selinux.h source code [include/selinux/selinux.h]

1	#ifndef _SELINUX_H_
2	#define _SELINUX_H_
3
4	#include <stdint.h>
5	#include <sys/types.h>
6	#include <stdarg.h>
7	#include <asm/bitsperlong.h>
8
9	#ifdef __cplusplus
10	extern "C" {
11	#endif
12
13	/ Return 1 if we are running on a SELinux kernel, or 0 otherwise. /
14	extern int is_selinux_enabled(void);
15	/ Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. /
16	extern int is_selinux_mls_enabled(void);
17
18	/ No longer used; here for compatibility with legacy callers. /
19	typedef char *security_context_t
20	#ifdef __GNUC__
21	__attribute__ ((deprecated))
22	#endif
23	;
24
25	/ Free the memory allocated for a context by any of the below get* calls. /
26	extern void freecon(char * con);
27
28	/ Free the memory allocated for a context array by security_compute_user. /
29	extern void freeconary(char ** con);
30
31	/ Wrappers for the /proc/pid/attr API. /
32
33	/ Get current context, and set con to refer to it.
34	Caller must free via freecon. /*
35	extern int getcon(char ** con);
36	extern int getcon_raw(char ** con);
37
38	/ Set the current security context to con.*
39	Note that use of this function requires that the entire application
40	be trusted to maintain any desired separation between the old and new
41	security contexts, unlike exec-based transitions performed via setexeccon.
42	When possible, decompose your application and use setexeccon()+execve()
43	instead. Note that the application may lose access to its open descriptors
44	as a result of a setcon() unless policy allows it to use descriptors opened
45	by the old context. /*
46	extern int setcon(const char * con);
47	extern int setcon_raw(const char * con);
48
49	/ Get context of process identified by pid, and*
50	set con to refer to it. Caller must free via freecon. /
51	extern int getpidcon(pid_t pid, char ** con);
52	extern int getpidcon_raw(pid_t pid, char ** con);
53
54	/ Get previous context (prior to last exec), and set con to refer to it.
55	Caller must free via freecon. /*
56	extern int getprevcon(char ** con);
57	extern int getprevcon_raw(char ** con);
58
59	/ Get previous context (prior to last exec) of process identified by pid, and*
60	set con to refer to it. Caller must free via freecon. /
61	extern int getpidprevcon(pid_t pid, char ** con);
62	extern int getpidprevcon_raw(pid_t pid, char ** con);
63
64	/ Get exec context, and set con to refer to it.
65	Sets con to NULL if no exec context has been set, i.e. using default.*
66	If non-NULL, caller must free via freecon. /*
67	extern int getexeccon(char ** con);
68	extern int getexeccon_raw(char ** con);
69
70	/ Set exec security context for the next execve.*
71	Call with NULL if you want to reset to the default. /*
72	extern int setexeccon(const char * con);
73	extern int setexeccon_raw(const char * con);
74
75	/ Get fscreate context, and set con to refer to it.
76	Sets con to NULL if no fs create context has been set, i.e. using default.*
77	If non-NULL, caller must free via freecon. /*
78	extern int getfscreatecon(char ** con);
79	extern int getfscreatecon_raw(char ** con);
80
81	/ Set the fscreate security context for subsequent file creations.*
82	Call with NULL if you want to reset to the default. /*
83	extern int setfscreatecon(const char * context);
84	extern int setfscreatecon_raw(const char * context);
85
86	/ Get keycreate context, and set con to refer to it.
87	Sets con to NULL if no key create context has been set, i.e. using default.*
88	If non-NULL, caller must free via freecon. /*
89	extern int getkeycreatecon(char ** con);
90	extern int getkeycreatecon_raw(char ** con);
91
92	/ Set the keycreate security context for subsequent key creations.*
93	Call with NULL if you want to reset to the default. /*
94	extern int setkeycreatecon(const char * context);
95	extern int setkeycreatecon_raw(const char * context);
96
97	/ Get sockcreate context, and set con to refer to it.
98	Sets con to NULL if no socket create context has been set, i.e. using default.*
99	If non-NULL, caller must free via freecon. /*
100	extern int getsockcreatecon(char ** con);
101	extern int getsockcreatecon_raw(char ** con);
102
103	/ Set the sockcreate security context for subsequent socket creations.*
104	Call with NULL if you want to reset to the default. /*
105	extern int setsockcreatecon(const char * context);
106	extern int setsockcreatecon_raw(const char * context);
107
108	/ Wrappers for the xattr API. /
109
110	/ Get file context, and set con to refer to it.
111	Caller must free via freecon. /*
112	extern int getfilecon(const char path, char* ** con);
113	extern int getfilecon_raw(const char path, char* ** con);
114	extern int lgetfilecon(const char path, char* ** con);
115	extern int lgetfilecon_raw(const char path, char* ** con);
116	extern int fgetfilecon(int fd, char ** con);
117	extern int fgetfilecon_raw(int fd, char ** con);
118
119	/ Set file context /
120	extern int setfilecon(const char path, const* char * con);
121	extern int setfilecon_raw(const char path, const* char * con);
122	extern int lsetfilecon(const char path, const* char * con);
123	extern int lsetfilecon_raw(const char path, const* char * con);
124	extern int fsetfilecon(int fd, const char * con);
125	extern int fsetfilecon_raw(int fd, const char * con);
126
127	/ Wrappers for the socket API /
128
129	/ Get context of peer socket, and set con to refer to it.
130	Caller must free via freecon. /*
131	extern int getpeercon(int fd, char ** con);
132	extern int getpeercon_raw(int fd, char ** con);
133
134	/ Wrappers for the selinuxfs (policy) API. /
135
136	typedef unsigned int access_vector_t;
137	typedef unsigned short security_class_t;
138
139	struct av_decision {
140	access_vector_t allowed;
141	access_vector_t decided;
142	access_vector_t auditallow;
143	access_vector_t auditdeny;
144	unsigned int seqno;
145	unsigned int flags;
146	};
147
148	/ Definitions of av_decision.flags /
149	#define SELINUX_AVD_FLAGS_PERMISSIVE 0x0001
150
151	/ Structure for passing options, used by AVC and label subsystems /
152	struct selinux_opt {
153	int type;
154	const char *value;
155	};
156
157	/ Callback facilities /
158	union selinux_callback {
159	/ log the printf-style format and arguments,*
160	with the type code indicating the type of message /*
161	int
162	#ifdef __GNUC__
163	__attribute__ ((format(printf, `2`, `3`)))
164	#endif
165	(func_log) (int* type, const char *fmt, ...);
166	/ store a string representation of auditdata (corresponding*
167	to the given security class) into msgbuf. /*
168	int (func_audit) (void* *auditdata, security_class_t cls,
169	char *msgbuf, size_t msgbufsize);
170	/ validate the supplied context, modifying if necessary /
171	int (func_validate) (char* **ctx);
172	/ netlink callback for setenforce message /
173	int (func_setenforce) (int* enforcing);
174	/ netlink callback for policyload message /
175	int (func_policyload) (int* seqno);
176	};
177
178	#define SELINUX_CB_LOG 0
179	#define SELINUX_CB_AUDIT 1
180	#define SELINUX_CB_VALIDATE 2
181	#define SELINUX_CB_SETENFORCE 3
182	#define SELINUX_CB_POLICYLOAD 4
183
184	extern union selinux_callback selinux_get_callback(int type);
185	extern void selinux_set_callback(int type, union selinux_callback cb);
186
187	/ Logging type codes, passed to the logging callback /
188	#define SELINUX_ERROR 0
189	#define SELINUX_WARNING 1
190	#define SELINUX_INFO 2
191	#define SELINUX_AVC 3
192	#define SELINUX_POLICYLOAD 4
193	#define SELINUX_SETENFORCE 5
194	#define SELINUX_TRANS_DIR "/var/run/setrans"
195
196	/ Compute an access decision. /
197	extern int security_compute_av(const char * scon,
198	const char * tcon,
199	security_class_t tclass,
200	access_vector_t requested,
201	struct av_decision *avd);
202	extern int security_compute_av_raw(const char * scon,
203	const char * tcon,
204	security_class_t tclass,
205	access_vector_t requested,
206	struct av_decision *avd);
207
208	extern int security_compute_av_flags(const char * scon,
209	const char * tcon,
210	security_class_t tclass,
211	access_vector_t requested,
212	struct av_decision *avd);
213	extern int security_compute_av_flags_raw(const char * scon,
214	const char * tcon,
215	security_class_t tclass,
216	access_vector_t requested,
217	struct av_decision *avd);
218
219	/ Compute a labeling decision and set newcon to refer to it.
220	Caller must free via freecon. /*
221	extern int security_compute_create(const char * scon,
222	const char * tcon,
223	security_class_t tclass,
224	char ** newcon);
225	extern int security_compute_create_raw(const char * scon,
226	const char * tcon,
227	security_class_t tclass,
228	char ** newcon);
229	extern int security_compute_create_name(const char * scon,
230	const char * tcon,
231	security_class_t tclass,
232	const char *objname,
233	char ** newcon);
234	extern int security_compute_create_name_raw(const char * scon,
235	const char * tcon,
236	security_class_t tclass,
237	const char *objname,
238	char ** newcon);
239
240	/ Compute a relabeling decision and set newcon to refer to it.
241	Caller must free via freecon. /*
242	extern int security_compute_relabel(const char * scon,
243	const char * tcon,
244	security_class_t tclass,
245	char ** newcon);
246	extern int security_compute_relabel_raw(const char * scon,
247	const char * tcon,
248	security_class_t tclass,
249	char ** newcon);
250
251	/ Compute a polyinstantiation member decision and set newcon to refer to it.
252	Caller must free via freecon. /*
253	extern int security_compute_member(const char * scon,
254	const char * tcon,
255	security_class_t tclass,
256	char ** newcon);
257	extern int security_compute_member_raw(const char * scon,
258	const char * tcon,
259	security_class_t tclass,
260	char ** newcon);
261
262	/*
263	* Compute the set of reachable user contexts and set *con to refer to
264	* the NULL-terminated array of contexts. Caller must free via freeconary.
265	* These interfaces are deprecated. Use get_ordered_context_list() or
266	* one of its variant interfaces instead.
267	*/
268	extern int security_compute_user(const char * scon,
269	const char *username,
270	char *** con);
271	extern int security_compute_user_raw(const char * scon,
272	const char *username,
273	char *** con);
274
275	/ Validate a transition. This determines whether a transition from scon to newcon*
276	using tcon as the target for object class tclass is valid in the loaded policy.
277	This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy.
278	Returns 0 if allowed and -1 if an error occurred with errno set /*
279	extern int security_validatetrans(const char *scon,
280	const char *tcon,
281	security_class_t tclass,
282	const char *newcon);
283	extern int security_validatetrans_raw(const char *scon,
284	const char *tcon,
285	security_class_t tclass,
286	const char *newcon);
287
288	/ Load a policy configuration. /
289	extern int security_load_policy(const void *data, size_t len);
290
291	/ Get the context of an initial kernel security identifier by name.*
292	Caller must free via freecon /*
293	extern int security_get_initial_context(const char *name,
294	char ** con);
295	extern int security_get_initial_context_raw(const char *name,
296	char ** con);
297
298	/*
299	* Make a policy image and load it.
300	* This function provides a higher level interface for loading policy
301	* than security_load_policy, internally determining the right policy
302	* version, locating and opening the policy file, mapping it into memory,
303	* manipulating it as needed for current boolean settings and/or local
304	* definitions, and then calling security_load_policy to load it.
305	*
306	* 'preservebools' is no longer supported, set to 0.
307	*/
308	extern int selinux_mkload_policy(int preservebools);
309
310	/*
311	* Perform the initial policy load.
312	* This function determines the desired enforcing mode, sets the
313	* the *enforce argument accordingly for the caller to use, sets the
314	* SELinux kernel enforcing status to match it, and loads the policy.
315	* It also internally handles the initial selinuxfs mount required to
316	* perform these actions.
317	*
318	* The function returns 0 if everything including the policy load succeeds.
319	* In this case, init is expected to re-exec itself in order to transition
320	* to the proper security context.
321	* Otherwise, the function returns -1, and init must check *enforce to
322	* determine how to proceed. If enforcing (*enforce > 0), then init should
323	* halt the system. Otherwise, init may proceed normally without a re-exec.
324	*/
325	extern int selinux_init_load_policy(int *enforce);
326
327	/ Translate boolean strict to name value pair. /
328	typedef struct {
329	char *name;
330	int value;
331	} SELboolean;
332	/ save a list of booleans in a single transaction. 'permanent' is no*
333	* longer supported, set to 0.
334	*/
335	extern int security_set_boolean_list(size_t boolcnt,
336	SELboolean * boollist, int permanent);
337
338	/ Load policy boolean settings. Deprecated as local policy booleans no*
339	* longer supported. Will always return -1.
340	*/
341	extern int security_load_booleans(char *path)
342	#ifdef __GNUC__
343	__attribute__ ((deprecated))
344	#endif
345	;
346
347	/ Check the validity of a security context. /
348	extern int security_check_context(const char * con);
349	extern int security_check_context_raw(const char * con);
350
351	/ Canonicalize a security context. /
352	extern int security_canonicalize_context(const char * con,
353	char ** canoncon);
354	extern int security_canonicalize_context_raw(const char * con,
355	char ** canoncon);
356
357	/ Get the enforce flag value. /
358	extern int security_getenforce(void);
359
360	/ Set the enforce flag value. /
361	extern int security_setenforce(int value);
362
363	/ Get the load-time behavior for undefined classes/permissions /
364	extern int security_reject_unknown(void);
365
366	/ Get the runtime behavior for undefined classes/permissions /
367	extern int security_deny_unknown(void);
368
369	/ Get the checkreqprot value /
370	extern int security_get_checkreqprot(void);
371
372	/ Disable SELinux at runtime (must be done prior to initial policy load). /
373	extern int security_disable(void);
374
375	/ Get the policy version number. /
376	extern int security_policyvers(void);
377
378	/ Get the boolean names /
379	extern int security_get_boolean_names(char **names, int* *len);
380
381	/ Get the pending value for the boolean /
382	extern int security_get_boolean_pending(const char *name);
383
384	/ Get the active value for the boolean /
385	extern int security_get_boolean_active(const char *name);
386
387	/ Set the pending value for the boolean /
388	extern int security_set_boolean(const char name, int* value);
389
390	/ Commit the pending values for the booleans /
391	extern int security_commit_booleans(void);
392
393	/ Userspace class mapping support /
394	struct security_class_mapping {
395	const char *name;
396	const char perms[sizeof(access_vector_t) `8` + `1`];
397	};
398
399	/**
400	* selinux_set_mapping - Enable dynamic mapping between integer offsets and security class names
401	* @map: array of security_class_mapping structures
402	*
403	* The core avc_has_perm() API uses integers to represent security
404	* classes; previous to the introduction of this function, it was
405	* common for userspace object managers to be compiled using generated
406	* offsets for a particular policy. However, that strongly ties the build of the userspace components to a particular policy.
407	*
408	* By using this function to map between integer offsets and security
409	* class names, it's possible to replace a system policies that have
410	* at least the same set of security class names as used by the
411	* userspace object managers.
412	*
413	* To correctly use this function, you should override the generated
414	* security class defines from the system policy in a local header,
415	* starting at 1, and have one security_class_mapping structure entry
416	* per define.
417	*/
418	extern int selinux_set_mapping(struct security_class_mapping *map);
419
420	/ Common helpers /
421
422	/ Convert between mode and security class values /
423	extern security_class_t mode_to_security_class(mode_t mode);
424	/ Convert between security class values and string names /
425	extern security_class_t string_to_security_class(const char *name);
426	extern const char *security_class_to_string(security_class_t cls);
427
428	/ Convert between individual access vector permissions and string names /
429	extern const char *security_av_perm_to_string(security_class_t tclass,
430	access_vector_t perm);
431	extern access_vector_t string_to_av_perm(security_class_t tclass,
432	const char *name);
433
434	/ Returns an access vector in a string representation. User must free the*
435	* returned string via free(). */
436	extern int security_av_string(security_class_t tclass,
437	access_vector_t av, char **result);
438
439	/ Display an access vector in a string representation. /
440	extern void print_access_vector(security_class_t tclass, access_vector_t av);
441
442	/ Flush the SELinux class cache, e.g. upon a policy reload. /
443	extern void selinux_flush_class_cache(void);
444
445	/ Set the function used by matchpathcon_init when displaying*
446	errors about the file_contexts configuration. If not set,
447	then this defaults to fprintf(stderr, fmt, ...). /*
448	extern void set_matchpathcon_printf(void (f) (const* char *fmt, ...));
449
450	/ Set the function used by matchpathcon_init when checking the*
451	validity of a context in the file contexts configuration. If not set,
452	then this defaults to a test based on security_check_context().
453	The function is also responsible for reporting any such error, and
454	may include the 'path' and 'lineno' in such error messages. /*
455	extern void set_matchpathcon_invalidcon(int (f) (const* char *path,
456	unsigned lineno,
457	char *context));
458
459	/ Same as above, but also allows canonicalization of the context,*
460	by changing context to refer to the canonical form. If not set,*
461	and invalidcon is also not set, then this defaults to calling
462	security_canonicalize_context(). /*
463	extern void set_matchpathcon_canoncon(int (f) (const* char *path,
464	unsigned lineno,
465	char **context));
466
467	/ Set flags controlling operation of matchpathcon_init or matchpathcon. /
468	#define MATCHPATHCON_BASEONLY 1 /* Only process the base file_contexts file. */
469	#define MATCHPATHCON_NOTRANS 2 /* Do not perform any context translation. */
470	#define MATCHPATHCON_VALIDATE 4 /* Validate/canonicalize contexts at init time. */
471	extern void set_matchpathcon_flags(unsigned int flags);
472
473	/ Load the file contexts configuration specified by 'path'*
474	into memory for use by subsequent matchpathcon calls.
475	If 'path' is NULL, then load the active file contexts configuration,
476	i.e. the path returned by selinux_file_context_path().
477	Unless the MATCHPATHCON_BASEONLY flag has been set, this
478	function also checks for a 'path'.homedirs file and
479	a 'path'.local file and loads additional specifications
480	from them if present. /*
481	extern int matchpathcon_init(const char *path)
482	#ifdef __GNUC__
483	__attribute__ ((deprecated("Use selabel_open with backend SELABEL_CTX_FILE")))
484	#endif
485	;
486
487	/ Same as matchpathcon_init, but only load entries with*
488	regexes that have stems that are prefixes of 'prefix'. /*
489	extern int matchpathcon_init_prefix(const char path, const* char *prefix);
490
491	/ Free the memory allocated by matchpathcon_init. /
492	extern void matchpathcon_fini(void)
493	#ifdef __GNUC__
494	__attribute__ ((deprecated("Use selabel_close")))
495	#endif
496	;
497
498	/ Resolve all of the symlinks and relative portions of a pathname, but NOT*
499	* the final component (same a realpath() unless the final component is a
500	* symlink. Resolved path must be a path of size PATH_MAX + 1 */
501	extern int realpath_not_final(const char name, char* *resolved_path);
502
503	/ Match the specified pathname and mode against the file contexts*
504	configuration and set con to refer to the resulting context.*
505	'mode' can be 0 to disable mode matching.
506	Caller must free via freecon.
507	If matchpathcon_init has not already been called, then this function
508	will call it upon its first invocation with a NULL path. /*
509	extern int matchpathcon(const char *path,
510	mode_t mode, char ** con)
511	#ifdef __GNUC__
512	__attribute__ ((deprecated("Use selabel_lookup instead")))
513	#endif
514	;
515
516	/ Same as above, but return a specification index for*
517	later use in a matchpathcon_filespec_add() call - see below. /*
518	extern int matchpathcon_index(const char *path,
519	mode_t mode, char ** con);
520
521	/ Maintain an association between an inode and a specification index,*
522	and check whether a conflicting specification is already associated
523	with the same inode (e.g. due to multiple hard links). If so, then
524	use the latter of the two specifications based on their order in the
525	file contexts configuration. Return the used specification index. /*
526	#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
527	#define matchpathcon_filespec_add matchpathcon_filespec_add64
528	#endif
529	extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
530
531	/ Destroy any inode associations that have been added, e.g. to restart*
532	for a new filesystem. /*
533	extern void matchpathcon_filespec_destroy(void);
534
535	/ Display statistics on the hash table usage for the associations. /
536	extern void matchpathcon_filespec_eval(void);
537
538	/ Check to see whether any specifications had no matches and report them.*
539	The 'str' is used as a prefix for any warning messages. /*
540	extern void matchpathcon_checkmatches(char *str);
541
542	/ Match the specified media and against the media contexts*
543	configuration and set con to refer to the resulting context.*
544	Caller must free con via freecon. /*
545	extern int matchmediacon(const char media, char* ** con);
546
547	/*
548	selinux_getenforcemode reads the /etc/selinux/config file and determines
549	whether the machine should be started in enforcing (1), permissive (0) or
550	disabled (-1) mode.
551	*/
552	extern int selinux_getenforcemode(int *enforce);
553
554	/*
555	selinux_boolean_sub reads the /etc/selinux/TYPE/booleans.subs_dist file
556	looking for a record with boolean_name. If a record exists selinux_boolean_sub
557	returns the translated name otherwise it returns the original name.
558	The returned value needs to be freed. On failure NULL will be returned.
559	*/
560	extern char selinux_boolean_sub(const* char *boolean_name);
561
562	/*
563	selinux_getpolicytype reads the /etc/selinux/config file and determines
564	what the default policy for the machine is. Calling application must
565	free policytype.
566	*/
567	extern int selinux_getpolicytype(char **policytype);
568
569	/*
570	selinux_policy_root reads the /etc/selinux/config file and returns
571	the directory path under which the compiled policy file and context
572	configuration files exist.
573	*/
574	extern const char selinux_policy_root(void*);
575
576	/*
577	selinux_set_policy_root sets an alternate policy root directory path under
578	which the compiled policy file and context configuration files exist.
579	*/
580	extern int selinux_set_policy_root(const char *rootpath);
581
582	/ These functions return the paths to specific files under the*
583	policy root directory. /*
584	extern const char selinux_current_policy_path(void*);
585	extern const char selinux_binary_policy_path(void*);
586	extern const char selinux_failsafe_context_path(void*);
587	extern const char selinux_removable_context_path(void*);
588	extern const char selinux_default_context_path(void*);
589	extern const char selinux_user_contexts_path(void*);
590	extern const char selinux_file_context_path(void*);
591	extern const char selinux_file_context_homedir_path(void*);
592	extern const char selinux_file_context_local_path(void*);
593	extern const char selinux_file_context_subs_path(void*);
594	extern const char selinux_file_context_subs_dist_path(void*);
595	extern const char selinux_homedir_context_path(void*);
596	extern const char selinux_media_context_path(void*);
597	extern const char selinux_virtual_domain_context_path(void*);
598	extern const char selinux_virtual_image_context_path(void*);
599	extern const char selinux_lxc_contexts_path(void*);
600	extern const char selinux_x_context_path(void*);
601	extern const char selinux_sepgsql_context_path(void*);
602	extern const char selinux_openrc_contexts_path(void*);
603	extern const char selinux_openssh_contexts_path(void*);
604	extern const char selinux_snapperd_contexts_path(void*);
605	extern const char selinux_systemd_contexts_path(void*);
606	extern const char selinux_contexts_path(void*);
607	extern const char selinux_securetty_types_path(void*);
608	extern const char selinux_booleans_subs_path(void*);
609	/ Deprecated as local policy booleans no longer supported. /
610	extern const char selinux_booleans_path(void*)
611	#ifdef __GNUC__
612	__attribute__ ((deprecated))
613	#endif
614	;
615	extern const char selinux_customizable_types_path(void*);
616	/ Deprecated as policy ./users no longer supported. /
617	extern const char selinux_users_path(void*)
618	#ifdef __GNUC__
619	__attribute__ ((deprecated))
620	#endif
621	;
622	extern const char selinux_usersconf_path(void*);
623	extern const char selinux_translations_path(void*);
624	extern const char selinux_colors_path(void*);
625	extern const char selinux_netfilter_context_path(void*);
626	extern const char selinux_path(void*);
627
628	/**
629	* selinux_check_access - Check permissions and perform appropriate auditing.
630	* @scon: source security context
631	* @tcon: target security context
632	* @tclass: target security class string
633	* @perm: requested permissions string, interpreted based on @tclass
634	* @auditdata: auxiliary audit data
635	*
636	* Check the AVC to determine whether the @perm permissions are granted
637	* for the SID pair (@scon, @tcon), interpreting the permissions
638	* based on @tclass.
639	* Return %0 if all @perm permissions are granted, -%1 with
640	* @errno set to %EACCES if any permissions are denied or to another
641	* value upon other errors.
642	* If auditing or logging is configured the appropriate callbacks will be called
643	* and passed the auditdata field
644	*/
645	extern int selinux_check_access(const char * scon, const char * tcon, const char tclass, const* char perm, void* *auditdata);
646
647	/ Check a permission in the passwd class.*
648	Return 0 if granted or -1 otherwise. /*
649	extern int selinux_check_passwd_access(access_vector_t requested)
650	#ifdef __GNUC__
651	__attribute__ ((deprecated("Use selinux_check_access")))
652	#endif
653	;
654
655	extern int checkPasswdAccess(access_vector_t requested)
656	#ifdef __GNUC__
657	__attribute__ ((deprecated("Use selinux_check_access")))
658	#endif
659	;
660
661	/ Check if the tty_context is defined as a securetty*
662	Return 0 if secure, < 0 otherwise. /*
663	extern int selinux_check_securetty_context(const char * tty_context);
664
665	/ Set the path to the selinuxfs mount point explicitly.*
666	Normally, this is determined automatically during libselinux
667	initialization, but this is not always possible, e.g. for /sbin/init
668	which performs the initial mount of selinuxfs. /*
669	extern void set_selinuxmnt(const char *mnt);
670
671	/ Check if selinuxfs exists as a kernel filesystem /
672	extern int selinuxfs_exists(void);
673
674	/ clear selinuxmnt variable and free allocated memory /
675	extern void fini_selinuxmnt(void);
676
677	/ Set an appropriate security context based on the filename of a helper*
678	* program, falling back to a new context with the specified type. */
679	extern int setexecfilecon(const char filename, const* char *fallback_type);
680
681	#ifndef DISABLE_RPM
682	/ Execute a helper for rpm in an appropriate security context. /
683	extern int rpm_execcon(unsigned int verified,
684	const char *filename,
685	char *const argv[], char *const envp[])
686	#ifdef __GNUC__
687	__attribute__((deprecated("Use setexecfilecon and execve")))
688	#endif
689	;
690	#endif
691
692	/ Returns whether a file context is customizable, and should not*
693	be relabeled . /*
694	extern int is_context_customizable(const char * scontext);
695
696	/ Perform context translation between the human-readable format*
697	("translated") and the internal system format ("raw").
698	Caller must free the resulting context via freecon.
699	Returns -1 upon an error or 0 otherwise.
700	If passed NULL, sets the returned context to NULL and returns 0. /*
701	extern int selinux_trans_to_raw_context(const char * trans,
702	char ** rawp);
703	extern int selinux_raw_to_trans_context(const char * raw,
704	char ** transp);
705
706	/ Perform context translation between security contexts*
707	and display colors. Returns a space-separated list of ten
708	ten hex RGB triples prefixed by hash marks, e.g. "#ff0000".
709	Caller must free the resulting string via free.
710	Returns -1 upon an error or 0 otherwise. /*
711	extern int selinux_raw_context_to_color(const char * raw,
712	char **color_str);
713
714	/ Get the SELinux username and level to use for a given Linux username.*
715	These values may then be passed into the get_ordered_context_list*
716	and get_default_context functions to obtain a context for the user.*
717	Returns 0 on success or -1 otherwise.
718	Caller must free the returned strings via free. /*
719	extern int getseuserbyname(const char linuxuser, char* *seuser, char* **level);
720
721	/ Get the SELinux username and level to use for a given Linux username and service.*
722	These values may then be passed into the get_ordered_context_list*
723	and get_default_context functions to obtain a context for the user.*
724	Returns 0 on success or -1 otherwise.
725	Caller must free the returned strings via free. /*
726	extern int getseuser(const char username, const* char *service,
727	char *r_seuser, char* **r_level);
728
729	/ Compare two file contexts, return 0 if equivalent. /
730	extern int selinux_file_context_cmp(const char * a,
731	const char * b);
732
733	/*
734	* Verify the context of the file 'path' against policy.
735	* Return 1 if match, 0 if not and -1 on error.
736	*/
737	extern int selinux_file_context_verify(const char *path, mode_t mode);
738
739	/ This function sets the file context on to the system defaults returns 0 on success /
740	extern int selinux_lsetfilecon_default(const char *path);
741
742	/*
743	* Force a reset of the loaded configuration
744	* WARNING: This is not thread safe. Be very sure that no other threads
745	* are calling into libselinux when this is called.
746	*/
747	extern void selinux_reset_config(void);
748
749	#ifdef __cplusplus
750	}
751	#endif
752	#endif
753

source code of include/selinux/selinux.h