1avc_open(3)                SELinux API documentation               avc_open(3)
2
3
4

NAME

6       avc_open,  avc_destroy,  avc_reset, avc_cleanup - userspace SELinux AVC
7       setup and teardown
8

SYNOPSIS

10       #include <selinux/selinux.h>
11       #include <selinux/avc.h>
12
13       int avc_open(struct selinux_opt *options, unsigned nopt);
14
15       void avc_destroy(void);
16
17       int avc_reset(void);
18
19       void avc_cleanup(void);
20

DESCRIPTION

22       avc_open() initializes the userspace AVC and must be called before  any
23       other AVC operation can be performed.
24
25       avc_destroy()  destroys  the userspace AVC, freeing all internal memory
26       structures.  After this call has been made, avc_open() must  be  called
27       again  before  any AVC operations can be performed.  avc_destroy() also
28       closes the SELinux status page, which might have been  opened  manually
29       by selinux_status_open(3).
30
31       avc_reset()  flushes the userspace AVC, causing it to forget any cached
32       access decisions.  The userspace AVC normally calls this function auto‐
33       matically when needed, see NETLINK NOTIFICATION below.
34
35       avc_cleanup()  attempts to free unused memory within the userspace AVC,
36       but does not flush any cached access decisions.   Under  normal  opera‐
37       tion, calling this function should not be necessary.
38

OPTIONS

40       The  userspace  AVC obeys callbacks set via selinux_set_callback(3), in
41       particular the logging and audit callbacks.
42
43       The options which may be passed to avc_open() include the following:
44
45       AVC_OPT_SETENFORCE
46              This option forces the userspace AVC into enforcing mode if  the
47              option value is non-NULL; permissive mode otherwise.  The system
48              enforcing mode will be ignored.
49

KERNEL STATUS PAGE

51       Linux kernel version 2.6.37 supports the SELinux  kernel  status  page,
52       enabling  userspace  applications  to  mmap(2)  SELinux status state in
53       read-only mode to avoid system calls during the cache hit code path.
54
55       avc_open() calls selinux_status_open(3) to initialize the selinux  sta‐
56       tus state.
57
58       avc_has_perm(3)  and  selinux_check_access(3) both check for status up‐
59       dates through calls to selinux_status_updated(3) at the start  of  each
60       permission query and take the appropriate action.
61
62       Two  status  types  are  currently implemented.  setenforce events will
63       change the effective enforcing state used within the AVC,  and  policy‐
64       load events will result in a cache flush.
65

67       In the event that the kernel status page is not successfully mmap(2)'ed
68       the AVC will default to the netlink fallback mechanism, which  opens  a
69       netlink socket for receiving status updates.  setenforce and policyload
70       events will have the same results as for the  status  page  implementa‐
71       tion, but all status update checks will now require a system call.
72

RETURN VALUE

74       Functions  with a return value return zero on success.  On error, -1 is
75       returned and errno is set appropriately.
76

AUTHOR

78       Eamon Walsh <ewalsh@tycho.nsa.gov>
79

SEE ALSO

81       selinux(8),    selinux_check_access(3),    avc_has_perm(3),    avc_con‐
82       text_to_sid(3),  avc_cache_stats(3),  avc_add_callback(3), selinux_sta‐
83       tus_open(3), selinux_status_updated(3), selinux_set_callback(3),  secu‐
84       rity_compute_av(3)
85
86
87
88                                  12 Jun 2008                      avc_open(3)
Impressum