Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

security_compute_user(3) [centos man page]

security_compute_av(3)					     SELinux API documentation					    security_compute_av(3)

NAME
security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel, secu- rity_compute_member, security_compute_user, security_get_initial_context - query the SELinux policy database in the kernel SYNOPSIS
#include <selinux/selinux.h> #include <selinux/flask.h> int security_compute_av(security_context_t scon, security_context_t tcon, security_class_t tclass, access_vector_t requested, struct av_decision *avd); int security_compute_av_raw(security_context_t scon, security_context_t tcon, security_class_t tclass, access_vector_t requested, struct av_decision *avd); int security_compute_av_flags(security_context_t scon, security_context_t tcon, security_class_t tclass, access_vector_t requested, struct av_decision *avd); int security_compute_av_flags_raw(security_context_t scon, security_context_t tcon, security_class_t tclass, access_vector_t requested, struct av_decision *avd); int security_compute_create(security_context_t scon, security_context_t tcon, security_class_t tclass, security_context_t *newcon); int security_compute_create_raw(security_context_t scon, security_context_t tcon, security_class_t tclass, security_context_t *newcon); int security_compute_create_name(security_context_t scon, security_context_t tcon, security_class_t tclass, const char *objname, secu- rity_context_t *newcon); int security_compute_create_name_raw(security_context_t scon, security_context_t tcon, security_class_t tclass, const char *objname, secu- rity_context_t *newcon); int security_compute_relabel(security_context_t scon, security_context_t tcon, security_class_t tclass, security_context_t *newcon); int security_compute_relabel_raw(security_context_t scon, security_context_t tcon, security_class_t tclass, security_context_t *newcon); int security_compute_member(security_context_t scon, security_context_t tcon, security_class_t tclass, security_context_t *newcon); int security_compute_member_raw(security_context_t scon, security_context_t tcon, security_class_t tclass, security_context_t *newcon); int security_compute_user(security_context_t scon, const char *username, security_context_t **con); int security_compute_user_raw(security_context_t scon, const char *username, security_context_t **con); int security_get_initial_context(const char *name, security_context_t *con); int security_get_initial_context_raw(const char *name, security_context_t *con); int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *class, const char *perm, void *audit- data); int selinux_check_passwd_access(access_vector_t requested); int checkPasswdAccess(access_vector_t requested); DESCRIPTION
security_compute_av() queries whether the policy permits the source context scon to access the target context tcon via class tclass with the requested access vector. The decision is returned in avd. security_compute_av_flags() is identical to security_compute_av but additionally sets the flags field of avd. Currently one flag is sup- ported: SELINUX_AVD_FLAGS_PERMISSIVE, which indicates the decision is computed on a permissive domain. security_compute_create() is used to compute a context to use for labeling a new object in a particular class based on a SID pair. security_compute_create_name() is identical to security_compute_create() but also takes name of the new object in creation as an argument. When TYPE_TRANSITION rule on the given class and a SID pair has object name extension, we shall be able to obtain a correct newcon accord- ing to the security policy. Note that this interface is only supported on the linux 2.6.40 or later. In the older kernel, the object name will be simply ignored. security_compute_relabel() is used to compute the new context to use when relabeling an object, it is used in the pam_selinux.so source and the newrole source to determine the correct label for the tty at login time, but can be used for other things. security_compute_member() is used to compute the context to use when labeling a polyinstantiated object instance. security_compute_user() is used to determine the set of user contexts that can be reached from a source context. It is mainly used by get_ordered_context_list(). security_get_initial_context() is used to get the context of a kernel initial security identifier specified by name security_compute_av_raw(), security_compute_av_flags_raw(), security_compute_create_raw(), security_compute_create_name_raw(), security_compute_relabel_raw(), security_compute_member_raw(), security_compute_user_raw() and security_get_initial_context_raw() behave identically to their non-raw counterparts but do not perform context translation. selinux_check_access() is used to check if the source context has the access permission for the specified class on the target context. selinux_check_passwd_access() is used to check for a permission in the passwd class. selinux_check_passwd_access() uses getprevcon() for the source and target security contexts. checkPasswdAccess() is a deprecated alias of the selinux_check_passwd_access() function. RETURN VALUE
Returns zero on success or -1 on error. SEE ALSO
selinux(8), getcon(3), getfilecon(3), get_ordered_context_list(3) russell@coker.com.au 1 January 2004 security_compute_av(3)
Man Page

Featured Tech Videos