1selinux_set_mapping(3) SELinux API documentation selinux_set_mapping(3)
2
3
4
6 selinux_set_mapping - establish dynamic object class and permission
7 mapping.
8
10 #include <selinux/selinux.h>
11
12 struct security_class_mapping {
13 const char *name;
14 const char *perms[];
15 };
16
17 int selinux_set_mapping(struct security_class_mapping *map);
18
19
21 selinux_set_mapping establishes a mapping from a user-provided ordering
22 of object classes and permissions to the numbers actually used by the
23 loaded system policy. Use of this function is highly preferred over
24 the generated constants in the libselinux header files, as this method
25 allows the policy's class and permission values to change over time.
26
27 After the mapping is established, all libselinux functions that operate
28 on class and permission values take the user-provided numbers, which
29 are determined as follows:
30
31 The map argument consists of an array of security_class_mapping struc‐
32 tures, which must be terminated by a structure having a NULL name
33 field. Except for this last structure, the name field should refer to
34 the string name of an object class, and the corresponding perms field
35 should refer to an array of permission bit names terminated by a NULL
36 string.
37
38 The object classes named in the mapping and the bit indexes of each set
39 of permission bits named in the mapping are numbered in order starting
40 from 1. These numbers are the values that should be passed to subse‐
41 quent libselinux calls.
42
43
45 Zero is returned on success. On error, -1 is returned and errno is set
46 appropriately.
47
48
50 EINVAL One of the class or permission names requested in the mapping is
51 not present in the loaded policy.
52
53 ENOMEM An attempt to allocate memory failed.
54
55
57 struct security_class_mapping map[] = {
58 { "file", { "create", "unlink", "read", "write", NULL } },
59 { "socket", { "bind", NULL } },
60 { "process", { "signal", NULL } },
61 { NULL }
62 };
63
64 if (selinux_set_mapping(map) < 0)
65 exit(1);
66
67 In this example, after the call has succeeded, classes file, socket,
68 and process will be identified by 1, 2 and 3, respectively. Permis‐
69 sions create, unlink, read, and write (for the file class) will be
70 identified by 1, 2, 4, and 8 respectively. Classes and permissions not
71 listed in the mapping cannot be used.
72
73
75 Eamon Walsh <ewalsh@tycho.nsa.gov>
76
77
79 avc_open(8), selinux(8)
80
81
82
83 12 Jun 2008 selinux_set_mapping(3)