Man page - selinux_status_policyload(3)
apt-get install libselinux1-dev
Manual
| selinux_status_open(3) | SELinux API documentation | selinux_status_open(3) |
NAME
selinux_status_open, selinux_status_close, selinux_status_updated, selinux_status_getenforce, selinux_status_policyload and selinux_status_deny_unknown - reference the SELinux kernel status without invocation of system calls
SYNOPSIS
#include <selinux/avc.h>
int selinux_status_open(int fallback);
void selinux_status_close(void);
int selinux_status_updated(void);
int selinux_status_getenforce(void);
int selinux_status_policyload(void);
int selinux_status_deny_unknown(void);
DESCRIPTION
Linux 2.6.37 and later provide a SELinux kernel status page, normally exposed as the /sys/fs/selinux/status entry. Userspace applications can mmap this page read-only and then read certain kernel status information from it without invoking any system call.
A userspace application that performs very frequent access control checks, such as row-level security in a database, would otherwise pay a non-negligible cost communicating with the kernel just to find out whether its userspace AVC has been invalidated.
These functions give applications a way to learn about such kernel events without a system-call invocation or a worker thread dedicated to monitoring.
selinux_status_open() tries to open(2) /sys/fs/selinux/status and mmap(2) it in read-only mode. The file descriptor and the pointer to the page are stored internally; do not touch them directly. Set the fallback argument to 1 to handle older kernels without kernel status page support. In that case this function tries to open a netlink socket using avc_netlink_open(3) and overrides the corresponding callbacks (setenforce and policyload), so you need to pay attention to the interaction with these interfaces when fallback mode is enabled.
selinux_status_close() unmaps the kernel status page and closes its file descriptor, or closes the netlink socket if fallback mode is in use.
selinux_status_updated() processes status update events. There are two kinds of status update: setenforce events change the effective enforcing state used within the AVC, and policyload events result in a cache flush.
This function returns 0 if there have been no updates since the last call, 1 if there have been updates since the last call, or -1 on error.
selinux_status_getenforce() returns 0 if SELinux is running in permissive mode, 1 if it is in enforcing mode, or -1 on error. This is the same as security_getenforce(3), but without a system call invocation.
selinux_status_policyload() returns the number of times the policy has been reloaded on the running system, or -1 on error. Note that in fallback mode this value is not reliable until the first event message has been received via the netlink socket, so do not use this value to learn the actual number of policy reloads.
selinux_status_deny_unknown() returns 0 if SELinux treats policy queries on undefined object classes or permissions as allowed, 1 if such queries are denied, or -1 on error.
Also note that these interfaces are not thread-safe, so when multiple threads use them you have to protect them from concurrent calls with an exclusive lock.
RETURN VALUE
selinux_status_open() returns 0 or 1 on success. 1 means the interfaces are ready to use, but a netlink socket was opened as a fallback instead of the kernel status page. On error, -1 is returned.
Every other function with a return value returns its characteristic value as described above, or -1 on error.
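The mechanism the description above relies on, shown as an added example that is not libselinux's own code: a minimal reader for the kernel status page that takes consistent snapshots of the mapped page and gives the same 0/1/-1 answers as selinux_status_updated(), selinux_status_getenforce(), selinux_status_policyload() and selinux_status_deny_unknown(). The page layout (struct status_page with version, sequence, enforcing, policyload and deny_unknown) is an assumption taken from the kernel's selinux_kernel_status structure, which this man page does not show; the helper names, the retry budget and the constructed fallback page are this example's own. A real program should call the library functions rather than read the page itself; the point here is to show why no system call is needed and why the page cannot simply be read field by field while the kernel may be updating it.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

/* Layout of the kernel status page. ASSUMPTION: modelled on the kernel's
 * struct selinux_kernel_status; the man page itself does not show it.
 * The kernel bumps 'sequence' seqlock-style around every change: it is
 * odd while an update is in progress and even once the fields are stable. */
struct status_page {
    uint32_t version;      /* layout version of this page */
    uint32_t sequence;     /* seqlock counter, odd while the kernel writes */
    uint32_t enforcing;    /* 1 = enforcing, 0 = permissive */
    uint32_t policyload;   /* number of policy loads since boot */
    uint32_t deny_unknown; /* 1 = unknown classes/permissions are denied */
};

#define SNAPSHOT_RETRIES 1000   /* example's own bound, not a kernel value */

/* Copy the page consistently without any system call: read the sequence,
 * copy the fields, re-read the sequence, and retry while the kernel is
 * mid-update (odd) or the counter moved under us. Returns 0 on success,
 * -1 if no consistent read happened within the retry budget. */
static int status_snapshot(const volatile struct status_page *page,
                           struct status_page *out)
{
    for (int tries = 0; tries < SNAPSHOT_RETRIES; tries++) {
        uint32_t seq = page->sequence;
        __atomic_thread_fence(__ATOMIC_ACQUIRE);
        if (seq & 1)
            continue;                     /* writer in progress, try again */
        out->version      = page->version;
        out->enforcing    = page->enforcing;
        out->policyload   = page->policyload;
        out->deny_unknown = page->deny_unknown;
        __atomic_thread_fence(__ATOMIC_ACQUIRE);
        if (page->sequence == seq) {      /* nothing changed while copying */
            out->sequence = seq;
            return 0;
        }
    }
    return -1;
}

/* Same contract as selinux_status_updated(): 1 if the kernel changed the
 * page since the snapshot the caller keeps in *last, 0 if not, -1 on error.
 * On success *last is advanced so the next call compares against it. */
static int status_updated(const volatile struct status_page *page,
                          struct status_page *last)
{
    struct status_page now;
    if (status_snapshot(page, &now) < 0)
        return -1;
    int changed = (now.sequence != last->sequence);
    *last = now;
    return changed;
}

/* Counterparts of the three getters: each is one field of a snapshot. */
static int status_getenforce(const volatile struct status_page *page)
{
    struct status_page s;
    return status_snapshot(page, &s) < 0 ? -1 : (int)(s.enforcing != 0);
}
static int status_policyload(const volatile struct status_page *page)
{
    struct status_page s;
    return status_snapshot(page, &s) < 0 ? -1 : (int)s.policyload;
}
static int status_deny_unknown(const volatile struct status_page *page)
{
    struct status_page s;
    return status_snapshot(page, &s) < 0 ? -1 : (int)(s.deny_unknown != 0);
}

int main(void)
{
    /* Constructed page used when no kernel status page is available (for
     * example inside a container); the values are made up for the demo. */
    struct status_page fake = { 1, 4, 1, 3, 0 };
    const volatile struct status_page *page = &fake;
    long pagesize = sysconf(_SC_PAGESIZE);
    void *map = MAP_FAILED;
    int fd = open("/sys/fs/selinux/status", O_RDONLY);
    if (fd >= 0) {
        map = mmap(NULL, (size_t)pagesize, PROT_READ, MAP_SHARED, fd, 0);
        if (map != MAP_FAILED)
            page = map;
    }
    printf("source: %s\n", map != MAP_FAILED ? "/sys/fs/selinux/status"
                                             : "constructed page");
    struct status_page last;
    if (status_snapshot(page, &last) < 0) {
        fprintf(stderr, "no consistent snapshot\n");
        return 1;
    }
    printf("enforcing=%d policyload=%d deny_unknown=%d\n",
           status_getenforce(page), status_policyload(page),
           status_deny_unknown(page));
    /* A caller would run this before each batch of userspace AVC checks and
     * flush its cache whenever it returns 1. */
    printf("updated since snapshot: %d\n", status_updated(page, &last));

    if (map != MAP_FAILED)
        munmap(map, (size_t)pagesize);
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Only the status-page path is shown; the netlink fallback that selinux_status_open() sets up for older kernels is a separate mechanism and, as the description notes, its policyload count is not trustworthy until the first netlink event arrives.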
SEE ALSO
mmap(2), avc_netlink_open(3), security_getenforce(3), security_deny_unknown(3)
| 22 January 2011 | kaigai@ak.jp.nec.com |