selinux_set_mapping(3)     SELinux API documentation    selinux_set_mapping(3)

NAME

       selinux_set_mapping - establish dynamic object class and permission
       mapping

SYNOPSIS

       #include <selinux/selinux.h>

       struct security_class_mapping {
            const char *name;
            const char *perms[];
       };

       int selinux_set_mapping(struct security_class_mapping *map);

DESCRIPTION

       selinux_set_mapping() establishes a mapping from a user-provided
       ordering of object classes and permissions to the numbers actually
       used by the loaded system policy.  Use of this function is highly
       preferred over the generated constants in the libselinux header
       files, as this method allows the policy's class and permission values
       to change over time.

       After the mapping is established, all libselinux functions that operate
       on class and permission values take the user-provided numbers, which
       are determined as follows:

       The map argument consists of an array of security_class_mapping
       structures, which must be terminated by a structure having a NULL name
       field.  Except for this last structure, the name field should refer to
       the string name of an object class, and the corresponding perms field
       should refer to an array of permission bit names terminated by a NULL
       string.

       The object classes named in the mapping and the bit indexes of each set
       of permission bits named in the mapping are numbered in order starting
       from 1.  These numbers are the values that should be passed to
       subsequent libselinux calls.

RETURN VALUE

       Zero is returned on success.  On error, -1 is returned and errno is set
       appropriately.

ERRORS

       EINVAL One of the class or permission names requested in the mapping is
              not present in the loaded policy.

       ENOMEM An attempt to allocate memory failed.

EXAMPLE

              struct security_class_mapping map[] = {
                  { "file", { "create", "unlink", "read", "write", NULL } },
                  { "socket", { "bind", NULL } },
                  { "process", { "signal", NULL } },
                  { NULL }
              };

              if (selinux_set_mapping(map) < 0)
                  exit(1);

       In this example, after the call has succeeded, classes file, socket,
       and process will be identified by 1, 2 and 3, respectively.
       Permissions create, unlink, read, and write (for the file class) will
       be identified by 1, 2, 4, and 8 respectively.  Classes and permissions
       not listed in the mapping cannot be used.
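
       The numbering above can be derived from the table itself rather than
       from hand-maintained constants.  The following is an added example, not
       part of the original page or of libselinux: struct class_map,
       MAX_PERMS, mapped_class() and mapped_perm() are hypothetical names, and
       the struct is a local stand-in (assumed layout) so that the code builds
       without the library.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PERMS 32 /* assumption: an access vector holds 32 permission bits */

/* Stand-in for struct security_class_mapping (assumed layout) so the
 * example builds without libselinux installed. */
struct class_map {
    const char *name;
    const char *perms[MAX_PERMS + 1];
};

/* Constructed sample: the same table as in EXAMPLE above. */
static const struct class_map sample_map[] = {
    { "file", { "create", "unlink", "read", "write", NULL } },
    { "socket", { "bind", NULL } },
    { "process", { "signal", NULL } },
    { NULL, { NULL } }
};

/* Mapped class number: 1-based position in the table, 0 if not listed. */
unsigned short mapped_class(const struct class_map *map, const char *name)
{
    for (size_t i = 0; map[i].name != NULL; i++)
        if (strcmp(map[i].name, name) == 0)
            return (unsigned short)(i + 1);
    return 0;
}

/* Mapped permission value: bit 0 for the first name listed, bit 1 for the
 * second, and so on (1, 2, 4, 8, ...). Returns 0 if the class or permission
 * is not in the table; callers should treat 0 as an error and deny. */
unsigned int mapped_perm(const struct class_map *map, const char *cls,
                         const char *perm)
{
    unsigned short c = mapped_class(map, cls);
    if (c == 0)
        return 0;
    for (unsigned int bit = 0; bit < MAX_PERMS && map[c - 1].perms[bit]; bit++)
        if (strcmp(map[c - 1].perms[bit], perm) == 0)
            return 1u << bit;
    return 0;
}

int main(void)
{
    printf("file:write=%u\n", mapped_perm(sample_map, "file", "write"));
    return 0;
}
```

       Looking values up by name from the same table that is passed to
       selinux_set_mapping() keeps the numbers in step when entries are added
       or reordered.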

AUTHOR

       Eamon Walsh <ewalsh@tycho.nsa.gov>

SEE ALSO

       avc_open(8), selinux(8)

                                  12 Jun 2008           selinux_set_mapping(3)