1security_compute_av(3)     SELinux API documentation    security_compute_av(3)
2
3
4

NAME

6       security_compute_av,  security_compute_av_flags,  security_compute_cre‐
7       ate, security_compute_relabel,  security_compute_member,  security_com‐
8       pute_user,  security_get_initial_context  -  query  the  SELinux policy
9       database in the kernel.
10
11

SYNOPSIS

13       #include <selinux/selinux.h>
14
15       #include <selinux/flask.h>
16
17       int  security_compute_av(security_context_t  scon,   security_context_t
18       tcon,   security_class_t   tclass,  access_vector_t  requested,  struct
19       av_decision *avd);
20
21       int  security_compute_av_flags(security_context_t  scon,  security_con‐
22       text_t tcon, security_class_t tclass, access_vector_t requested, struct
23       av_decision *avd);
24
25       int security_compute_create(security_context_t scon, security_context_t
26       tcon, security_class_t tclass, security_context_t *newcon);
27
28       int   security_compute_relabel(security_context_t  scon,  security_con‐
29       text_t tcon, security_class_t tclass, security_context_t *newcon);
30
31       int security_compute_member(security_context_t scon, security_context_t
32       tcon, security_class_t tclass, security_context_t *newcon);
33
34       int  security_compute_user(security_context_t  scon,  const char *user‐
35       name, security_context_t **con);
36
37       int security_get_initial_context(const char  *name,  security_context_t
38       *con);
39
40       int selinux_check_passwd_access(access_vector_t requested);
41
42       int checkPasswdAccess(access_vector_t requested);
43
44

DESCRIPTION

46       security_compute_av  queries whether the policy permits the source con‐
47       text scon to access the target context tcon via class tclass  with  the
48       requested access vector.  The decision is returned in avd.
49
50       security_compute_av_flags is identical to security_compute_av but addi‐
51       tionally sets the flags field of avd.  Currently one flag is supported:
52       SELINUX_AVD_FLAGS_PERMISSIVE,  which indicates the decision is computed
53       on a permissive domain.
54
55       security_compute_create is used to compute a context to use for  label‐
56       ing a new object in a particular class based on a SID pair.
57
58       security_compute_relabel is used to compute the new context to use when
59       relabeling an object, it is used in the pam_selinux.so source  and  the
60       newrole  source  to  determine  the  correct label for the tty at login
61       time, but can be used for other things.
62
63       security_compute_member is used to compute  the  context  to  use  when
64       labeling a polyinstantiated object instance.
65
66       security_compute_user  is  used  to  determine the set of user contexts
67       that can be reached from  a  source  context.  It  is  mainly  used  by
68       get_ordered_context_list.
69
70       security_get_initial_context  is  used  to  get the context of a kernel
71       initial security identifier specified by name
72
73       selinux_check_passwd_access is used to check for a  permission  in  the
74       passwd  class.   selinux_check_passwd_access  uses getprevcon() for the
75       source and target security contexts.
76
77       checkPasswdAccess     is     a     deprecated     alias     of      the
78       selinux_check_passwd_access function.
79
80

RETURN VALUE

82       Returns zero on success or -1 on error.
83
84

SEE ALSO

86       selinux(8), getcon(3), getfilecon(3), get_ordered_context_list(3)
87
88
89
90russell@coker.com.au            1 January 2004          security_compute_av(3)
Impressum