LibselinuxAPISummary
API Summary for libselinux
The API summary has been taken from the libselinux 2.0.96 release and sorted in alphabetical order. There are 166 functions available in this release, although 4 are deprecated. The appropriate man (3) pages should consulted for detailed usage.
Function Name | Description | Header File |
---|---|---|
avc_add_callback | Register a callback for security events.
Register a callback function for events in the set @events related to the SID pair (@ssid, @tsid) and and the permissions @perms, interpreting @perms based on @tclass. Returns %0 on success or -%1 if insufficient memory exists to add the callback. |
avc.h |
avc_audit | Audit the granting or denial of permissions in accordance with the policy. This function is typically called by avc_has_perm() after a permission check, but can also be called directly by callers who use avc_has_perm_noaudit() in order to separate the permission check from the auditing. For example, this separation is useful when the permission check must be performed under a lock, to allow the lock to be released before calling the auditing code. | avc.h |
avc_av_stats | Log AV table statistics.
Log a message with information about the size and distribution of the access vector table. The audit callback is used to print the message. |
avc.h |
avc_cache_stats | Get cache access statistics.
Fill the supplied structure with information about AVC activity since the last call to avc_init() or avc_reset(). See the structure definition for details. |
avc.h |
avc_cleanup | Remove unused SIDs and AVC entries.
Search the SID table for SID structures with zero reference counts, and remove them along with all AVC entries that reference them. This can be used to return memory to the system. |
avc.h |
avc_compute_create | Compute SID for labeling a new object.
Call the security server to obtain a context for labeling a new object. Look up the context in the SID table, making a new entry if not found. Store a pointer to the SID structure into the memory referenced by @newsid, returning %0 on success or -%1 on error with @errno set. |
avc.h |
avc_compute_member | Compute SID for polyinstantation.
Call the security server to obtain a context for labeling an object instance. Look up the context in the SID table, making a new entry if not found. Store a pointer to the SID structure into the memory referenced by @newsid, returning %0 on success or -%1 on error with @errno set. |
avc.h |
avc_context_to_sid
avc_context_to_sid_raw |
Get SID for context. Look up security context @ctx in SID table, making a new entry if @ctx is not found. Store a pointer to the SID structure into the memory referenced by @sid,returning %0 on success or -%1 on error with @errno set. | avc.h |
avc_destroy | Free all AVC structures.
Destroy all AVC structures and free all allocated memory. User-supplied locking, memory, and audit callbacks will be retained, but security-event callbacks will not. All SID's will be invalidated. User must call avc_init() if further use of AVC is desired. |
avc.h |
avc_entry_ref_init | Initialize an AVC entry reference.
Use this macro to initialize an avc entry reference structure before first use. These structures are passed to avc_has_perm(), which stores cache entry references in them. They can increase performance on repeated queries. |
avc.h |
avc_get_initial_sid | Get SID for an initial kernel security identifier.
Get the context for an initial kernel security identifier specified by @name using security_get_initial_context() and then call avc_context_to_sid() to get the corresponding SID. |
avc.h |
avc_has_perm | Check permissions and perform any appropriate auditing.
Check the AVC to determine whether the @requested permissions are granted for the SID pair (@ssid, @tsid), interpreting the permissions based on @tclass, and call the security server on a cache miss to obtain a new decision and add it to the cache. Update @aeref to refer to an AVC entry with the resulting decisions. Audit the granting or denial of permissions in accordance with the policy. Return %0 if all @requested permissions are granted, -%1 with @errno set to %EACCES if any permissions are denied or to another value upon other errors. |
avc.h |
avc_has_perm_noaudit | Check permissions but perform no auditing. Check the AVC to determine whether the @requested permissions are granted for the SID pair (@ssid, @tsid), interpreting the permissions based on @tclass, and call the security server on a cache miss to obtain a new decision and add it to the cache. Update @aeref to refer to an AVC entry with the resulting decisions, and return a copy of the decisions in @avd. Return %0 if all @requested permissions are granted, -%1 with @errno set to %EACCES if any permissions are denied, or to another value upon other errors. This function is typically called by avc_has_perm(), but may also be called directly to separate permission checking from auditing, e.g. in cases where a lock must be held for the check but should be released for the auditing. | avc.h |
avc_init (deprecated) | Legacy userspace SELinux AVC setup - use avc_open.
Initialize the access vector cache. Return %0 on success or -%1 with @errno set on failure. If @msgprefix is NULL, uses "uavc". If any callback structure references are NULL, use default methods for those callbacks (see the definition of the callback structures). |
avc.h |
avc_netlink_acquire_fd | Create a netlink socket and connect to the kernel. | avc.h |
avc_netlink_check_nb | Wait for netlink messages from the kernel. | avc.h |
avc_netlink_close | Close the netlink socket. | avc.h |
avc_netlink_loop | Acquire netlink socket fd. Allows the application to manage messages from the netlink socket in its own main loop. | avc.h |
avc_netlink_open | Release netlink socket fd. Returns ownership of the netlink socket to the library. | avc.h |
avc_netlink_release_fd | Check netlink socket for new messages. Called by the application when using avc_netlink_acquire_fd() to process kernel netlink events. | avc.h |
avc_open | Initialize the AVC. This function is identical to avc_init() except the message prefix is set to “avc” and any callbacks desired should be specified via selinux_set_callback(). It is possible to set enforcing mode using AVC_OPT_SETENFORCE, this will override the kernel setting. | avc.h |
avc_reset | Flush the cache and reset statistics. Remove all entries from the cache and reset all access statistics (as returned by avc_cache_stats()) to zero. The SID mapping is not affected. Return %0 on success, -%1 with @errno set on error. | avc.h |
avc_sid_stats | Log SID table statistics. Log a message with information about the size and distribution of the SID table. The audit callback is used to print the message. | avc.h |
avc_sid_to_context
avc_sid_to_context_raw |
Get copy of context corresponding to SID. Return a copy of the security context corresponding to the input @sid in the memory referenced by @ctx. The caller is expected to free the context with freecon(). Return %0 on success, -%1 on failure, with @errno set to %ENOMEM if insufficient memory was available to make the copy, or %EINVAL if the input SID is invalid. | avc.h |
checkPasswdAccess (deprecated) | Check a permission in the passwd class. Return 0 if granted or -1 otherwise. | selinux.h |
context_free | Free the storage used by a context. | context.h |
context_new | Return a new context initialized to a context string. | context.h |
context_range_get | Get a pointer to the range. | context.h |
context_range_set | Set the range component. Returns nonzero if unsuccessful. | context.h |
context_role_get | Get a pointer to the role. | context.h |
context_role_set | Set the role component. Returns nonzero if unsuccessful. | context.h |
context_str | Return a pointer to the string value of context_t. Valid until the next call to context_str or context_free for the same context_t*. | context.h |
context_type_get | Get a pointer to the type. | context.h |
context_type_set | Set the type component. Returns nonzero if unsuccessful. | context.h |
context_user_get | Get a pointer to the user. | context.h |
context_user_set | Set the user component. Returns nonzero if unsuccessful. | context.h |
fgetfilecon
fgetfilecon_raw |
Wrapper for the xattr API - Get file context, and set *con to refer to it. Caller must free via freecon. | selinux.h |
fini_selinuxmnt | Deinitialises the global variable selinux_mnt to the selinuxfs mountpoint. | |
freecon | Free the memory allocated for a context by any of the get* calls. | selinux.h |
freeconary | Free the memory allocated for a context array by security_compute_user. | selinux.h |
fsetfilecon
fsetfilecon_raw |
Wrapper for the xattr API- Set file context. | selinux.h |
get_default_context | Get the default security context for a user session for 'user' spawned by 'fromcon' and set *newcon to refer to it. The context will be one of those authorized by the policy, but the selection of a default is subject to user customizable preferences. If 'fromcon' is NULL, defaults to current context. Returns 0 on success or -1 otherwise. Caller must free via freecon. | get_context_list.h |
get_default_context_with_level | Same as get_default_context, but use the provided MLS level rather than the default level for the user. | get_context_list.h |
get_default_context_with_role | Same as get_default_context, but only return a context that has the specified role. | get_context_list.h |
get_default_context_with_rolelevel | Same as get_default_context, but only return a context that has the specified role and level. | get_context_list.h |
get_default_type | Get the default type (domain) for 'role' and set 'type' to refer to it. Caller must free via free(). Return 0 on success or -1 otherwise. | get_default_type.h |
get_ordered_context_list | Get an ordered list of authorized security contexts for a user session for 'user' spawned by 'fromcon' and set *conary to refer to the NULL-terminated array of contexts. Every entry in the list will be authorized by the policy, but the ordering is subject to user customizable preferences. Returns number of entries in *conary. If 'fromcon' is NULL, defaults to current context. Caller must free via freeconary. | get_context_list.h |
get_ordered_context_list_with_level | Same as get_ordered_context_list, but use the provided MLS level rather than the default level for the user. | get_context_list.h |
getcon
getcon_raw |
Get current context, and set *con to refer to it. Caller must free via freecon. | selinux.h |
getexeccon
getexeccon_raw |
Get exec context, and set *con to refer to it. Sets *con to NULL if no exec context has been set, i.e. using default. If non-NULL, caller must free via freecon. | selinux.h |
getfilecon
getfilecon_raw |
Wrapper for the xattr API - Get file context, and set *con to refer to it. Caller must free via freecon. | selinux.h |
getfscreatecon
getfscreatecon_raw |
Get fscreate context, and set *con to refer to it. Sets *con to NULL if no fs create context has been set, i.e. using default.If non-NULL, caller must free via freecon. | selinux.h |
getkeycreatecon
getkeycreatecon_raw |
Get keycreate context, and set *con to refer to it. Sets *con to NULL if no key create context has been set, i.e. using default. If non-NULL, caller must free via freecon. | selinux.h |
getpeercon
getpeercon_raw |
Wrapper for the socket API - Get context of peer socket, and set *con to refer to it. Caller must free via freecon. | selinux.h |
getpidcon
getpidcon_raw |
Get context of process identified by pid, and set *con to refer to it. Caller must free via freecon. | selinux.h |
getprevcon
getprevcon_raw |
Get previous context (prior to last exec), and set *con to refer to it. Caller must free via freecon. | selinux.h |
getseuser | Get the SELinux username and level to use for a given Linux username and service. These values may then be passed into the get_ordered_context_list* and get_default_context* functions to obtain a context for the user. Returns 0 on success or -1 otherwise. Caller must free the returned strings via free(). | selinux.h |
getseuserbyname | Get the SELinux username and level to use for a given Linux username. These values may then be passed into the get_ordered_context_list* and get_default_context* functions to obtain a context for the user. Returns 0 on success or -1 otherwise. Caller must free the returned strings via free(). | selinux.h |
getsockcreatecon
getsockcreatecon_raw |
Get sockcreate context, and set *con to refer to it. Sets *con to NULL if no socket create context has been set, i.e. using default. If non-NULL, caller must free via freecon. | selinux.h |
init_selinuxmnt | Initialises the global variable selinux_mnt to the selinuxfs mountpoint. | |
is_context_customizable | Returns whether a file context is customizable, and should not be relabeled. | selinux.h |
is_selinux_enabled | Return 1 if running on a SELinux kernel, or 0 if not or -1 for error. | selinux.h |
is_selinux_mls_enabled | Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. | selinux.h |
lgetfilecon
lgetfilecon_raw |
Wrapper for the xattr API - Get file context, and set *con to refer to it. Caller must free via freecon. | selinux.h |
lsetfilecon
lsetfilecon_raw |
Wrapper for the xattr API- Set file context for symbolic link. | selinux.h |
manual_user_enter_context | Allow the user to manually enter a context as a fallback if a list of authorized contexts could not be obtained. Caller must free via freecon. Returns 0 on success or -1 otherwise. | get_context_list.h |
matchmediacon | Match the specified media and against the media contexts configuration and set *con to refer to the resulting context. Caller must free con via freecon. | selinux.h |
matchpathcon | Match the specified pathname and mode against the file context sconfiguration and set *con to refer to the resulting context.'mode' can be 0 to disable mode matching. Caller must free via freecon. If matchpathcon_init has not already been called, then this function will call it upon its first invocation with a NULL path. | selinux.h |
matchpathcon_checkmatches | Check to see whether any specifications had no matches and report them. The 'str' is used as a prefix for any warning messages. | selinux.h |
matchpathcon_filespec_add | Maintain an association between an inode and a specification index, and check whether a conflicting specification is already associated with the same inode (e.g. due to multiple hard links). If so, then use the latter of the two specifications based on their order in the file contexts configuration. Return the used specification index. | selinux.h |
matchpathcon_filespec_destroy | Destroy any inode associations that have been added, e.g. to restart for a new filesystem. | selinux.h |
matchpathcon_filespec_eval | Display statistics on the hash table usage for the associations. | selinux.h |
matchpathcon_fini | Free the memory allocated by matchpathcon_init. | selinux.h |
matchpathcon_index | Same as matchpathcon, but return a specification index for later use in a matchpathcon_filespec_add() call. | selinux.h |
matchpathcon_init | Load the file contexts configuration specified by 'path' into memory for use by subsequent matchpathcon calls. If 'path' is NULL, then load the active file contexts configuration, i.e. the path returned by selinux_file_context_path(). Unless the MATCHPATHCON_BASEONLY flag has been set, this function also checks for a 'path'.homedirs file and a 'path'.local file and loads additional specifications from them if present. | selinux.h |
matchpathcon_init_prefix | Same as matchpathcon_init, but only load entries with regexes that have stems that are prefixes of 'prefix'. | selinux.h |
print_access_vector | Display an access vector in a string representation. | selinux.h |
query_user_context | Given a list of authorized security contexts for the user, query the user to select one and set *newcon to refer to it. Caller must free via freecon. Returns 0 on sucess or -1 otherwise. | get_context_list.h |
rpm_execcon | Execute a helper for rpm in an appropriate security context. | selinux.h |
security_av_perm_to_string | Convert access vector permissions to string names. | selinux.h |
security_av_string | Returns an access vector in a string representation. User must free the returned string via free(). | selinux.h |
security_canonicalize_context
security_canonicalize_context_raw |
Canonicalize a security context. | selinux.h |
security_check_context
security_check_context_raw |
Check the validity of a security context. | selinux.h |
security_class_to_string | Convert security class values to string names. | selinux.h |
security_commit_booleans | Commit the pending values for the booleans. | selinux.h |
security_compute_av
security_compute_av_raw |
Compute an access decision. | selinux.h |
security_compute_av_flags
security_compute_av_flags_raw |
selinux.h | |
security_compute_create
security_compute_create_raw |
Compute a labeling decision and set *newcon to refer to it. Caller must free via freecon. | selinux.h |
security_compute_member
security_compute_member_raw |
Compute a polyinstantiation member decision and set *newcon to refer to it. Caller must free via freecon. | selinux.h |
security_compute_relabel
security_compute_relabel_raw |
Compute a relabeling decision and set *newcon to refer to it. Caller must free via freecon. | selinux.h |
security_compute_user
security_compute_user_raw |
Compute the set of reachable user contexts and set *con to refer to the NULL-terminated array of contexts. Caller must free via freeconary. | selinux.h |
security_deny_unknown | Get the behavior for undefined classes / permissions. | selinux.h |
security_disable | Disable SELinux at runtime (must be done prior to initial policy load). | selinux.h |
security_get_boolean_active | Get the active value for the boolean. | selinux.h |
security_get_boolean_names | Get the boolean names | selinux.h |
security_get_boolean_pending | Get the pending value for the boolean. | selinux.h |
security_get_initial_context
security_get_initial_context_raw |
Get the context of an initial kernel security identifier by name. Caller must free via freecon. | selinux.h |
security_getenforce | Get the enforce flag value. | selinux.h |
security_load_booleans | Load policy boolean settings. Path may be NULL, in which case the booleans are loaded from the active policy boolean configuration file. | selinux.h |
security_load_policy | Load a policy configuration. | selinux.h |
selinux_mkload_policy | Make a policy image and load it. This is a higher level interface for loading policy than security_load_policy. | selinux.h |
security_policyvers | Get the policy version number. | selinux.h |
security_set_boolean | Set the pending value for the boolean. | selinux.h |
security_set_boolean_list | Save a list of booleans in a single transaction. | selinux.h |
security_setenforce | Set the enforce flag value. | selinux.h |
selabel_close | Destroy the specified handle, closing files, freeing allocated memory, etc. The handle may not be further used after it has been closed. | label.h |
selabel_lookup
selabel_lookup_raw |
Perform a labeling lookup operation. Return %0 on success, -%1 with @errno set on failure. The key and type arguments are the inputs to the lookup operation; appropriate values are dictated by the backend in use. The result is returned in the memory pointed to by @con and must be freed by the user with freecon(). | label.h |
selabel_open | Create a labeling handle.
Open a labeling backend for use. The available backend identifiers are: SELABEL_CTX_FILE - file_contexts. SELABEL_CTX_MEDIA - media contexts. SELABEL_CTX_X - x_contexts. SELABEL_CTX_DB - pgsql_contexts. Options may be provided via the opts parameter; available options are: SELABEL_OPT_UNUSED - no-op option, useful for unused slots in an array of options. SELABEL_OPT_VALIDATE - validate contexts before returning them (boolean value). SELABEL_OPT_BASEONLY - don't use local customizations to backend data (boolean value). SELABEL_OPT_PATH - specify an alternate path to use when loading backend data. SELABEL_OPT_SUBSET - select a subset of the search space as an optimization (file backend). Not all options may be supported by every backend. Return value is the created handle on success or NULL with @errno set on failure. |
label.h |
selabel_stats | Log a message with information about the number of queries performed, number of unused matching entries, or other operational statistics. Message is backend-specific, some backends may not output a message. | label.h |
selinux_binary_policy_path | Return path to the binary policy file under the policy root directory. | selinux.h |
selinux_booleans_path | Return path to the booleans file under the policy root directory. | selinux.h |
selinux_check_passwd_access | Check a permission in the passwd class. Return 0 if granted or -1 otherwise. | selinux.h |
selinux_check_securetty_context | Check if the tty_context is defined as a securetty. Return 0 if secure, < 0 otherwise. | selinux.h |
selinux_colors_path | Return path to file under the policy root directory. | selinux.h |
selinux_contexts_path | Return path to contexts directory under the policy root directory. | selinux.h |
selinux_customizable_types_path | Return path to customizable_types file under the policy root directory. | selinux.h |
selinux_default_context_path | Return path to default_context file under the policy root directory. | selinux.h |
selinux_default_type_path | Return path to default type file. | get_default_type.h |
selinux_failsafe_context_path | Return path to failsafe_context file under the policy root directory. | selinux.h |
selinux_file_context_cmp | Compare two file contexts, return 0 if equivalent. | selinux.h |
selinux_file_context_homedir_path | Return path to file under the policy root directory. | selinux.h |
selinux_file_context_local_path | Return path to file under the policy root directory. | selinux.h |
selinux_file_context_path | Return path to file under the policy root directory. | selinux.h |
selinux_file_context_subs_path | Return path to file under the policy root directory. | selinux.h |
selinux_file_context_verify | Verify the context of the file 'path' against policy. Return 0 if correct. | selinux.h |
selinux_getenforcemode | Reads the /etc/selinux/config file and determines whether the machine should be started in enforcing (1), permissive (0) or disabled (-1) mode. | selinux.h |
selinux_getpolicytype | Reads the /etc/selinux/config file and determines what the default policy for the machine is. Calling application must free policytype. | selinux.h |
selinux_homedir_context_path | Return path to file under the policy root directory. | selinux.h |
selinux_init_load_policy | Perform the initial policy load.
This function determines the desired enforcing mode, sets the the *enforce argument accordingly for the caller to use, sets the SELinux kernel enforcing status to match it, and loads the policy. It also internally handles the initial selinuxfs mount required to perform these actions. The function returns 0 if everything including the policy load succeeds. In this case, init is expected to re-exec itself in order to transition to the proper security context. Otherwise, the function returns -1, and init must check *enforce to determine how to proceed. If enforcing (*enforce > 0), then init should halt the system. Otherwise, init may proceed normally without a re-exec. |
selinux.h |
selinux_lsetfilecon_default | This function sets the file context on to the system defaults returns 0 on success. | selinux.h |
selinux_media_context_path | Return path to file under the policy root directory. | selinux.h |
selinux_mkload_policy | Make a policy image and load it.
This function provides a higher level interface for loading policy than security_load_policy, internally determining the right policy version, locating and opening the policy file, mapping it into memory, manipulating it as needed for current boolean settings and/or local definitions, and then calling security_load_policy to load it. 'preservebools' is a boolean flag indicating whether current policy boolean values should be preserved into the new policy (if 1) or reset to the saved policy settings (if 0). The former case is the default for policy reloads, while the latter case is an option for policy reloads but is primarily for the initial policy load. |
selinux.h |
selinux_netfilter_context_path | Returns path to the netfilter_context file under the policy root directory. | selinux.h |
selinux_path | Returns path to the policy root directory. | selinux.h |
selinux_policy_root | Reads the /etc/selinux/config file and returns the top level directory. | selinux.h |
selinux_raw_context_to_color | Perform context translation between security contexts and display colors. Returns a space-separated list of ten ten hex RGB triples prefixed by hash marks, e.g. "#ff0000". Caller must free the resulting string via free(). Returns -1 upon an error or 0 otherwise. | selinux.h |
selinux_raw_to_trans_context | Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon. Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0. | selinux.h |
selinux_removable_context_path | Return path to file under the policy root directory. | selinux.h |
selinux_reset_config | Force a reset of the loaded configuration. Not thread-safe. | selinux.h |
selinux_securetty_types_path | Return path to the securetty_types file under the policy root directory. | selinux.h |
selinux_sepgsql_context_path | Return path to the sepgsql_context file under the policy root directory. | selinux.h |
selinux_set_callback | Sets up a call back for the following events:
SELINUX_CB_LOG - to add additional info to audit log. SELINUX_CB_AUDIT - to add additional audit info when using calls like avc_has_perm that can cause an audit evet to be generated. SELINUX_CB_VALIDATE - to validate a context (used by setfiles for setting contexts on policies that are not active - see setfiles.c). SELINUX_CB_SETENFORCE - to run user defined functions whenever the state changes. SELINUX_CB_POLICYLOAD - to run user defined functions whenever the policy is reloaded. |
selinux.h |
selinux_set_mapping | Userspace class mapping support. | selinux.h |
selinux_trans_to_raw_context | Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon. Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0. | selinux.h |
selinux_translations_path | Return path to setrans.conf file under the policy root directory. | selinux.h |
selinux_user_contexts_path | Return path to file under the policy root directory. | selinux.h |
selinux_users_path | Return path to file under the policy root directory. | selinux.h |
selinux_usersconf_path | Return path to file under the policy root directory. | selinux.h |
selinux_virtual_domain_context_path | Return path to file under the policy root directory. | selinux.h |
selinux_virtual_image_context_path | Return path to file under the policy root directory. | selinux.h |
selinux_x_context_path | Return path to x_context file under the policy root directory. | selinux.h |
set_matchpathcon_canoncon | Same as set_matchpathcon_invalidcon but also allows canonicalization of the context, by changing *context to refer to the canonical form. If not set, and invalidcon is also not set, then this defaults to calling security_canonicalize_context(). | selinux.h |
set_matchpathcon_flags | Set flags controlling operation of matchpathcon_init or matchpathcon:
MATCHPATHCON_BASEONLY - Only process the base file_contexts file. MATCHPATHCON_NOTRANS - Do not perform any context translation. MATCHPATHCON_VALIDATE - Validate/canonicalize contexts at init time. |
selinux.h |
set_matchpathcon_invalidcon | Set the function used by matchpathcon_init when checking the validity of a context in the file_contexts configuration. If not set, then this defaults to a test based on security_check_context(). The function is also responsible for reporting any such error, and may include the 'path' and 'lineno' in such error messages. | selinux.h |
set_matchpathcon_printf | Set the function used by matchpathcon_init when displaying errors about the file_contexts configuration. If not set, then this defaults to fprintf(stderr, fmt, ...). | selinux.h |
set_selinuxmnt | Set the path to the selinuxfs mount point explicitly. Normally, this is determined automatically during libselinux initialization, but this is not always possible, e.g. for /sbin/init which performs the initial mount of selinuxfs. | selinux.h |
setcon
setcon_raw |
Set the current security context to con.
Note that use of this function requires that the entire application be trusted to maintain any desired separation between the old and new security contexts, unlike exec-based transitions performed via setexeccon. When possible, decompose your application and use setexeccon()+execve() instead. Note that the application may lose access to its open descriptors as a result of a setcon() unless policy allows it to use descriptors opened by the old context. |
selinux.h |
setexeccon
setexeccon_raw |
Set exec security context for the next execve. Call with NULL if you want to reset to the default. | selinux.h |
setfilecon
setfilecon_raw |
Wrapper for the xattr API - Set file context. | selinux.h |
setfscreatecon
setfscreatecon_raw |
Set the fscreate security context for subsequent file creations. Call with NULL if you want to reset to the default. | selinux.h |
setkeycreatecon
setkeycreatecon_raw |
Set the keycreate security context for subsequent key creations. Call with NULL if you want to reset to the default. | selinux.h |
setsockcreatecon
setsockcreatecon_raw |
Set the sockcreate security context for subsequent socket creations. Call with NULL if you want to reset to the default. | selinux.h |
sidget (deprecated) | From 2.0.86 this is a no-op. | avc.h |
sidput (deprecated) | From 2.0.86 this is a no-op. | avc.h |
string_to_av_perm | Convert string names to access vector permissions. | selinux.h |
string_to_security_class | Convert string names to security class values. | selinux.h |