returns 0 on success or -1 otherwise. Caller must free the returned strings via free().
 
| Get the SELinux username and level to use for a given Linux username. These values may then be passed into the get_ordered_context_list* and get_default_context* functions to obtain a context for the user. Returns 0 on success or -1 otherwise. Caller must free the returned strings via free().
Line 510: Line 344:
  
 
|-
 
|-
 
 
 
 
| getsockcreatecon
 
| getsockcreatecon
  
Line 520: Line 351:
  
 
|-
 
|-
 +
| init_selinuxmnt
 +
| Initialises the global variable selinux_mnt to the selinuxfs mountpoint.
 +
|
  
 
+
|-
 
+
 
| is_context_customizable
 
| is_context_customizable
 
| Returns whether a file context is customizable, and should not be relabeled.
 
| Returns whether a file context is customizable, and should not be relabeled.
Line 528: Line 361:
  
 
|-
 
|-
 
 
 
 
| is_selinux_enabled
 
| is_selinux_enabled
 
| Return 1 if running on a SELinux kernel, or 0 if not or -1 for error.
 
| Return 1 if running on a SELinux kernel, or 0 if not or -1 for error.
Line 536: Line 366:
  
 
|-
 
|-
 
 
 
 
| is_selinux_mls_enabled
 
| is_selinux_mls_enabled
 
| Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise.
 
| Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise.
Line 544: Line 371:
  
 
|-
 
|-
 
 
 
 
| lgetfilecon
 
| lgetfilecon
  
Line 554: Line 378:
  
 
|-
 
|-
 
 
 
 
| lsetfilecon
 
| lsetfilecon
  
Line 564: Line 385:
  
 
|-
 
|-
 
 
 
 
| manual_user_enter_context
 
| manual_user_enter_context
 
| Allow the user to manually enter a context as a fallback if a list of authorized contexts could not be obtained. Caller must free via freecon. Returns 0 on success or -1 otherwise.  
 
| Allow the user to manually enter a context as a fallback if a list of authorized contexts could not be obtained. Caller must free via freecon. Returns 0 on success or -1 otherwise.  
Line 572: Line 390:
  
 
|-
 
|-
 
 
 
 
| matchmediacon
 
| matchmediacon
 
| Match the specified media and against the media contexts configuration and set <nowiki>*con</nowiki> to refer to the resulting context. Caller must free con via freecon.
 
| Match the specified media and against the media contexts configuration and set <nowiki>*con</nowiki> to refer to the resulting context. Caller must free con via freecon.
Line 580: Line 395:
  
 
|-
 
|-
 
 
 
 
| matchpathcon
 
| matchpathcon
 
| Match the specified pathname and mode against the file context sconfiguration and set <nowiki>*con</nowiki> to refer to the resulting context.'mode' can be 0 to disable mode matching. Caller must free via freecon. If matchpathcon_init has not already been called, then this function will call it upon its first invocation with a NULL path.
 
| Match the specified pathname and mode against the file context sconfiguration and set <nowiki>*con</nowiki> to refer to the resulting context.'mode' can be 0 to disable mode matching. Caller must free via freecon. If matchpathcon_init has not already been called, then this function will call it upon its first invocation with a NULL path.
Line 588: Line 400:
  
 
|-
 
|-
 
 
 
 
| matchpathcon_checkmatches
 
| matchpathcon_checkmatches
 
| Check to see whether any specifications had no matches and report them. The 'str' is used as a prefix for any warning messages.
 
| Check to see whether any specifications had no matches and report them. The 'str' is used as a prefix for any warning messages.
Line 596: Line 405:
  
 
|-
 
|-
 
 
 
 
| matchpathcon_filespec_add
 
| matchpathcon_filespec_add
 
| Maintain an association between an inode and a specification index, and check whether a conflicting specification is already associated with the same inode (e.g. due to multiple hard links). If so, then use the latter of the two specifications based on their order in the file contexts configuration. Return the used specification index.  
 
| Maintain an association between an inode and a specification index, and check whether a conflicting specification is already associated with the same inode (e.g. due to multiple hard links). If so, then use the latter of the two specifications based on their order in the file contexts configuration. Return the used specification index.  
Line 604: Line 410:
  
 
|-
 
|-
 
 
 
 
| matchpathcon_filespec_destroy
 
| matchpathcon_filespec_destroy
 
| Destroy any inode associations that have been added, e.g. to restart for a new filesystem.  
 
| Destroy any inode associations that have been added, e.g. to restart for a new filesystem.  
Line 612: Line 415:
  
 
|-
 
|-
 
 
 
 
| matchpathcon_filespec_eval
 
| matchpathcon_filespec_eval
 
| Display statistics on the hash table usage for the associations.
 
| Display statistics on the hash table usage for the associations.
Line 620: Line 420:
  
 
|-
 
|-
 
 
 
 
| matchpathcon_fini
 
| matchpathcon_fini
 
| Free the memory allocated by matchpathcon_init.
 
| Free the memory allocated by matchpathcon_init.
Line 628: Line 425:
  
 
|-
 
|-
 
 
 
 
| matchpathcon_index  
 
| matchpathcon_index  
| Same as ‘matchpathcon’, but return a specification index for later use in a matchpathcon_filespec_add() call.
+
| Same as matchpathcon, but return a specification index for later use in a matchpathcon_filespec_add() call.
 
| selinux.h
 
| selinux.h
  
 
|-
 
|-
 
 
 
 
| matchpathcon_init
 
| matchpathcon_init
 
| Load the file contexts configuration specified by 'path' into memory for use by subsequent matchpathcon calls. If 'path' is NULL, then load the active file contexts configuration, i.e. the path returned by selinux_file_context_path(). Unless the MATCHPATHCON_BASEONLY flag has been set, this function also checks for a 'path'.homedirs file and a 'path'.local file and loads additional specifications from them if present.
 
| Load the file contexts configuration specified by 'path' into memory for use by subsequent matchpathcon calls. If 'path' is NULL, then load the active file contexts configuration, i.e. the path returned by selinux_file_context_path(). Unless the MATCHPATHCON_BASEONLY flag has been set, this function also checks for a 'path'.homedirs file and a 'path'.local file and loads additional specifications from them if present.
Line 644: Line 435:
  
 
|-
 
|-
 
 
 
 
| matchpathcon_init_prefix
 
| matchpathcon_init_prefix
 
| Same as matchpathcon_init, but only load entries with regexes that have stems that are prefixes of 'prefix'.
 
| Same as matchpathcon_init, but only load entries with regexes that have stems that are prefixes of 'prefix'.
Line 652: Line 440:
  
 
|-
 
|-
 
 
 
 
| print_access_vector
 
| print_access_vector
 
| Display an access vector in a string representation.
 
| Display an access vector in a string representation.
Line 660: Line 445:
  
 
|-
 
|-
 
 
 
 
| query_user_context
 
| query_user_context
 
| Given a list of authorized security contexts for the user, query the user to select one and set <nowiki>*newcon</nowiki> to refer to it. Caller must free via freecon. Returns 0 on sucess or -1 otherwise.  
 
| Given a list of authorized security contexts for the user, query the user to select one and set <nowiki>*newcon</nowiki> to refer to it. Caller must free via freecon. Returns 0 on sucess or -1 otherwise.  
Line 668: Line 450:
  
 
|-
 
|-
 
 
 
 
| rpm_execcon
 
| rpm_execcon
 
| Execute a helper for rpm in an appropriate security context.
 
| Execute a helper for rpm in an appropriate security context.
Line 676: Line 455:
  
 
|-
 
|-
 
 
 
 
| security_av_perm_to_string
 
| security_av_perm_to_string
 
| Convert access vector permissions to string names.
 
| Convert access vector permissions to string names.
Line 684: Line 460:
  
 
|-
 
|-
 
 
 
 
| security_av_string
 
| security_av_string
 
| Returns an access vector in a string representation. User must free the returned string via free().
 
| Returns an access vector in a string representation. User must free the returned string via free().
Line 692: Line 465:
  
 
|-
 
|-
 
 
 
 
| security_canonicalize_context
 
| security_canonicalize_context
  
Line 702: Line 472:
  
 
|-
 
|-
 
 
 
 
| security_check_context
 
| security_check_context
  
Line 712: Line 479:
  
 
|-
 
|-
 
 
 
 
| security_class_to_string
 
| security_class_to_string
 
| Convert security class values to string names.
 
| Convert security class values to string names.
Line 720: Line 484:
  
 
|-
 
|-
 
 
 
 
| security_commit_booleans
 
| security_commit_booleans
 
| Commit the pending values for the booleans.
 
| Commit the pending values for the booleans.
Line 728: Line 489:
  
 
|-
 
|-
 
 
 
 
| security_compute_av
 
| security_compute_av
  
Line 738: Line 496:
  
 
|-
 
|-
 +
| security_compute_av_flags
  
 +
security_compute_av_flags_raw
 +
|
 +
| selinux.h
  
 
+
|-
 
| security_compute_create
 
| security_compute_create
  
Line 748: Line 510:
  
 
|-
 
|-
 
 
 
 
| security_compute_member
 
| security_compute_member
  
Line 758: Line 517:
  
 
|-
 
|-
 
 
 
 
| security_compute_relabel
 
| security_compute_relabel
  
Line 768: Line 524:
  
 
|-
 
|-
 
 
 
 
| security_compute_user
 
| security_compute_user
  
Line 778: Line 531:
  
 
|-
 
|-
 +
| security_deny_unknown
 +
| Get the behavior for undefined classes / permissions.
 +
| selinux.h
  
 
+
|-
 
+
 
| security_disable
 
| security_disable
 
| Disable SELinux at runtime (must be done prior to initial policy load).
 
| Disable SELinux at runtime (must be done prior to initial policy load).
Line 786: Line 541:
  
 
|-
 
|-
 
 
 
 
| security_get_boolean_active
 
| security_get_boolean_active
 
| Get the active value for the boolean.
 
| Get the active value for the boolean.
Line 794: Line 546:
  
 
|-
 
|-
 
 
 
 
| security_get_boolean_names
 
| security_get_boolean_names
 
| Get the boolean names
 
| Get the boolean names
Line 802: Line 551:
  
 
|-
 
|-
 
 
 
 
| security_get_boolean_pending
 
| security_get_boolean_pending
 
| Get the pending value for the boolean.
 
| Get the pending value for the boolean.
Line 810: Line 556:
  
 
|-
 
|-
 
 
 
 
| security_get_initial_context
 
| security_get_initial_context
  
Line 820: Line 563:
  
 
|-
 
|-
 
 
 
 
| security_getenforce
 
| security_getenforce
 
| Get the enforce flag value.
 
| Get the enforce flag value.
Line 828: Line 568:
  
 
|-
 
|-
 
 
 
 
| security_load_booleans
 
| security_load_booleans
 
| Load policy boolean settings. Path may be NULL, in which case the booleans are loaded from the active policy boolean configuration file.
 
| Load policy boolean settings. Path may be NULL, in which case the booleans are loaded from the active policy boolean configuration file.
Line 836: Line 573:
  
 
|-
 
|-
 
 
 
 
| security_load_policy
 
| security_load_policy
 
| Load a policy configuration.
 
| Load a policy configuration.
Line 844: Line 578:
  
 
|-
 
|-
 +
| '''selinux_mkload_policy'''
 +
| Make a policy image and load it. This is a higher level interface for loading policy than <tt>security_load_policy</tt>.
 +
| selinux.h
  
 
+
|-
 
+
 
| security_policyvers
 
| security_policyvers
 
| Get the policy version number.
 
| Get the policy version number.
Line 852: Line 588:
  
 
|-
 
|-
 
 
 
 
| security_set_boolean
 
| security_set_boolean
 
| Set the pending value for the boolean.
 
| Set the pending value for the boolean.
Line 860: Line 593:
  
 
|-
 
|-
 
 
 
 
| security_set_boolean_list
 
| security_set_boolean_list
 
| Save a list of booleans in a single transaction.
 
| Save a list of booleans in a single transaction.
Line 868: Line 598:
  
 
|-
 
|-
 
 
 
 
| security_setenforce
 
| security_setenforce
 
| Set the enforce flag value.
 
| Set the enforce flag value.
Line 876: Line 603:
  
 
|-
 
|-
 
 
 
 
| selabel_close
 
| selabel_close
 
| Destroy the specified handle, closing files, freeing allocated memory, etc. The handle may not be further used after it has been closed.
 
| Destroy the specified handle, closing files, freeing allocated memory, etc. The handle may not be further used after it has been closed.
Line 884: Line 608:
  
 
|-
 
|-
 
 
 
 
| selabel_lookup
 
| selabel_lookup
  
Line 894: Line 615:
  
 
|-
 
|-
 
 
 
 
| selabel_open
 
| selabel_open
 
| Create a labeling handle.
 
| Create a labeling handle.
Line 907: Line 625:
  
 
SELABEL_CTX_X - x_contexts.
 
SELABEL_CTX_X - x_contexts.
 +
 +
SELABEL_CTX_DB - pgsql_contexts.
  
 
Options may be provided via the opts parameter; available options are:
 
Options may be provided via the opts parameter; available options are:
Line 924: Line 644:
  
 
|-
 
|-
 
 
 
 
| selabel_stats
 
| selabel_stats
 
| Log a message with information about the number of queries performed, number of unused matching entries, or other operational statistics. Message is backend-specific, some backends may not output a message.
 
| Log a message with information about the number of queries performed, number of unused matching entries, or other operational statistics. Message is backend-specific, some backends may not output a message.
Line 932: Line 649:
  
 
|-
 
|-
 
 
 
 
| selinux_binary_policy_path
 
| selinux_binary_policy_path
 
| Return path to the binary policy file under the policy root directory.
 
| Return path to the binary policy file under the policy root directory.
Line 940: Line 654:
  
 
|-
 
|-
 
 
 
 
| selinux_booleans_path
 
| selinux_booleans_path
 
| Return path to the booleans file under the policy root directory.
 
| Return path to the booleans file under the policy root directory.
Line 948: Line 659:
  
 
|-
 
|-
 
 
 
 
| selinux_check_passwd_access
 
| selinux_check_passwd_access
 
| Check a permission in the passwd class. Return 0 if granted or -1 otherwise.
 
| Check a permission in the passwd class. Return 0 if granted or -1 otherwise.
Line 956: Line 664:
  
 
|-
 
|-
 
 
 
 
| selinux_check_securetty_context  
 
| selinux_check_securetty_context  
 
| Check if the tty_context is defined as a securetty<nowiki>. Return 0 if secure, < 0 otherwise.</nowiki>
 
| Check if the tty_context is defined as a securetty<nowiki>. Return 0 if secure, < 0 otherwise.</nowiki>
Line 964: Line 669:
  
 
|-
 
|-
 
 
 
 
| selinux_colors_path
 
| selinux_colors_path
 
| Return path to file under the policy root directory.
 
| Return path to file under the policy root directory.
Line 972: Line 674:
  
 
|-
 
|-
 
 
 
 
| selinux_contexts_path
 
| selinux_contexts_path
 
| Return path to contexts directory under the policy root directory.
 
| Return path to contexts directory under the policy root directory.
Line 980: Line 679:
  
 
|-
 
|-
 
 
 
 
| selinux_customizable_types_path
 
| selinux_customizable_types_path
 
| Return path to customizable_types file under the policy root directory.
 
| Return path to customizable_types file under the policy root directory.
Line 988: Line 684:
  
 
|-
 
|-
 
 
 
 
| selinux_default_context_path
 
| selinux_default_context_path
 
| Return path to default_context file under the policy root directory.
 
| Return path to default_context file under the policy root directory.
Line 996: Line 689:
  
 
|-
 
|-
 +
| selinux_default_type_path
 +
| Return path to default type file.
 +
| get_default_type.h
  
 
+
|-
 
+
 
| selinux_failsafe_context_path
 
| selinux_failsafe_context_path
 
| Return path to failsafe_context file under the policy root directory.
 
| Return path to failsafe_context file under the policy root directory.
Line 1,004: Line 699:
  
 
|-
 
|-
 
 
 
 
| selinux_file_context_cmp
 
| selinux_file_context_cmp
 
| Compare two file contexts, return 0 if equivalent.
 
| Compare two file contexts, return 0 if equivalent.
Line 1,012: Line 704:
  
 
|-
 
|-
 
 
 
 
| selinux_file_context_homedir_path
 
| selinux_file_context_homedir_path
 
| Return path to file under the policy root directory.
 
| Return path to file under the policy root directory.
Line 1,020: Line 709:
  
 
|-
 
|-
 
 
 
 
| selinux_file_context_local_path
 
| selinux_file_context_local_path
 
| Return path to file under the policy root directory.
 
| Return path to file under the policy root directory.
Line 1,028: Line 714:
  
 
|-
 
|-
 
 
 
 
| selinux_file_context_path
 
| selinux_file_context_path
 
| Return path to file under the policy root directory.
 
| Return path to file under the policy root directory.
Line 1,036: Line 719:
  
 
|-
 
|-
 +
| selinux_file_context_subs_path
 +
| Return path to file under the policy root directory.
 +
| selinux.h
  
 
+
|-
 
+
 
| selinux_file_context_verify
 
| selinux_file_context_verify
 
| Verify the context of the file 'path' against policy. Return 0 if correct.
 
| Verify the context of the file 'path' against policy. Return 0 if correct.
Line 1,044: Line 729:
  
 
|-
 
|-
 
 
 
 
| selinux_getenforcemode
 
| selinux_getenforcemode
 
| Reads the /etc/selinux/config file and determines whether the machine should be started in enforcing (1), permissive (0) or disabled (-1) mode.  
 
| Reads the /etc/selinux/config file and determines whether the machine should be started in enforcing (1), permissive (0) or disabled (-1) mode.  
Line 1,052: Line 734:
  
 
|-
 
|-
 
 
 
 
| selinux_getpolicytype
 
| selinux_getpolicytype
 
| Reads the /<tt>etc/selinux/config</tt> file and determines what the default policy for the machine is. Calling application must free policytype.
 
| Reads the /<tt>etc/selinux/config</tt> file and determines what the default policy for the machine is. Calling application must free policytype.
Line 1,060: Line 739:
  
 
|-
 
|-
 
 
 
 
| selinux_homedir_context_path
 
| selinux_homedir_context_path
 
| Return path to file under the policy root directory.
 
| Return path to file under the policy root directory.
Line 1,068: Line 744:
  
 
|-
 
|-
 
 
 
 
| selinux_init_load_policy
 
| selinux_init_load_policy
 
| Perform the initial policy load.
 
| Perform the initial policy load.
Line 1,080: Line 753:
  
 
|-
 
|-
 
 
 
 
| selinux_lsetfilecon_default
 
| selinux_lsetfilecon_default
 
| This function sets the file context on to the system defaults returns 0 on success.
 
| This function sets the file context on to the system defaults returns 0 on success.
Line 1,088: Line 758:
  
 
|-
 
|-
 
 
 
 
| selinux_media_context_path
 
| selinux_media_context_path
 
| Return path to file under the policy root directory.
 
| Return path to file under the policy root directory.
Line 1,096: Line 763:
  
 
|-
 
|-
 
 
 
 
| selinux_mkload_policy
 
| selinux_mkload_policy
 
| Make a policy image and load it.  
 
| Make a policy image and load it.  
Line 1,108: Line 772:
  
 
|-
 
|-
 
 
 
 
| selinux_netfilter_context_path
 
| selinux_netfilter_context_path
 
| Returns path to the netfilter_context file under the policy root directory.
 
| Returns path to the netfilter_context file under the policy root directory.
Line 1,116: Line 777:
  
 
|-
 
|-
 
 
 
 
| selinux_path
 
| selinux_path
 
| Returns path to the policy root directory.
 
| Returns path to the policy root directory.
Line 1,124: Line 782:
  
 
|-
 
|-
 
 
 
 
| selinux_policy_root
 
| selinux_policy_root
 
| Reads the /etc/selinux/config file and returns the top level directory.
 
| Reads the /etc/selinux/config file and returns the top level directory.
Line 1,132: Line 787:
  
 
|-
 
|-
 
 
 
 
| selinux_raw_context_to_color
 
| selinux_raw_context_to_color
 
| Perform context translation between security contexts and display colors. Returns a space-separated list of ten ten hex RGB triples prefixed by hash marks, e.g. "<nowiki>#ff0000</nowiki>". Caller must free the resulting string via free(). Returns -1 upon an error or 0 otherwise.
 
| Perform context translation between security contexts and display colors. Returns a space-separated list of ten ten hex RGB triples prefixed by hash marks, e.g. "<nowiki>#ff0000</nowiki>". Caller must free the resulting string via free(). Returns -1 upon an error or 0 otherwise.
Line 1,140: Line 792:
  
 
|-
 
|-
 
 
 
 
| selinux_raw_to_trans_context
 
| selinux_raw_to_trans_context
 
| Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon. Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0.
 
| Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon. Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0.
Line 1,148: Line 797:
  
 
|-
 
|-
 
 
 
 
| selinux_removable_context_path
 
| selinux_removable_context_path
 
| Return path to file under the policy root directory.
 
| Return path to file under the policy root directory.
Line 1,156: Line 802:
  
 
|-
 
|-
 +
| selinux_reset_config
 +
| Force a reset of the loaded configuration. Not thread-safe.
 +
| selinux.h
  
 
+
|-
 
+
 
| selinux_securetty_types_path
 
| selinux_securetty_types_path
 
| Return path to the securetty_types file under the policy root directory.
 
| Return path to the securetty_types file under the policy root directory.
Line 1,164: Line 812:
  
 
|-
 
|-
 +
| selinux_sepgsql_context_path
 +
| Return path to the <tt>sepgsql_context</tt> file under the policy root directory.
 +
| selinux.h
 +
 +
|-
 +
| selinux_set_callback
 +
| Sets up a call back for the following events:
 +
 +
<tt>SELINUX_CB_LOG</tt> - to add additional info to audit log.
 +
 +
<tt>SELINUX_CB_AUDIT</tt> - to add additional audit info when using calls like <tt>avc_has_perm</tt> that can cause an audit evet to be generated.
  
 +
<tt>SELINUX_CB_VALIDATE</tt> - to validate a context (used by <tt>setfiles</tt> for setting contexts on policies that are not active - see<tt> setfiles.c</tt>).
  
 +
<tt>SELINUX_CB_SETENFORCE</tt> - to run user defined functions whenever the state changes.
  
 +
<tt>SELINUX_CB_POLICYLOAD</tt> - to run user defined functions whenever the policy is reloaded.
 +
| selinux.h
 +
 +
|-
 
| selinux_set_mapping
 
| selinux_set_mapping
 
| Userspace class mapping support.
 
| Userspace class mapping support.
Line 1,172: Line 837:
  
 
|-
 
|-
 
 
 
 
| selinux_trans_to_raw_context
 
| selinux_trans_to_raw_context
 
| Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon. Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0.
 
| Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon. Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0.
Line 1,180: Line 842:
  
 
|-
 
|-
 
 
 
 
| selinux_translations_path
 
| selinux_translations_path
 
| Return path to setrans.conf file under the policy root directory.
 
| Return path to setrans.conf file under the policy root directory.
Line 1,188: Line 847:
  
 
|-
 
|-
 
 
 
 
| selinux_user_contexts_path
 
| selinux_user_contexts_path
 
| Return path to file under the policy root directory.
 
| Return path to file under the policy root directory.
Line 1,196: Line 852:
  
 
|-
 
|-
 
 
 
 
| selinux_users_path
 
| selinux_users_path
 
| Return path to file under the policy root directory.
 
| Return path to file under the policy root directory.
Line 1,204: Line 857:
  
 
|-
 
|-
 
 
 
 
| selinux_usersconf_path
 
| selinux_usersconf_path
 
| Return path to file under the policy root directory.
 
| Return path to file under the policy root directory.
Line 1,212: Line 862:
  
 
|-
 
|-
 
 
 
 
| selinux_virtual_domain_context_path
 
| selinux_virtual_domain_context_path
 
| Return path to file under the policy root directory.
 
| Return path to file under the policy root directory.
Line 1,220: Line 867:
  
 
|-
 
|-
 
 
 
 
| selinux_virtual_image_context_path
 
| selinux_virtual_image_context_path
 
| Return path to file under the policy root directory.
 
| Return path to file under the policy root directory.
Line 1,228: Line 872:
  
 
|-
 
|-
 
 
 
 
| selinux_x_context_path
 
| selinux_x_context_path
 
| Return path to x_context file under the policy root directory.
 
| Return path to x_context file under the policy root directory.
Line 1,236: Line 877:
  
 
|-
 
|-
 
 
 
 
| set_matchpathcon_canoncon
 
| set_matchpathcon_canoncon
| Same as ‘set_matchpathcon_invalidcon’, but also allows canonicalization of the context, by changing <nowiki>*context</nowiki> to refer to the canonical form. If not set, and invalidcon is also not set, then this defaults to calling security_canonicalize_context().
+
| Same as set_matchpathcon_invalidcon but also allows canonicalization of the context, by changing <nowiki>*context</nowiki> to refer to the canonical form. If not set, and invalidcon is also not set, then this defaults to calling security_canonicalize_context().
 
| selinux.h
 
| selinux.h
  
 
|-
 
|-
 
 
 
 
| set_matchpathcon_flags
 
| set_matchpathcon_flags
 
| Set flags controlling operation of matchpathcon_init or matchpathcon:  
 
| Set flags controlling operation of matchpathcon_init or matchpathcon:  
Line 1,258: Line 893:
  
 
|-
 
|-
 
 
 
 
| set_matchpathcon_invalidcon
 
| set_matchpathcon_invalidcon
 
| Set the function used by matchpathcon_init when checking the validity of a context in the file_contexts configuration. If not set, then this defaults to a test based on security_check_context(). The function is also responsible for reporting any such error, and may include the 'path' and 'lineno' in such error messages.
 
| Set the function used by matchpathcon_init when checking the validity of a context in the file_contexts configuration. If not set, then this defaults to a test based on security_check_context(). The function is also responsible for reporting any such error, and may include the 'path' and 'lineno' in such error messages.
Line 1,266: Line 898:
  
 
|-
 
|-
 
 
 
 
| set_matchpathcon_printf
 
| set_matchpathcon_printf
 
| Set the function used by matchpathcon_init when displaying errors about the file_contexts configuration. If not set, then this defaults to fprintf(stderr, fmt, ...).
 
| Set the function used by matchpathcon_init when displaying errors about the file_contexts configuration. If not set, then this defaults to fprintf(stderr, fmt, ...).
Line 1,274: Line 903:
  
 
|-
 
|-
 
 
 
 
| set_selinuxmnt  
 
| set_selinuxmnt  
 
| Set the path to the selinuxfs mount point explicitly. Normally, this is determined automatically during libselinux initialization, but this is not always possible, e.g. for /sbin/init which performs the initial mount of selinuxfs.
 
| Set the path to the selinuxfs mount point explicitly. Normally, this is determined automatically during libselinux initialization, but this is not always possible, e.g. for /sbin/init which performs the initial mount of selinuxfs.
Line 1,282: Line 908:
  
 
|-
 
|-
 
 
 
 
| setcon
 
| setcon
  
Line 1,294: Line 917:
  
 
|-
 
|-
 
 
 
 
| setexeccon
 
| setexeccon
  
Line 1,304: Line 924:
  
 
|-
 
|-
 
 
 
 
| setfilecon
 
| setfilecon
  
Line 1,314: Line 931:
  
 
|-
 
|-
 
 
 
 
| setfscreatecon
 
| setfscreatecon
  
Line 1,324: Line 938:
  
 
|-
 
|-
 
 
 
 
| setkeycreatecon
 
| setkeycreatecon
  
Line 1,334: Line 945:
  
 
|-
 
|-
 
 
 
 
| setsockcreatecon
 
| setsockcreatecon
  
Line 1,344: Line 952:
  
 
|-
 
|-
 
+
| sidget (depreciated)
 
+
| From 2.0.86 this is a no-op.
 
+
| sidget
+
| Increment SID reference counter.
+
 
+
Increment the reference counter for @sid, indicating that @sid is in use by an (additional) object. Return the new reference count, or zero if @sid is invalid (has zero reference count). Note that avc_context_to_sid() also increments reference counts.
+
 
| avc.h
 
| avc.h
  
 
|-
 
|-
 
+
| sidput (depreciated)
 
+
| From 2.0.86 this is a no-op.
 
+
| sidput
+
| Decrement SID reference counter.
+
 
+
Decrement the reference counter for @sid, indicating that a reference to @sid is no longer in use. Return the new reference count. When the reference count reaches zero, the SID is invalid, and avc_context_to_sid() must be called to obtain a new SID for the security context.
+
 
| avc.h
 
| avc.h
  
 
|-
 
|-
 
 
 
 
| string_to_av_perm
 
| string_to_av_perm
 
| Convert string names to access vector permissions.
 
| Convert string names to access vector permissions.
Line 1,372: Line 967:
  
 
|-
 
|-
 
 
 
 
| string_to_security_class
 
| string_to_security_class
 
| Convert string names to security class values.
 
| Convert string names to security class values.

Revision as of 13:48, 15 August 2010

API Summary for libselinux

The API summary has been taken from the libselinux 2.0.96 release and sorted in alphabetical order. There are 166 functions available in this release, although 4 are depreciated. The appropriate man (3) pages should consulted for detailed usage.

Function Name Description Header File
avc_add_callback Register a callback for security events.

Register a callback function for events in the set @events related to the SID pair (@ssid, @tsid) and and the permissions @perms, interpreting @perms based on @tclass. Returns %0 on success or -%1 if insufficient memory exists to add the callback.

avc.h
avc_audit Audit the granting or denial of permissions in accordance with the policy. This function is typically called by avc_has_perm() after a permission check, but can also be called directly by callers who use avc_has_perm_noaudit() in order to separate the permission check from the auditing. For example, this separation is useful when the permission check must be performed under a lock, to allow the lock to be released before calling the auditing code. avc.h
avc_av_stats Log AV table statistics.

Log a message with information about the size and distribution of the access vector table. The audit callback is used to print the message.

avc.h
avc_cache_stats Get cache access statistics.

Fill the supplied structure with information about AVC activity since the last call to avc_init() or avc_reset(). See the structure definition for details.

avc.h
avc_cleanup Remove unused SIDs and AVC entries.

Search the SID table for SID structures with zero reference counts, and remove them along with all AVC entries that reference them. This can be used to return memory to the system.

avc.h
avc_compute_create Compute SID for labeling a new object.

Call the security server to obtain a context for labeling a new object. Look up the context in the SID table, making a new entry if not found. Store a pointer to the SID structure into the memory referenced by @newsid, returning %0 on success or -%1 on error with @errno set.

avc.h
avc_compute_member Compute SID for polyinstantation.

Call the security server to obtain a context for labeling an object instance. Look up the context in the SID table, making a new entry if not found. Store a pointer to the SID structure into the memory referenced by @newsid, returning %0 on success or -%1 on error with @errno set.

avc.h
avc_context_to_sid

avc_context_to_sid_raw

Get SID for context. Look up security context @ctx in SID table, making a new entry if @ctx is not found. Store a pointer to the SID structure into the memory referenced by @sid,returning %0 on success or -%1 on error with @errno set. avc.h
avc_destroy Free all AVC structures.

Destroy all AVC structures and free all allocated memory. User-supplied locking, memory, and audit callbacks will be retained, but security-event callbacks will not. All SID's will be invalidated. User must call avc_init() if further use of AVC is desired.

avc.h
avc_entry_ref_init Initialize an AVC entry reference.

Use this macro to initialize an avc entry reference structure before first use. These structures are passed to avc_has_perm(), which stores cache entry references in them. They can increase performance on repeated queries.

avc.h
avc_get_initial_sid Get SID for an initial kernel security identifier.

Get the context for an initial kernel security identifier specified by @name using security_get_initial_context() and then call avc_context_to_sid() to get the corresponding SID.

avc.h
avc_has_perm Check permissions and perform any appropriate auditing.

Check the AVC to determine whether the @requested permissions are granted for the SID pair (@ssid, @tsid), interpreting the permissions based on @tclass, and call the security server on a cache miss to obtain a new decision and add it to the cache. Update @aeref to refer to an AVC entry with the resulting decisions. Audit the granting or denial of permissions in accordance with the policy. Return %0 if all @requested permissions are granted, -%1 with @errno set to %EACCES if any permissions are denied or to another value upon other errors.

avc.h
avc_has_perm_noaudit Check permissions but perform no auditing. Check the AVC to determine whether the @requested permissions are granted for the SID pair (@ssid, @tsid), interpreting the permissions based on @tclass, and call the security server on a cache miss to obtain a new decision and add it to the cache. Update @aeref to refer to an AVC entry with the resulting decisions, and return a copy of the decisions in @avd. Return %0 if all @requested permissions are granted, -%1 with @errno set to %EACCES if any permissions are denied, or to another value upon other errors. This function is typically called by avc_has_perm(), but may also be called directly to separate permission checking from auditing, e.g. in cases where a lock must be held for the check but should be released for the auditing. avc.h
avc_init (depreciated) Legacy userspace SELinux AVC setup - use avc_open.

Initialize the access vector cache. Return %0 on success or -%1 with @errno set on failure. If @msgprefix is NULL, uses "uavc". If any callback structure references are NULL, use default methods for those callbacks (see the definition of the callback structures).

avc.h
avc_netlink_acquire_fd Create a netlink socket and connect to the kernel. avc.h
avc_netlink_check_nb Wait for netlink messages from the kernel. avc.h
avc_netlink_close Close the netlink socket. avc.h
avc_netlink_loop Acquire netlink socket fd. Allows the application to manage messages from the netlink socket in its own main loop. avc.h
avc_netlink_open Release netlink socket fd. Returns ownership of the netlink socket to the library. avc.h
avc_netlink_release_fd Check netlink socket for new messages. Called by the application when using avc_netlink_acquire_fd() to process kernel netlink events. avc.h
avc_open Initialize the AVC. This function is identical to avc_init() except the message prefix is set to “avc” and any callbacks desired should be specified via selinux_set_callback(). It is possible to set enforcing mode using AVC_OPT_SETENFORCE, this will override the kernel setting. avc.h
avc_reset Flush the cache and reset statistics. Remove all entries from the cache and reset all access statistics (as returned by avc_cache_stats()) to zero. The SID mapping is not affected. Return %0 on success, -%1 with @errno set on error. avc.h
avc_sid_stats Log SID table statistics. Log a message with information about the size and distribution of the SID table. The audit callback is used to print the message. avc.h
avc_sid_to_context

avc_sid_to_context_raw

Get copy of context corresponding to SID. Return a copy of the security context corresponding to the input @sid in the memory referenced by @ctx. The caller is expected to free the context with freecon(). Return %0 on success, -%1 on failure, with @errno set to %ENOMEM if insufficient memory was available to make the copy, or %EINVAL if the input SID is invalid. avc.h
checkPasswdAccess (depreciated) Check a permission in the passwd class. Return 0 if granted or -1 otherwise. selinux.h
context_free Free the storage used by a context. context.h
context_new Return a new context initialized to a context string. context.h
context_range_get Get a pointer to the range. context.h
context_range_set Set the range component. Returns nonzero if unsuccessful. context.h
context_role_get Get a pointer to the role. context.h
context_role_set Set the role component. Returns nonzero if unsuccessful. context.h
context_str Return a pointer to the string value of context_t. Valid until the next call to context_str or context_free for the same context_t*. context.h
context_type_get Get a pointer to the type. context.h
context_type_set Set the type component. Returns nonzero if unsuccessful. context.h
context_user_get Get a pointer to the user. context.h
context_user_set Set the user component. Returns nonzero if unsuccessful. context.h
fgetfilecon

fgetfilecon_raw

Wrapper for the xattr API - Get file context, and set *con to refer to it. Caller must free via freecon. selinux.h
fini_selinuxmnt Deinitialises the global variable selinux_mnt to the selinuxfs mountpoint.
freecon Free the memory allocated for a context by any of the get* calls. selinux.h
freeconary Free the memory allocated for a context array by security_compute_user. selinux.h
fsetfilecon

fsetfilecon_raw

Wrapper for the xattr API- Set file context. selinux.h
get_default_context Get the default security context for a user session for 'user' spawned by 'fromcon' and set *newcon to refer to it. The context will be one of those authorized by the policy, but the selection of a default is subject to user customizable preferences. If 'fromcon' is NULL, defaults to current context. Returns 0 on success or -1 otherwise. Caller must free via freecon. get_context_list.h
get_default_context_with_level Same as get_default_context, but use the provided MLS level rather than the default level for the user. get_context_list.h
get_default_context_with_role Same as get_default_context, but only return a context that has the specified role. get_context_list.h
get_default_context_with_rolelevel Same as get_default_context, but only return a context that has the specified role and level. get_context_list.h
get_default_type Get the default type (domain) for 'role' and set 'type' to refer to it. Caller must free via free(). Return 0 on success or -1 otherwise. get_default_type.h
get_ordered_context_list Get an ordered list of authorized security contexts for a user session for 'user' spawned by 'fromcon' and set *conary to refer to the NULL-terminated array of contexts. Every entry in the list will be authorized by the policy, but the ordering is subject to user customizable preferences. Returns number of entries in *conary. If 'fromcon' is NULL, defaults to current context. Caller must free via freeconary. get_context_list.h
get_ordered_context_list_with_level Same as get_ordered_context_list, but use the provided MLS level rather than the default level for the user. get_context_list.h
getcon

getcon_raw

Get current context, and set *con to refer to it. Caller must free via freecon. selinux.h
getexeccon

getexeccon_raw

Get exec context, and set *con to refer to it. Sets *con to NULL if no exec context has been set, i.e. using default. If non-NULL, caller must free via freecon. selinux.h
getfilecon

getfilecon_raw

Wrapper for the xattr API - Get file context, and set *con to refer to it. Caller must free via freecon. selinux.h
getfscreatecon

getfscreatecon_raw

Get fscreate context, and set *con to refer to it. Sets *con to NULL if no fs create context has been set, i.e. using default.If non-NULL, caller must free via freecon. selinux.h
getkeycreatecon

getkeycreatecon_raw

Get keycreate context, and set *con to refer to it. Sets *con to NULL if no key create context has been set, i.e. using default. If non-NULL, caller must free via freecon. selinux.h
getpeercon

getpeercon_raw

Wrapper for the socket API - Get context of peer socket, and set *con to refer to it. Caller must free via freecon. selinux.h
getpidcon

getpidcon_raw

Get context of process identified by pid, and set *con to refer to it. Caller must free via freecon. selinux.h
getprevcon

getprevcon_raw

Get previous context (prior to last exec), and set *con to refer to it. Caller must free via freecon. selinux.h
getseuser Get the SELinux username and level to use for a given Linux username and service. These values may then be passed into the get_ordered_context_list* and get_default_context* functions to obtain a context for the user. Returns 0 on success or -1 otherwise. Caller must free the returned strings via free(). selinux.h
getseuserbyname Get the SELinux username and level to use for a given Linux username. These values may then be passed into the get_ordered_context_list* and get_default_context* functions to obtain a context for the user. Returns 0 on success or -1 otherwise. Caller must free the returned strings via free(). selinux.h
getsockcreatecon

getsockcreatecon_raw

Get sockcreate context, and set *con to refer to it. Sets *con to NULL if no socket create context has been set, i.e. using default. If non-NULL, caller must free via freecon. selinux.h
init_selinuxmnt Initialises the global variable selinux_mnt to the selinuxfs mountpoint.
is_context_customizable Returns whether a file context is customizable, and should not be relabeled. selinux.h
is_selinux_enabled Return 1 if running on a SELinux kernel, or 0 if not or -1 for error. selinux.h
is_selinux_mls_enabled Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. selinux.h
lgetfilecon

lgetfilecon_raw

Wrapper for the xattr API - Get file context, and set *con to refer to it. Caller must free via freecon. selinux.h
lsetfilecon

lsetfilecon_raw

Wrapper for the xattr API- Set file context for symbolic link. selinux.h
manual_user_enter_context Allow the user to manually enter a context as a fallback if a list of authorized contexts could not be obtained. Caller must free via freecon. Returns 0 on success or -1 otherwise. get_context_list.h
matchmediacon Match the specified media and against the media contexts configuration and set *con to refer to the resulting context. Caller must free con via freecon. selinux.h
matchpathcon Match the specified pathname and mode against the file context sconfiguration and set *con to refer to the resulting context.'mode' can be 0 to disable mode matching. Caller must free via freecon. If matchpathcon_init has not already been called, then this function will call it upon its first invocation with a NULL path. selinux.h
matchpathcon_checkmatches Check to see whether any specifications had no matches and report them. The 'str' is used as a prefix for any warning messages. selinux.h
matchpathcon_filespec_add Maintain an association between an inode and a specification index, and check whether a conflicting specification is already associated with the same inode (e.g. due to multiple hard links). If so, then use the latter of the two specifications based on their order in the file contexts configuration. Return the used specification index. selinux.h
matchpathcon_filespec_destroy Destroy any inode associations that have been added, e.g. to restart for a new filesystem. selinux.h
matchpathcon_filespec_eval Display statistics on the hash table usage for the associations. selinux.h
matchpathcon_fini Free the memory allocated by matchpathcon_init. selinux.h
matchpathcon_index Same as matchpathcon, but return a specification index for later use in a matchpathcon_filespec_add() call. selinux.h
matchpathcon_init Load the file contexts configuration specified by 'path' into memory for use by subsequent matchpathcon calls. If 'path' is NULL, then load the active file contexts configuration, i.e. the path returned by selinux_file_context_path(). Unless the MATCHPATHCON_BASEONLY flag has been set, this function also checks for a 'path'.homedirs file and a 'path'.local file and loads additional specifications from them if present. selinux.h
matchpathcon_init_prefix Same as matchpathcon_init, but only load entries with regexes that have stems that are prefixes of 'prefix'. selinux.h
print_access_vector Display an access vector in a string representation. selinux.h
query_user_context Given a list of authorized security contexts for the user, query the user to select one and set *newcon to refer to it. Caller must free via freecon. Returns 0 on sucess or -1 otherwise. get_context_list.h
rpm_execcon Execute a helper for rpm in an appropriate security context. selinux.h
security_av_perm_to_string Convert access vector permissions to string names. selinux.h
security_av_string Returns an access vector in a string representation. User must free the returned string via free(). selinux.h
security_canonicalize_context

security_canonicalize_context_raw

Canonicalize a security context. selinux.h
security_check_context

security_check_context_raw

Check the validity of a security context. selinux.h
security_class_to_string Convert security class values to string names. selinux.h
security_commit_booleans Commit the pending values for the booleans. selinux.h
security_compute_av

security_compute_av_raw

Compute an access decision. selinux.h
security_compute_av_flags

security_compute_av_flags_raw

selinux.h
security_compute_create

security_compute_create_raw

Compute a labeling decision and set *newcon to refer to it. Caller must free via freecon. selinux.h
security_compute_member

security_compute_member_raw

Compute a polyinstantiation member decision and set *newcon to refer to it. Caller must free via freecon. selinux.h
security_compute_relabel

security_compute_relabel_raw

Compute a relabeling decision and set *newcon to refer to it. Caller must free via freecon. selinux.h
security_compute_user

security_compute_user_raw

Compute the set of reachable user contexts and set *con to refer to the NULL-terminated array of contexts. Caller must free via freeconary. selinux.h
security_deny_unknown Get the behavior for undefined classes / permissions. selinux.h
security_disable Disable SELinux at runtime (must be done prior to initial policy load). selinux.h
security_get_boolean_active Get the active value for the boolean. selinux.h
security_get_boolean_names Get the boolean names selinux.h
security_get_boolean_pending Get the pending value for the boolean. selinux.h
security_get_initial_context

security_get_initial_context_raw

Get the context of an initial kernel security identifier by name. Caller must free via freecon. selinux.h
security_getenforce Get the enforce flag value. selinux.h
security_load_booleans Load policy boolean settings. Path may be NULL, in which case the booleans are loaded from the active policy boolean configuration file. selinux.h
security_load_policy Load a policy configuration. selinux.h
selinux_mkload_policy Make a policy image and load it. This is a higher level interface for loading policy than security_load_policy. selinux.h
security_policyvers Get the policy version number. selinux.h
security_set_boolean Set the pending value for the boolean. selinux.h
security_set_boolean_list Save a list of booleans in a single transaction. selinux.h
security_setenforce Set the enforce flag value. selinux.h
selabel_close Destroy the specified handle, closing files, freeing allocated memory, etc. The handle may not be further used after it has been closed. label.h
selabel_lookup

selabel_lookup_raw

Perform a labeling lookup operation. Return %0 on success, -%1 with @errno set on failure. The key and type arguments are the inputs to the lookup operation; appropriate values are dictated by the backend in use. The result is returned in the memory pointed to by @con and must be freed by the user with freecon(). label.h
selabel_open Create a labeling handle.

Open a labeling backend for use. The available backend identifiers are:

SELABEL_CTX_FILE - file_contexts.

SELABEL_CTX_MEDIA - media contexts.

SELABEL_CTX_X - x_contexts.

SELABEL_CTX_DB - pgsql_contexts.

Options may be provided via the opts parameter; available options are:

SELABEL_OPT_UNUSED - no-op option, useful for unused slots in an array of options.

SELABEL_OPT_VALIDATE - validate contexts before returning them (boolean value).

SELABEL_OPT_BASEONLY - don't use local customizations to backend data (boolean value).

SELABEL_OPT_PATH - specify an alternate path to use when loading backend data.

SELABEL_OPT_SUBSET - select a subset of the search space as an optimization (file backend).

Not all options may be supported by every backend. Return value is the created handle on success or NULL with @errno set on failure.

label.h
selabel_stats Log a message with information about the number of queries performed, number of unused matching entries, or other operational statistics. Message is backend-specific, some backends may not output a message. label.h
selinux_binary_policy_path Return path to the binary policy file under the policy root directory. selinux.h
selinux_booleans_path Return path to the booleans file under the policy root directory. selinux.h
selinux_check_passwd_access Check a permission in the passwd class. Return 0 if granted or -1 otherwise. selinux.h
selinux_check_securetty_context Check if the tty_context is defined as a securetty. Return 0 if secure, < 0 otherwise. selinux.h
selinux_colors_path Return path to file under the policy root directory. selinux.h
selinux_contexts_path Return path to contexts directory under the policy root directory. selinux.h
selinux_customizable_types_path Return path to customizable_types file under the policy root directory. selinux.h
selinux_default_context_path Return path to default_context file under the policy root directory. selinux.h
selinux_default_type_path Return path to default type file. get_default_type.h
selinux_failsafe_context_path Return path to failsafe_context file under the policy root directory. selinux.h
selinux_file_context_cmp Compare two file contexts, return 0 if equivalent. selinux.h
selinux_file_context_homedir_path Return path to file under the policy root directory. selinux.h
selinux_file_context_local_path Return path to file under the policy root directory. selinux.h
selinux_file_context_path Return path to file under the policy root directory. selinux.h
selinux_file_context_subs_path Return path to file under the policy root directory. selinux.h
selinux_file_context_verify Verify the context of the file 'path' against policy. Return 0 if correct. selinux.h
selinux_getenforcemode Reads the /etc/selinux/config file and determines whether the machine should be started in enforcing (1), permissive (0) or disabled (-1) mode. selinux.h
selinux_getpolicytype Reads the /etc/selinux/config file and determines what the default policy for the machine is. Calling application must free policytype. selinux.h
selinux_homedir_context_path Return path to file under the policy root directory. selinux.h
selinux_init_load_policy Perform the initial policy load.

This function determines the desired enforcing mode, sets the the *enforce argument accordingly for the caller to use, sets the SELinux kernel enforcing status to match it, and loads the policy. It also internally handles the initial selinuxfs mount required to perform these actions.

The function returns 0 if everything including the policy load succeeds. In this case, init is expected to re-exec itself in order to transition to the proper security context. Otherwise, the function returns -1, and init must check *enforce to determine how to proceed. If enforcing (*enforce > 0), then init should halt the system. Otherwise, init may proceed normally without a re-exec.

selinux.h
selinux_lsetfilecon_default This function sets the file context on to the system defaults returns 0 on success. selinux.h
selinux_media_context_path Return path to file under the policy root directory. selinux.h
selinux_mkload_policy Make a policy image and load it.

This function provides a higher level interface for loading policy than security_load_policy, internally determining the right policy version, locating and opening the policy file, mapping it into memory, manipulating it as needed for current boolean settings and/or local definitions, and then calling security_load_policy to load it.

'preservebools' is a boolean flag indicating whether current policy boolean values should be preserved into the new policy (if 1) or reset to the saved policy settings (if 0). The former case is the default for policy reloads, while the latter case is an option for policy reloads but is primarily for the initial policy load.

selinux.h
selinux_netfilter_context_path Returns path to the netfilter_context file under the policy root directory. selinux.h
selinux_path Returns path to the policy root directory. selinux.h
selinux_policy_root Reads the /etc/selinux/config file and returns the top level directory. selinux.h
selinux_raw_context_to_color Perform context translation between security contexts and display colors. Returns a space-separated list of ten ten hex RGB triples prefixed by hash marks, e.g. "#ff0000". Caller must free the resulting string via free(). Returns -1 upon an error or 0 otherwise. selinux.h
selinux_raw_to_trans_context Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon. Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0. selinux.h
selinux_removable_context_path Return path to file under the policy root directory. selinux.h
selinux_reset_config Force a reset of the loaded configuration. Not thread-safe. selinux.h
selinux_securetty_types_path Return path to the securetty_types file under the policy root directory. selinux.h
selinux_sepgsql_context_path Return path to the sepgsql_context file under the policy root directory. selinux.h
selinux_set_callback Sets up a call back for the following events:

SELINUX_CB_LOG - to add additional info to audit log.

SELINUX_CB_AUDIT - to add additional audit info when using calls like avc_has_perm that can cause an audit evet to be generated.

SELINUX_CB_VALIDATE - to validate a context (used by setfiles for setting contexts on policies that are not active - see setfiles.c).

SELINUX_CB_SETENFORCE - to run user defined functions whenever the state changes.

SELINUX_CB_POLICYLOAD - to run user defined functions whenever the policy is reloaded.

selinux.h
selinux_set_mapping Userspace class mapping support. selinux.h
selinux_trans_to_raw_context Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon. Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0. selinux.h
selinux_translations_path Return path to setrans.conf file under the policy root directory. selinux.h
selinux_user_contexts_path Return path to file under the policy root directory. selinux.h
selinux_users_path Return path to file under the policy root directory. selinux.h
selinux_usersconf_path Return path to file under the policy root directory. selinux.h
selinux_virtual_domain_context_path Return path to file under the policy root directory. selinux.h
selinux_virtual_image_context_path Return path to file under the policy root directory. selinux.h
selinux_x_context_path Return path to x_context file under the policy root directory. selinux.h
set_matchpathcon_canoncon Same as set_matchpathcon_invalidcon but also allows canonicalization of the context, by changing *context to refer to the canonical form. If not set, and invalidcon is also not set, then this defaults to calling security_canonicalize_context(). selinux.h
set_matchpathcon_flags Set flags controlling operation of matchpathcon_init or matchpathcon:

MATCHPATHCON_BASEONLY - Only process the base file_contexts file.

MATCHPATHCON_NOTRANS - Do not perform any context translation.

MATCHPATHCON_VALIDATE - Validate/canonicalize contexts at init time.

selinux.h
set_matchpathcon_invalidcon Set the function used by matchpathcon_init when checking the validity of a context in the file_contexts configuration. If not set, then this defaults to a test based on security_check_context(). The function is also responsible for reporting any such error, and may include the 'path' and 'lineno' in such error messages. selinux.h
set_matchpathcon_printf Set the function used by matchpathcon_init when displaying errors about the file_contexts configuration. If not set, then this defaults to fprintf(stderr, fmt, ...). selinux.h
set_selinuxmnt Set the path to the selinuxfs mount point explicitly. Normally, this is determined automatically during libselinux initialization, but this is not always possible, e.g. for /sbin/init which performs the initial mount of selinuxfs. selinux.h
setcon

setcon_raw

Set the current security context to con.

Note that use of this function requires that the entire application be trusted to maintain any desired separation between the old and new security contexts, unlike exec-based transitions performed via setexeccon. When possible, decompose your application and use setexeccon()+execve() instead. Note that the application may lose access to its open descriptors as a result of a setcon() unless policy allows it to use descriptors opened by the old context.

selinux.h
setexeccon

setexeccon_raw

Set exec security context for the next execve. Call with NULL if you want to reset to the default. selinux.h
setfilecon

setfilecon_raw

Wrapper for the xattr API - Set file context. selinux.h
setfscreatecon

setfscreatecon_raw

Set the fscreate security context for subsequent file creations. Call with NULL if you want to reset to the default. selinux.h
setkeycreatecon

setkeycreatecon_raw

Set the keycreate security context for subsequent key creations. Call with NULL if you want to reset to the default. selinux.h
setsockcreatecon

setsockcreatecon_raw

Set the sockcreate security context for subsequent socket creations. Call with NULL if you want to reset to the default. selinux.h
sidget (depreciated) From 2.0.86 this is a no-op. avc.h
sidput (depreciated) From 2.0.86 this is a no-op. avc.h
string_to_av_perm Convert string names to access vector permissions. selinux.h
string_to_security_class Convert string names to security class values. selinux.h