selinux.h source code [include/selinux/selinux.h]

1	#ifndef _SELINUX_H_
2	#define _SELINUX_H_
3
4	#include <sys/types.h>
5	#include <stdarg.h>
6
7	#ifdef __cplusplus
8	extern "C" {
9	#endif
10
11	/ Return 1 if we are running on a SELinux kernel, or 0 otherwise. /
12	extern int is_selinux_enabled(void);
13	/ Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. /
14	extern int is_selinux_mls_enabled(void);
15
16	/ No longer used; here for compatibility with legacy callers. /
17	typedef char *security_context_t
18	#ifdef __GNUC__
19	__attribute__ ((deprecated))
20	#endif
21	;
22
23	/ Free the memory allocated for a context by any of the below get* calls. /
24	extern void freecon(char * con);
25
26	/ Free the memory allocated for a context array by security_compute_user. /
27	extern void freeconary(char ** con);
28
29	/ Wrappers for the /proc/pid/attr API. /
30
31	/ Get current context, and set con to refer to it.
32	Caller must free via freecon. /*
33	extern int getcon(char ** con);
34	extern int getcon_raw(char ** con);
35
36	/ Set the current security context to con.*
37	Note that use of this function requires that the entire application
38	be trusted to maintain any desired separation between the old and new
39	security contexts, unlike exec-based transitions performed via setexeccon.
40	When possible, decompose your application and use setexeccon()+execve()
41	instead. Note that the application may lose access to its open descriptors
42	as a result of a setcon() unless policy allows it to use descriptors opened
43	by the old context. /*
44	extern int setcon(const char * con);
45	extern int setcon_raw(const char * con);
46
47	/ Get context of process identified by pid, and*
48	set con to refer to it. Caller must free via freecon. /
49	extern int getpidcon(pid_t pid, char ** con);
50	extern int getpidcon_raw(pid_t pid, char ** con);
51
52	/ Get previous context (prior to last exec), and set con to refer to it.
53	Caller must free via freecon. /*
54	extern int getprevcon(char ** con);
55	extern int getprevcon_raw(char ** con);
56
57	/ Get exec context, and set con to refer to it.
58	Sets con to NULL if no exec context has been set, i.e. using default.*
59	If non-NULL, caller must free via freecon. /*
60	extern int getexeccon(char ** con);
61	extern int getexeccon_raw(char ** con);
62
63	/ Set exec security context for the next execve.*
64	Call with NULL if you want to reset to the default. /*
65	extern int setexeccon(const char * con);
66	extern int setexeccon_raw(const char * con);
67
68	/ Get fscreate context, and set con to refer to it.
69	Sets con to NULL if no fs create context has been set, i.e. using default.*
70	If non-NULL, caller must free via freecon. /*
71	extern int getfscreatecon(char ** con);
72	extern int getfscreatecon_raw(char ** con);
73
74	/ Set the fscreate security context for subsequent file creations.*
75	Call with NULL if you want to reset to the default. /*
76	extern int setfscreatecon(const char * context);
77	extern int setfscreatecon_raw(const char * context);
78
79	/ Get keycreate context, and set con to refer to it.
80	Sets con to NULL if no key create context has been set, i.e. using default.*
81	If non-NULL, caller must free via freecon. /*
82	extern int getkeycreatecon(char ** con);
83	extern int getkeycreatecon_raw(char ** con);
84
85	/ Set the keycreate security context for subsequent key creations.*
86	Call with NULL if you want to reset to the default. /*
87	extern int setkeycreatecon(const char * context);
88	extern int setkeycreatecon_raw(const char * context);
89
90	/ Get sockcreate context, and set con to refer to it.
91	Sets con to NULL if no socket create context has been set, i.e. using default.*
92	If non-NULL, caller must free via freecon. /*
93	extern int getsockcreatecon(char ** con);
94	extern int getsockcreatecon_raw(char ** con);
95
96	/ Set the sockcreate security context for subsequent socket creations.*
97	Call with NULL if you want to reset to the default. /*
98	extern int setsockcreatecon(const char * context);
99	extern int setsockcreatecon_raw(const char * context);
100
101	/ Wrappers for the xattr API. /
102
103	/ Get file context, and set con to refer to it.
104	Caller must free via freecon. /*
105	extern int getfilecon(const char path, char* ** con);
106	extern int getfilecon_raw(const char path, char* ** con);
107	extern int lgetfilecon(const char path, char* ** con);
108	extern int lgetfilecon_raw(const char path, char* ** con);
109	extern int fgetfilecon(int fd, char ** con);
110	extern int fgetfilecon_raw(int fd, char ** con);
111
112	/ Set file context /
113	extern int setfilecon(const char path, const* char * con);
114	extern int setfilecon_raw(const char path, const* char * con);
115	extern int lsetfilecon(const char path, const* char * con);
116	extern int lsetfilecon_raw(const char path, const* char * con);
117	extern int fsetfilecon(int fd, const char * con);
118	extern int fsetfilecon_raw(int fd, const char * con);
119
120	/ Wrappers for the socket API /
121
122	/ Get context of peer socket, and set con to refer to it.
123	Caller must free via freecon. /*
124	extern int getpeercon(int fd, char ** con);
125	extern int getpeercon_raw(int fd, char ** con);
126
127	/ Wrappers for the selinuxfs (policy) API. /
128
129	typedef unsigned int access_vector_t;
130	typedef unsigned short security_class_t;
131
132	struct av_decision {
133	access_vector_t allowed;
134	access_vector_t decided;
135	access_vector_t auditallow;
136	access_vector_t auditdeny;
137	unsigned int seqno;
138	unsigned int flags;
139	};
140
141	/ Definitions of av_decision.flags /
142	#define SELINUX_AVD_FLAGS_PERMISSIVE 0x0001
143
144	/ Structure for passing options, used by AVC and label subsystems /
145	struct selinux_opt {
146	int type;
147	const char *value;
148	};
149
150	/ Callback facilities /
151	union selinux_callback {
152	/ log the printf-style format and arguments,*
153	with the type code indicating the type of message /*
154	int
155	#ifdef __GNUC__
156	__attribute__ ((format(printf, `2`, `3`)))
157	#endif
158	(func_log) (int* type, const char *fmt, ...);
159	/ store a string representation of auditdata (corresponding*
160	to the given security class) into msgbuf. /*
161	int (func_audit) (void* *auditdata, security_class_t cls,
162	char *msgbuf, size_t msgbufsize);
163	/ validate the supplied context, modifying if necessary /
164	int (func_validate) (char* **ctx);
165	/ netlink callback for setenforce message /
166	int (func_setenforce) (int* enforcing);
167	/ netlink callback for policyload message /
168	int (func_policyload) (int* seqno);
169	};
170
171	#define SELINUX_CB_LOG 0
172	#define SELINUX_CB_AUDIT 1
173	#define SELINUX_CB_VALIDATE 2
174	#define SELINUX_CB_SETENFORCE 3
175	#define SELINUX_CB_POLICYLOAD 4
176
177	extern union selinux_callback selinux_get_callback(int type);
178	extern void selinux_set_callback(int type, union selinux_callback cb);
179
180	/ Logging type codes, passed to the logging callback /
181	#define SELINUX_ERROR 0
182	#define SELINUX_WARNING 1
183	#define SELINUX_INFO 2
184	#define SELINUX_AVC 3
185	#define SELINUX_POLICYLOAD 4
186	#define SELINUX_SETENFORCE 5
187	#define SELINUX_TRANS_DIR "/var/run/setrans"
188
189	/ Compute an access decision. /
190	extern int security_compute_av(const char * scon,
191	const char * tcon,
192	security_class_t tclass,
193	access_vector_t requested,
194	struct av_decision *avd);
195	extern int security_compute_av_raw(const char * scon,
196	const char * tcon,
197	security_class_t tclass,
198	access_vector_t requested,
199	struct av_decision *avd);
200
201	extern int security_compute_av_flags(const char * scon,
202	const char * tcon,
203	security_class_t tclass,
204	access_vector_t requested,
205	struct av_decision *avd);
206	extern int security_compute_av_flags_raw(const char * scon,
207	const char * tcon,
208	security_class_t tclass,
209	access_vector_t requested,
210	struct av_decision *avd);
211
212	/ Compute a labeling decision and set newcon to refer to it.
213	Caller must free via freecon. /*
214	extern int security_compute_create(const char * scon,
215	const char * tcon,
216	security_class_t tclass,
217	char ** newcon);
218	extern int security_compute_create_raw(const char * scon,
219	const char * tcon,
220	security_class_t tclass,
221	char ** newcon);
222	extern int security_compute_create_name(const char * scon,
223	const char * tcon,
224	security_class_t tclass,
225	const char *objname,
226	char ** newcon);
227	extern int security_compute_create_name_raw(const char * scon,
228	const char * tcon,
229	security_class_t tclass,
230	const char *objname,
231	char ** newcon);
232
233	/ Compute a relabeling decision and set newcon to refer to it.
234	Caller must free via freecon. /*
235	extern int security_compute_relabel(const char * scon,
236	const char * tcon,
237	security_class_t tclass,
238	char ** newcon);
239	extern int security_compute_relabel_raw(const char * scon,
240	const char * tcon,
241	security_class_t tclass,
242	char ** newcon);
243
244	/ Compute a polyinstantiation member decision and set newcon to refer to it.
245	Caller must free via freecon. /*
246	extern int security_compute_member(const char * scon,
247	const char * tcon,
248	security_class_t tclass,
249	char ** newcon);
250	extern int security_compute_member_raw(const char * scon,
251	const char * tcon,
252	security_class_t tclass,
253	char ** newcon);
254
255	/*
256	* Compute the set of reachable user contexts and set *con to refer to
257	* the NULL-terminated array of contexts. Caller must free via freeconary.
258	* These interfaces are deprecated. Use get_ordered_context_list() or
259	* one of its variant interfaces instead.
260	*/
261	extern int security_compute_user(const char * scon,
262	const char *username,
263	char *** con);
264	extern int security_compute_user_raw(const char * scon,
265	const char *username,
266	char *** con);
267
268	/ Validate a transition. This determines whether a transition from scon to newcon*
269	using tcon as the target for object class tclass is valid in the loaded policy.
270	This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy.
271	Returns 0 if allowed and -1 if an error occurred with errno set /*
272	extern int security_validatetrans(const char *scon,
273	const char *tcon,
274	security_class_t tclass,
275	const char *newcon);
276	extern int security_validatetrans_raw(const char *scon,
277	const char *tcon,
278	security_class_t tclass,
279	const char *newcon);
280
281	/ Load a policy configuration. /
282	extern int security_load_policy(void *data, size_t len);
283
284	/ Get the context of an initial kernel security identifier by name.*
285	Caller must free via freecon /*
286	extern int security_get_initial_context(const char *name,
287	char ** con);
288	extern int security_get_initial_context_raw(const char *name,
289	char ** con);
290
291	/*
292	* Make a policy image and load it.
293	* This function provides a higher level interface for loading policy
294	* than security_load_policy, internally determining the right policy
295	* version, locating and opening the policy file, mapping it into memory,
296	* manipulating it as needed for current boolean settings and/or local
297	* definitions, and then calling security_load_policy to load it.
298	*
299	* 'preservebools' is no longer supported, set to 0.
300	*/
301	extern int selinux_mkload_policy(int preservebools);
302
303	/*
304	* Perform the initial policy load.
305	* This function determines the desired enforcing mode, sets the
306	* the *enforce argument accordingly for the caller to use, sets the
307	* SELinux kernel enforcing status to match it, and loads the policy.
308	* It also internally handles the initial selinuxfs mount required to
309	* perform these actions.
310	*
311	* The function returns 0 if everything including the policy load succeeds.
312	* In this case, init is expected to re-exec itself in order to transition
313	* to the proper security context.
314	* Otherwise, the function returns -1, and init must check *enforce to
315	* determine how to proceed. If enforcing (*enforce > 0), then init should
316	* halt the system. Otherwise, init may proceed normally without a re-exec.
317	*/
318	extern int selinux_init_load_policy(int *enforce);
319
320	/ Translate boolean strict to name value pair. /
321	typedef struct {
322	char *name;
323	int value;
324	} SELboolean;
325	/ save a list of booleans in a single transaction. 'permanent' is no*
326	* longer supported, set to 0.
327	*/
328	extern int security_set_boolean_list(size_t boolcnt,
329	SELboolean * boollist, int permanent);
330
331	/ Load policy boolean settings. Deprecated as local policy booleans no*
332	* longer supported. Will always return -1.
333	*/
334	extern int security_load_booleans(char *path)
335	#ifdef __GNUC__
336	__attribute__ ((deprecated))
337	#endif
338	;
339
340	/ Check the validity of a security context. /
341	extern int security_check_context(const char * con);
342	extern int security_check_context_raw(const char * con);
343
344	/ Canonicalize a security context. /
345	extern int security_canonicalize_context(const char * con,
346	char ** canoncon);
347	extern int security_canonicalize_context_raw(const char * con,
348	char ** canoncon);
349
350	/ Get the enforce flag value. /
351	extern int security_getenforce(void);
352
353	/ Set the enforce flag value. /
354	extern int security_setenforce(int value);
355
356	/ Get the load-time behavior for undefined classes/permissions /
357	extern int security_reject_unknown(void);
358
359	/ Get the runtime behavior for undefined classes/permissions /
360	extern int security_deny_unknown(void);
361
362	/ Get the checkreqprot value /
363	extern int security_get_checkreqprot(void);
364
365	/ Disable SELinux at runtime (must be done prior to initial policy load). /
366	extern int security_disable(void);
367
368	/ Get the policy version number. /
369	extern int security_policyvers(void);
370
371	/ Get the boolean names /
372	extern int security_get_boolean_names(char **names, int* *len);
373
374	/ Get the pending value for the boolean /
375	extern int security_get_boolean_pending(const char *name);
376
377	/ Get the active value for the boolean /
378	extern int security_get_boolean_active(const char *name);
379
380	/ Set the pending value for the boolean /
381	extern int security_set_boolean(const char name, int* value);
382
383	/ Commit the pending values for the booleans /
384	extern int security_commit_booleans(void);
385
386	/ Userspace class mapping support /
387	struct security_class_mapping {
388	const char *name;
389	const char perms[sizeof(access_vector_t) `8` + `1`];
390	};
391
392	/**
393	* selinux_set_mapping - Enable dynamic mapping between integer offsets and security class names
394	* @map: array of security_class_mapping structures
395	*
396	* The core avc_has_perm() API uses integers to represent security
397	* classes; previous to the introduction of this function, it was
398	* common for userspace object managers to be compiled using generated
399	* offsets for a particular policy. However, that strongly ties the build of the userspace components to a particular policy.
400	*
401	* By using this function to map between integer offsets and security
402	* class names, it's possible to replace a system policies that have
403	* at least the same set of security class names as used by the
404	* userspace object managers.
405	*
406	* To correctly use this function, you should override the generated
407	* security class defines from the system policy in a local header,
408	* starting at 1, and have one security_class_mapping structure entry
409	* per define.
410	*/
411	extern int selinux_set_mapping(struct security_class_mapping *map);
412
413	/ Common helpers /
414
415	/ Convert between mode and security class values /
416	extern security_class_t mode_to_security_class(mode_t mode);
417	/ Convert between security class values and string names /
418	extern security_class_t string_to_security_class(const char *name);
419	extern const char *security_class_to_string(security_class_t cls);
420
421	/ Convert between individual access vector permissions and string names /
422	extern const char *security_av_perm_to_string(security_class_t tclass,
423	access_vector_t perm);
424	extern access_vector_t string_to_av_perm(security_class_t tclass,
425	const char *name);
426
427	/ Returns an access vector in a string representation. User must free the*
428	* returned string via free(). */
429	extern int security_av_string(security_class_t tclass,
430	access_vector_t av, char **result);
431
432	/ Display an access vector in a string representation. /
433	extern void print_access_vector(security_class_t tclass, access_vector_t av);
434
435	/ Flush the SELinux class cache, e.g. upon a policy reload. /
436	extern void selinux_flush_class_cache(void);
437
438	/ Set the function used by matchpathcon_init when displaying*
439	errors about the file_contexts configuration. If not set,
440	then this defaults to fprintf(stderr, fmt, ...). /*
441	extern void set_matchpathcon_printf(void (f) (const* char *fmt, ...));
442
443	/ Set the function used by matchpathcon_init when checking the*
444	validity of a context in the file contexts configuration. If not set,
445	then this defaults to a test based on security_check_context().
446	The function is also responsible for reporting any such error, and
447	may include the 'path' and 'lineno' in such error messages. /*
448	extern void set_matchpathcon_invalidcon(int (f) (const* char *path,
449	unsigned lineno,
450	char *context));
451
452	/ Same as above, but also allows canonicalization of the context,*
453	by changing context to refer to the canonical form. If not set,*
454	and invalidcon is also not set, then this defaults to calling
455	security_canonicalize_context(). /*
456	extern void set_matchpathcon_canoncon(int (f) (const* char *path,
457	unsigned lineno,
458	char **context));
459
460	/ Set flags controlling operation of matchpathcon_init or matchpathcon. /
461	#define MATCHPATHCON_BASEONLY 1 /* Only process the base file_contexts file. */
462	#define MATCHPATHCON_NOTRANS 2 /* Do not perform any context translation. */
463	#define MATCHPATHCON_VALIDATE 4 /* Validate/canonicalize contexts at init time. */
464	extern void set_matchpathcon_flags(unsigned int flags);
465
466	/ Load the file contexts configuration specified by 'path'*
467	into memory for use by subsequent matchpathcon calls.
468	If 'path' is NULL, then load the active file contexts configuration,
469	i.e. the path returned by selinux_file_context_path().
470	Unless the MATCHPATHCON_BASEONLY flag has been set, this
471	function also checks for a 'path'.homedirs file and
472	a 'path'.local file and loads additional specifications
473	from them if present. /*
474	extern int matchpathcon_init(const char *path)
475	#ifdef __GNUC__
476	__attribute__ ((deprecated("Use selabel_open with backend SELABEL_CTX_FILE")))
477	#endif
478	;
479
480	/ Same as matchpathcon_init, but only load entries with*
481	regexes that have stems that are prefixes of 'prefix'. /*
482	extern int matchpathcon_init_prefix(const char path, const* char *prefix);
483
484	/ Free the memory allocated by matchpathcon_init. /
485	extern void matchpathcon_fini(void)
486	#ifdef __GNUC__
487	__attribute__ ((deprecated("Use selabel_close")))
488	#endif
489	;
490
491	/ Resolve all of the symlinks and relative portions of a pathname, but NOT*
492	* the final component (same a realpath() unless the final component is a
493	* symlink. Resolved path must be a path of size PATH_MAX + 1 */
494	extern int realpath_not_final(const char name, char* *resolved_path);
495
496	/ Match the specified pathname and mode against the file contexts*
497	configuration and set con to refer to the resulting context.*
498	'mode' can be 0 to disable mode matching.
499	Caller must free via freecon.
500	If matchpathcon_init has not already been called, then this function
501	will call it upon its first invocation with a NULL path. /*
502	extern int matchpathcon(const char *path,
503	mode_t mode, char ** con)
504	#ifdef __GNUC__
505	__attribute__ ((deprecated("Use selabel_lookup instead")))
506	#endif
507	;
508
509	/ Same as above, but return a specification index for*
510	later use in a matchpathcon_filespec_add() call - see below. /*
511	extern int matchpathcon_index(const char *path,
512	mode_t mode, char ** con);
513
514	/ Maintain an association between an inode and a specification index,*
515	and check whether a conflicting specification is already associated
516	with the same inode (e.g. due to multiple hard links). If so, then
517	use the latter of the two specifications based on their order in the
518	file contexts configuration. Return the used specification index. /*
519	extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
520
521	/ Destroy any inode associations that have been added, e.g. to restart*
522	for a new filesystem. /*
523	extern void matchpathcon_filespec_destroy(void);
524
525	/ Display statistics on the hash table usage for the associations. /
526	extern void matchpathcon_filespec_eval(void);
527
528	/ Check to see whether any specifications had no matches and report them.*
529	The 'str' is used as a prefix for any warning messages. /*
530	extern void matchpathcon_checkmatches(char *str);
531
532	/ Match the specified media and against the media contexts*
533	configuration and set con to refer to the resulting context.*
534	Caller must free con via freecon. /*
535	extern int matchmediacon(const char media, char* ** con);
536
537	/*
538	selinux_getenforcemode reads the /etc/selinux/config file and determines
539	whether the machine should be started in enforcing (1), permissive (0) or
540	disabled (-1) mode.
541	*/
542	extern int selinux_getenforcemode(int *enforce);
543
544	/*
545	selinux_boolean_sub reads the /etc/selinux/TYPE/booleans.subs_dist file
546	looking for a record with boolean_name. If a record exists selinux_boolean_sub
547	returns the translated name otherwise it returns the original name.
548	The returned value needs to be freed. On failure NULL will be returned.
549	*/
550	extern char selinux_boolean_sub(const* char *boolean_name);
551
552	/*
553	selinux_getpolicytype reads the /etc/selinux/config file and determines
554	what the default policy for the machine is. Calling application must
555	free policytype.
556	*/
557	extern int selinux_getpolicytype(char **policytype);
558
559	/*
560	selinux_policy_root reads the /etc/selinux/config file and returns
561	the directory path under which the compiled policy file and context
562	configuration files exist.
563	*/
564	extern const char selinux_policy_root(void*);
565
566	/*
567	selinux_set_policy_root sets an alternate policy root directory path under
568	which the compiled policy file and context configuration files exist.
569	*/
570	extern int selinux_set_policy_root(const char *rootpath);
571
572	/ These functions return the paths to specific files under the*
573	policy root directory. /*
574	extern const char selinux_current_policy_path(void*);
575	extern const char selinux_binary_policy_path(void*);
576	extern const char selinux_failsafe_context_path(void*);
577	extern const char selinux_removable_context_path(void*);
578	extern const char selinux_default_context_path(void*);
579	extern const char selinux_user_contexts_path(void*);
580	extern const char selinux_file_context_path(void*);
581	extern const char selinux_file_context_homedir_path(void*);
582	extern const char selinux_file_context_local_path(void*);
583	extern const char selinux_file_context_subs_path(void*);
584	extern const char selinux_file_context_subs_dist_path(void*);
585	extern const char selinux_homedir_context_path(void*);
586	extern const char selinux_media_context_path(void*);
587	extern const char selinux_virtual_domain_context_path(void*);
588	extern const char selinux_virtual_image_context_path(void*);
589	extern const char selinux_lxc_contexts_path(void*);
590	extern const char selinux_x_context_path(void*);
591	extern const char selinux_sepgsql_context_path(void*);
592	extern const char selinux_openrc_contexts_path(void*);
593	extern const char selinux_openssh_contexts_path(void*);
594	extern const char selinux_snapperd_contexts_path(void*);
595	extern const char selinux_systemd_contexts_path(void*);
596	extern const char selinux_contexts_path(void*);
597	extern const char selinux_securetty_types_path(void*);
598	extern const char selinux_booleans_subs_path(void*);
599	/ Deprecated as local policy booleans no longer supported. /
600	extern const char selinux_booleans_path(void*)
601	#ifdef __GNUC__
602	__attribute__ ((deprecated))
603	#endif
604	;
605	extern const char selinux_customizable_types_path(void*);
606	/ Deprecated as policy ./users no longer supported. /
607	extern const char selinux_users_path(void*)
608	#ifdef __GNUC__
609	__attribute__ ((deprecated))
610	#endif
611	;
612	extern const char selinux_usersconf_path(void*);
613	extern const char selinux_translations_path(void*);
614	extern const char selinux_colors_path(void*);
615	extern const char selinux_netfilter_context_path(void*);
616	extern const char selinux_path(void*);
617
618	/**
619	* selinux_check_access - Check permissions and perform appropriate auditing.
620	* @scon: source security context
621	* @tcon: target security context
622	* @tclass: target security class string
623	* @perm: requested permissions string, interpreted based on @tclass
624	* @auditdata: auxiliary audit data
625	*
626	* Check the AVC to determine whether the @perm permissions are granted
627	* for the SID pair (@scon, @tcon), interpreting the permissions
628	* based on @tclass.
629	* Return %0 if all @perm permissions are granted, -%1 with
630	* @errno set to %EACCES if any permissions are denied or to another
631	* value upon other errors.
632	* If auditing or logging is configured the appropriate callbacks will be called
633	* and passed the auditdata field
634	*/
635	extern int selinux_check_access(const char * scon, const char * tcon, const char tclass, const* char perm, void* *auditdata);
636
637	/ Check a permission in the passwd class.*
638	Return 0 if granted or -1 otherwise. /*
639	extern int selinux_check_passwd_access(access_vector_t requested)
640	#ifdef __GNUC__
641	__attribute__ ((deprecated("Use selinux_check_access")))
642	#endif
643	;
644
645	extern int checkPasswdAccess(access_vector_t requested)
646	#ifdef __GNUC__
647	__attribute__ ((deprecated("Use selinux_check_access")))
648	#endif
649	;
650
651	/ Check if the tty_context is defined as a securetty*
652	Return 0 if secure, < 0 otherwise. /*
653	extern int selinux_check_securetty_context(const char * tty_context);
654
655	/ Set the path to the selinuxfs mount point explicitly.*
656	Normally, this is determined automatically during libselinux
657	initialization, but this is not always possible, e.g. for /sbin/init
658	which performs the initial mount of selinuxfs. /*
659	extern void set_selinuxmnt(const char *mnt);
660
661	/ Check if selinuxfs exists as a kernel filesystem /
662	extern int selinuxfs_exists(void);
663
664	/ clear selinuxmnt variable and free allocated memory /
665	extern void fini_selinuxmnt(void);
666
667	/ Set an appropriate security context based on the filename of a helper*
668	* program, falling back to a new context with the specified type. */
669	extern int setexecfilecon(const char filename, const* char *fallback_type);
670
671	#ifndef DISABLE_RPM
672	/ Execute a helper for rpm in an appropriate security context. /
673	extern int rpm_execcon(unsigned int verified,
674	const char *filename,
675	char *const argv[], char *const envp[])
676	#ifdef __GNUC__
677	__attribute__((deprecated("Use setexecfilecon and execve")))
678	#endif
679	;
680	#endif
681
682	/ Returns whether a file context is customizable, and should not*
683	be relabeled . /*
684	extern int is_context_customizable(const char * scontext);
685
686	/ Perform context translation between the human-readable format*
687	("translated") and the internal system format ("raw").
688	Caller must free the resulting context via freecon.
689	Returns -1 upon an error or 0 otherwise.
690	If passed NULL, sets the returned context to NULL and returns 0. /*
691	extern int selinux_trans_to_raw_context(const char * trans,
692	char ** rawp);
693	extern int selinux_raw_to_trans_context(const char * raw,
694	char ** transp);
695
696	/ Perform context translation between security contexts*
697	and display colors. Returns a space-separated list of ten
698	ten hex RGB triples prefixed by hash marks, e.g. "#ff0000".
699	Caller must free the resulting string via free.
700	Returns -1 upon an error or 0 otherwise. /*
701	extern int selinux_raw_context_to_color(const char * raw,
702	char **color_str);
703
704	/ Get the SELinux username and level to use for a given Linux username.*
705	These values may then be passed into the get_ordered_context_list*
706	and get_default_context functions to obtain a context for the user.*
707	Returns 0 on success or -1 otherwise.
708	Caller must free the returned strings via free. /*
709	extern int getseuserbyname(const char linuxuser, char* *seuser, char* **level);
710
711	/ Get the SELinux username and level to use for a given Linux username and service.*
712	These values may then be passed into the get_ordered_context_list*
713	and get_default_context functions to obtain a context for the user.*
714	Returns 0 on success or -1 otherwise.
715	Caller must free the returned strings via free. /*
716	extern int getseuser(const char username, const* char *service,
717	char *r_seuser, char* **r_level);
718
719	/ Compare two file contexts, return 0 if equivalent. /
720	extern int selinux_file_context_cmp(const char * a,
721	const char * b);
722
723	/*
724	* Verify the context of the file 'path' against policy.
725	* Return 1 if match, 0 if not and -1 on error.
726	*/
727	extern int selinux_file_context_verify(const char *path, mode_t mode);
728
729	/ This function sets the file context on to the system defaults returns 0 on success /
730	extern int selinux_lsetfilecon_default(const char *path);
731
732	/*
733	* Force a reset of the loaded configuration
734	* WARNING: This is not thread safe. Be very sure that no other threads
735	* are calling into libselinux when this is called.
736	*/
737	extern void selinux_reset_config(void);
738
739	#ifdef __cplusplus
740	}
741	#endif
742	#endif
743

source code of include/selinux/selinux.h