NAME | SYNOPSIS | DESCRIPTION | OPTIONS | NETLINK NOTIFICATION | RETURN VALUE | AUTHOR | SEE ALSO | COLOPHON

avc_open(3)               SELinux API documentation              avc_open(3)

NAME         top

       avc_open, avc_destroy, avc_reset, avc_cleanup - userspace SELinux AVC
       setup and teardown

SYNOPSIS         top

       #include <selinux/selinux.h>
       #include <selinux/avc.h>

       int avc_open(struct selinux_opt *options, unsigned nopt);

       void avc_destroy(void);

       int avc_reset(void);

       void avc_cleanup(void);

DESCRIPTION         top

       avc_open() initializes the userspace AVC and must be called before
       any other AVC operation can be performed.

       avc_destroy() destroys the userspace AVC, freeing all internal memory
       structures.  After this call has been made, avc_open() must be called
       again before any AVC operations can be performed.

       avc_reset() flushes the userspace AVC, causing it to forget any
       cached access decisions.  The userspace AVC normally calls this
       function automatically when needed, see NETLINK NOTIFICATION below.

       avc_cleanup() attempts to free unused memory within the userspace
       AVC, but does not flush any cached access decisions.  Under normal
       operation, calling this function should not be necessary.

OPTIONS         top

       The userspace AVC obeys callbacks set via selinux_set_callback(3), in
       particular the logging and audit callbacks.

       The options which may be passed to avc_open() include the following:

       AVC_OPT_SETENFORCE
              This option forces the userspace AVC into enforcing mode if
              the option value is non-NULL; permissive mode otherwise.  The
              system enforcing mode will be ignored.

NETLINK NOTIFICATION         top

       Beginning with version 2.6.4, the Linux kernel supports SELinux
       status change notification via netlink.  Two message types are
       currently implemented, indicating changes to the enforcing mode and
       to the loaded policy in the kernel, respectively.  The userspace AVC
       listens for these messages and takes the appropriate action,
       modifying the behavior of avc_has_perm(3) to reflect the current
       enforcing mode and flushing the cache on receipt of a policy load
       notification.  Audit messages are produced when netlink notifications
       are processed.

RETURN VALUE         top

       Functions with a return value return zero on success.  On error, -1
       is returned and errno is set appropriately.

AUTHOR         top

       Eamon Walsh <ewalsh@tycho.nsa.gov>

SEE ALSO         top

       selinux(8), avc_has_perm(3), avc_context_to_sid(3),
       avc_cache_stats(3), avc_add_callback(3), selinux_set_callback(3),
       security_compute_av(3)

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-space
       libraries and tools) project.  Information about the project can be
       found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩.  If you
       have a bug report for this manual page, see 
       ⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩.  This
       page was obtained from the project's upstream Git repository 
       ⟨https://github.com/SELinuxProject/selinux⟩ on 2017-07-05.  If you
       discover any rendering problems in this HTML version of the page, or
       you believe there is a better or more up-to-date source for the page,
       or you have corrections or improvements to the information in this
       COLOPHON (which is not part of the original manual page), send a mail
       to man-pages@man7.org

                                 12 Jun 2008                     avc_open(3)

Pages that refer to this page: avc_add_callback(3)avc_context_to_sid(3)avc_init(3)avc_netlink_loop(3)