1security_getenforce(3)     SELinux API documentation    security_getenforce(3)
2
3
4

NAME

6       security_getenforce,  security_setenforce, security_deny_unknown, secu‐
7       rity_reject_unknown, security_get_checkreqprot - get or set the enforc‐
8       ing state of SELinux
9

SYNOPSIS

11       #include <selinux/selinux.h>
12
13       int security_getenforce(void);
14
15       int security_setenforce(int value);
16
17       int security_deny_unknown(void);
18
19       int security_reject_unknown(void);
20
21       int security_get_checkreqprot(void);
22

DESCRIPTION

24       security_getenforce()  returns  0  if  SELinux is running in permissive
25       mode, 1 if it is running in enforcing mode, and -1 on error.
26
27       security_setenforce() sets SELinux to enforcing mode if the value 1  is
28       passed  in,  and sets it to permissive mode if 0 is passed in.  On suc‐
29       cess 0 is returned, on error -1 is returned.
30
31       security_deny_unknown() returns 0 if SELinux treats policy  queries  on
32       undefined  object  classes  or  permissions as being allowed, 1 if such
33       queries are denied, and -1 on error.
34
35       security_reject_unknown() returns 1 if the  current  policy  was  built
36       with  handle-unknown=reject  and SELinux would reject loading it, if it
37       did not define all kernel  object  classes  and  permissions.  In  this
38       state,  when  selinux_set_mapping() and selinux_check_access() are used
39       with an undefined userspace class or permission, an error  is  returned
40       and errno is set to EINVAL.
41
42       It  returns 0 if the current policy was built with handle-unknown=allow
43       or handle-unknown=deny. In  this  state,  policy  queries  are  treated
44       according to security_deny_unknown().  -1 is returned on error.
45
46       security_get_checkreqprot() can be used to determine whether SELinux is
47       configured to check the protection requested by the application or  the
48       actual  protection  that  will  be applied by the kernel (including the
49       effects of READ_IMPLIES_EXEC) on mmap and mprotect calls.  It returns 0
50       if  SELinux  checks the actual protection, 1 if it checks the requested
51       protection, and -1 on error.
52

SEE ALSO

54       selinux(8)
55
56
57
58russell@coker.com.au            1 January 2004          security_getenforce(3)
Impressum