Путеводитель по Руководству Linux
  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |


   avc_open    ( 3 )

настройка и разборка SELinux AVC в пользовательском пространстве (userspace SELinux AVC setup and teardown)

Имя (Name)

avc_open, avc_destroy, avc_reset, avc_cleanup - userspace SELinux
       AVC setup and teardown

Синопсис (Synopsis)

#include <selinux/selinux.h>
       #include <selinux/avc.h>


       int avc_open(struct selinux_opt *options, unsigned nopt);


       void avc_destroy(void);


       int avc_reset(void);


       void avc_cleanup(void);

Описание (Description)

avc_open() initializes the userspace AVC and must be called
       before any other AVC operation can be performed.


       avc_destroy() destroys the userspace AVC, freeing all internal
       memory structures.  After this call has been made, avc_open()
       must be called again before any AVC operations can be performed.
       avc_destroy() also closes the SELinux status page, which might
       have been opened manually by selinux_status_open(3).


       avc_reset() flushes the userspace AVC, causing it to forget any
       cached access decisions.  The userspace AVC normally calls this
       function automatically when needed, see NETLINK NOTIFICATION
       below.


       avc_cleanup() attempts to free unused memory within the userspace
       AVC, but does not flush any cached access decisions.  Under
       normal operation, calling this function should not be necessary.

Параметры (Options)

The userspace AVC obeys callbacks set via
       selinux_set_callback(3), in particular the logging and audit
       callbacks.


       The options which may be passed to avc_open() include the
       following:


       AVC_OPT_SETENFORCE
              This option forces the userspace AVC into enforcing mode
              if the option value is non-NULL; permissive mode
              otherwise.  The system enforcing mode will be ignored.

Страница состояния ядра (Kernel status page)

Linux kernel version 2.6.37 supports the SELinux kernel status
       page, enabling userspace applications to mmap(2) SELinux status
       state in read-only mode to avoid system calls during the cache
       hit code path.


       avc_open() calls selinux_status_open(3) to initialize the selinux
       status state.


       avc_has_perm(3) and selinux_check_access(3) both check for status
       updates through calls to selinux_status_updated(3) at the start
       of each permission query and take the appropriate action.


       Two status types are currently implemented.  setenforce events
       will change the effective enforcing state used within the AVC,
       and policyload events will result in a cache flush.

Уведомление NETLINK (NETLINK notification)

In the event that the kernel status page is not successfully
       mmap(2)'ed the AVC will default to the netlink fallback
       mechanism, which opens a netlink socket for receiving status
       updates.  setenforce and policyload events will have the same
       results as for the status page implementation, but all status
       update checks will now require a system call.

Возвращаемое значение (Return value)

Functions with a return value return zero on success.  On error,
       -1 is returned and errno is set appropriately.