1avc_open(3)                SELinux API documentation               avc_open(3)
2
3
4

NAME

6       avc_open,  avc_destroy,  avc_reset, avc_cleanup - userspace SELinux AVC
7       setup and teardown
8

SYNOPSIS

10       #include <selinux/selinux.h>
11       #include <selinux/avc.h>
12
13       int avc_open(struct selinux_opt *options, unsigned nopt);
14
15       void avc_destroy(void);
16
17       int avc_reset(void);
18
19       void avc_cleanup(void);
20

DESCRIPTION

22       avc_open() initializes the userspace AVC and must be called before  any
23       other AVC operation can be performed.
24
25       avc_destroy()  destroys  the userspace AVC, freeing all internal memory
26       structures.  After this call has been made, avc_open() must  be  called
27       again before any AVC operations can be performed.
28
29       avc_reset()  flushes the userspace AVC, causing it to forget any cached
30       access decisions.  The userspace AVC normally calls this function auto‐
31       matically when needed, see NETLINK NOTIFICATION below.
32
33       avc_cleanup()  attempts to free unused memory within the userspace AVC,
34       but does not flush any cached access decisions.   Under  normal  opera‐
35       tion, calling this function should not be necessary.
36

OPTIONS

38       The  userspace  AVC obeys callbacks set via selinux_set_callback(3), in
39       particular the logging and audit callbacks.
40
41       The options which may be passed to avc_open() include the following:
42
43       AVC_OPT_SETENFORCE
44              This option forces the userspace AVC into enforcing mode if  the
45              option value is non-NULL; permissive mode otherwise.  The system
46              enforcing mode will be ignored.
47

KERNEL STATUS PAGE

49       Linux kernel version 2.6.37 supports the SELinux  kernel  status  page,
50       enabling  userspace  applications  to  mmap(2)  SELinux status state in
51       read-only mode to avoid system calls during the cache hit code path.
52
53       avc_open() calls selinux_status_open(3) to initialize the selinux  sta‐
54       tus state.
55
56       avc_has_perm(3)  and  selinux_check_access(3) both check for status up‐
57       dates through calls to selinux_status_updated(3) at the start  of  each
58       permission query and take the appropriate action.
59
60       Two  status  types  are  currently implemented.  setenforce events will
61       change the effective enforcing state used within the AVC,  and  policy‐
62       load events will result in a cache flush.
63
65       In the event that the kernel status page is not successfully mmap(2)'ed
66       the AVC will default to the netlink fallback mechanism, which  opens  a
67       netlink socket for receiving status updates.  setenforce and policyload
68       events will have the same results as for the  status  page  implementa‐
69       tion, but all status update checks will now require a system call.
70

RETURN VALUE

72       Functions  with a return value return zero on success.  On error, -1 is
73       returned and errno is set appropriately.
74

AUTHOR

76       Eamon Walsh <ewalsh@tycho.nsa.gov>
77

SEE ALSO

79       selinux(8),    selinux_check_access(3),    avc_has_perm(3),    avc_con‐
80       text_to_sid(3),  avc_cache_stats(3),  avc_add_callback(3), selinux_sta‐
81       tus_open(3), selinux_status_updated(3), selinux_set_callback(3),  secu‐
82       rity_compute_av(3)
83
84
85
86                                  12 Jun 2008                      avc_open(3)
Impressum