selinux_set_mapping(3)     SELinux API documentation    selinux_set_mapping(3)

NAME

       selinux_set_mapping - establish dynamic object class and permission
       mapping.

SYNOPSIS

       #include <selinux/selinux.h>

       struct security_class_mapping {
            const char *name;
            const char *perms[];
       };

       int selinux_set_mapping(struct security_class_mapping *map);

DESCRIPTION

       selinux_set_mapping establishes a mapping from a user-provided ordering
       of object classes and permissions to the numbers actually used by the
       loaded system policy.  Use of this function is highly preferred over
       the generated constants in the libselinux header files, as this method
       allows the policy's class and permission values to change over time.

       After the mapping is established, all libselinux functions that operate
       on class and permission values take the user-provided numbers, which
       are determined as follows:

       The map argument consists of an array of security_class_mapping
       structures, which must be terminated by a structure having a NULL name
       field.  Except for this last structure, the name field should refer to
       the string name of an object class, and the corresponding perms field
       should refer to an array of permission bit names terminated by a NULL
       string.

       The object classes named in the mapping and the bit indexes of each set
       of permission bits named in the mapping are numbered in order starting
       from 1.  These numbers are the values that should be passed to
       subsequent libselinux calls.

RETURN VALUE

       Zero is returned on success.  On error, -1 is returned and errno is set
       appropriately.

ERRORS

       EINVAL One of the class or permission names requested in the mapping is
              not present in the loaded policy.

       ENOMEM An attempt to allocate memory failed.

EXAMPLE

              struct security_class_mapping map[] = {
                  { "file", { "create", "unlink", "read", "write", NULL } },
                  { "socket", { "bind", NULL } },
                  { "process", { "signal", NULL } },
                  { NULL }
              };

              if (selinux_set_mapping(map) < 0)
                  exit(1);
       In this example, after the call has succeeded, classes file, socket,
       and process will be identified by 1, 2 and 3, respectively.
       Permissions create, unlink, read, and write (for the file class) will
       be identified by 1, 2, 4, and 8 respectively.  Classes and permissions
       not listed in the mapping cannot be used.
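       The numbering rule described above, worked through as an added example
       that is not part of the original man page or of libselinux.  It does
       not call libselinux: struct class_map, MAX_PERMS, map_class and
       map_perm are hypothetical names, and the table uses a fixed-size perms
       array (an assumption) so that it compiles on its own.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-in for the mapping table (assumption: 32 bits + NULL terminator). */
#define MAX_PERMS 33
struct class_map { const char *name; const char *perms[MAX_PERMS]; };

/* Same table as in the EXAMPLE section above. */
static const struct class_map example_map[] = {
    { "file",    { "create", "unlink", "read", "write", NULL } },
    { "socket",  { "bind", NULL } },
    { "process", { "signal", NULL } },
    { NULL }
};

/* Class number: position in the table counted from 1; 0 if not listed. */
unsigned short map_class(const struct class_map *map, const char *name)
{
    for (unsigned short i = 0; map[i].name != NULL; i++)
        if (strcmp(map[i].name, name) == 0)
            return (unsigned short)(i + 1);
    return 0;
}

/* Permission value: bit index counted from 1, so index n is 1 << (n - 1).
 * Returns 0 if the class or the permission is not listed in the table. */
unsigned int map_perm(const struct class_map *map, const char *cls, const char *perm)
{
    unsigned short c = map_class(map, cls);
    if (c == 0)
        return 0;
    const char *const *p = map[c - 1].perms;
    for (unsigned int bit = 0; bit < MAX_PERMS - 1 && p[bit] != NULL; bit++)
        if (strcmp(p[bit], perm) == 0)
            return 1u << bit;
    return 0;
}

int main(void)
{
    printf("class file = %d\n", map_class(example_map, "file"));
    printf("file read|write = %u\n", map_perm(example_map, "file", "read") |
                                     map_perm(example_map, "file", "write"));
    printf("file execute (unlisted) = %u\n", map_perm(example_map, "file", "execute"));
    return 0;
}
```

       Deriving the values from the same table that is passed to
       selinux_set_mapping keeps callers from hard-coding numbers that
       silently change when an entry is inserted or reordered.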

AUTHOR

       Eamon Walsh <ewalsh@tycho.nsa.gov>

SEE ALSO

       avc_open(8), selinux(8)

                                  12 Jun 2008           selinux_set_mapping(3)