1matchpathcon(3) SE Linux API documentation matchpathcon(3)
2
6 matchpathcon - get the default SELinux security context for the speci‐
7 fied path from the file contexts configuration.
8
11 #include <selinux/selinux.h>
12 int matchpathcon_init(const char *path);
14 int matchpathcon_fini(void);
16 int matchpathcon(const char *path, mode_t mode, security_context_t
18 *con);
19 void set_matchpathcon_printf(void (*f)(const char *fmt, ...));
22 void set_matchpathcon_invalidcon(int (*f)(const char *path, unsigned
24 lineno, char * context));
25 void set_matchpathcon_flags(unsigned int flags);
27
30 matchpathcon_init loads the file contexts configuration specified by
31 path into memory for use by subsequent matchpathcon calls. If path is
32 NULL, then the active file contexts configuration is loaded by default,
33 i.e. the path returned by selinux_file_context_path(3). Unless the
34 MATCHPATHCON_BASEONLY flag has been set via set_matchpathcon_flags,
35 files with the same path prefix but a .homedirs and .local suffix are
36 also looked up and loaded if present. These files provide dynamically
37 generated entries for user home directories and for local customiza‐
38 tions.
39 matchpathcon_fini frees the memory allocated by a prior call to match‐
42 pathcon_init. This function can be used to free and reset the internal
43 state between multiple matchpathcon_init calls, or to free memory when
44 finished using matchpathcon.
45 matchpathcon matches the specified pathname and mode against the file
48 contexts configuration and sets the security context con to refer to
49 the resulting context. The caller must free the returned security con‐
50 text con using freecon when finished using it. mode can be 0 to dis‐
51 able mode matching, but should be provided whenever possible, as it may
52 affect the matching. Only the file format bits (i.e. the file type) of
53 the mode are used. If matchpathcon_init has not already been called,
54 then this function will call it upon its first invocation with a NULL
55 path, defaulting to the active file contexts configuration.
56 set_matchpathcon_printf sets the function used by matchpathcon_init
59 when displaying errors about the file contexts configuration. If not
60 set, then this defaults to fprintf(stderr, fmt, ...). This can be set
61 to redirect error reporting to a different destination.
62 set_matchpathcon_invalidcon sets the function used by matchpathcon_init
65 when checking the validity of a context in the file contexts configura‐
66 tion. If not set, then this defaults to a test based on secu‐
67 rity_check_context(3), which checks validity against the active policy
68 on a SELinux system. This can be set to instead perform checking based
69 on a binary policy file, e.g. using sepol_check_context(3), as is done
70 by setfiles -c. The function is also responsible for reporting any
71 such error, and may include the path and lineno in such error messages.
72 set_matchpathcon_flags sets flags controlling the operation of match‐
75 pathcon_init or matchpathcon. If the MATCHPATHCON_BASEONLY flag is
76 set, then only the base file contexts configuration file will be pro‐
77 cessed, not any dynamically generated entries or local customizations.
78
82 Returns 0 on success or -1 otherwise.
83
86 selinux(8), freecon(3), setfilecon(3), setfscreatecon(3)
87sds@tycho.nsa.gov 16 March 2005 matchpathcon(3)