matchpathcon(3)           SE Linux API documentation           matchpathcon(3)


NAME

       matchpathcon - get the default SELinux security context for the
       specified path from the file contexts configuration.


SYNOPSIS

       #include <selinux/selinux.h>

       int matchpathcon_init(const char *path);

       int matchpathcon_fini(void);

       int matchpathcon(const char *path, mode_t mode, security_context_t *con);

       void set_matchpathcon_printf(void (*f)(const char *fmt, ...));

       void set_matchpathcon_invalidcon(int (*f)(const char *path,
            unsigned lineno, char *context));

       void set_matchpathcon_flags(unsigned int flags);


DESCRIPTION

       matchpathcon_init loads the file contexts configuration specified by
       path into memory for use by subsequent matchpathcon calls.  If path is
       NULL, then the active file contexts configuration is loaded by default,
       i.e. the path returned by selinux_file_context_path(3).  Unless the
       MATCHPATHCON_BASEONLY flag has been set via set_matchpathcon_flags,
       files with the same path prefix but a .homedirs and .local suffix are
       also looked up and loaded if present.  These files provide dynamically
       generated entries for user home directories and for local
       customizations.

       matchpathcon_fini frees the memory allocated by a prior call to
       matchpathcon_init.  This function can be used to free and reset the
       internal state between multiple matchpathcon_init calls, or to free
       memory when finished using matchpathcon.

       matchpathcon matches the specified pathname and mode against the file
       contexts configuration and sets the security context con to refer to
       the resulting context.  The caller must free the returned security
       context con using freecon when finished using it.  mode can be 0 to
       disable mode matching, but should be provided whenever possible, as it
       may affect the matching.  Only the file format bits (i.e. the file
       type) of the mode are used.  If matchpathcon_init has not already been
       called, then this function will call it upon its first invocation with
       a NULL path, defaulting to the active file contexts configuration.

       set_matchpathcon_printf sets the function used by matchpathcon_init
       when displaying errors about the file contexts configuration.  If not
       set, then this defaults to fprintf(stderr, fmt, ...).  This can be set
       to redirect error reporting to a different destination.

       set_matchpathcon_invalidcon sets the function used by matchpathcon_init
       when checking the validity of a context in the file contexts
       configuration.  If not set, then this defaults to a test based on
       security_check_context(3), which checks validity against the active
       policy on a SELinux system.  This can be set to instead perform
       checking based on a binary policy file, e.g. using
       sepol_check_context(3), as is done by setfiles -c.  The function is
       also responsible for reporting any such error, and may include the
       path and lineno in such error messages.

       set_matchpathcon_flags sets flags controlling the operation of
       matchpathcon_init or matchpathcon.  If the MATCHPATHCON_BASEONLY flag
       is set, then only the base file contexts configuration file will be
       processed, not any dynamically generated entries or local
       customizations.


RETURN VALUE

       Returns 0 on success or -1 otherwise.


SEE ALSO

       selinux(8), freecon(3), setfilecon(3), setfscreatecon(3)


sds@tycho.nsa.gov                16 March 2005                 matchpathcon(3)