man7.org > Linux > man-pages

Linux/UNIX system programming training

avc_open(3) — Linux manual page

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | KERNEL STATUS PAGE | NETLINK NOTIFICATION | RETURN VALUE | AUTHOR | SEE ALSO | COLOPHON 

avc_open(3)             SELinux API documentation             avc_open(3)

NAME         top

       avc_open, avc_destroy, avc_reset, avc_cleanup - userspace SELinux
       AVC setup and teardown

SYNOPSIS         top

       #include <selinux/selinux.h>
       #include <selinux/avc.h>

       int avc_open(const struct selinux_opt *options, unsigned nopt);

       void avc_destroy(void);

       int avc_reset(void);

       void avc_cleanup(void);

DESCRIPTION         top

       avc_open() initializes the userspace AVC and must be called before
       any other AVC operation can be performed.

       avc_destroy() destroys the userspace AVC, freeing all internal
       memory structures.  After this call has been made, avc_open() must
       be called again before any AVC operations can be performed.
       avc_destroy() also closes the SELinux status page, which might
       have been opened manually by selinux_status_open(3).

       avc_reset() flushes the userspace AVC, causing it to forget any
       cached access decisions.  The userspace AVC normally calls this
       function automatically when needed, see NETLINK NOTIFICATION
       below.

       avc_cleanup() attempts to free unused memory within the userspace
       AVC, but does not flush any cached access decisions.  Under normal
       operation, calling this function should not be necessary.

OPTIONS         top

       The userspace AVC obeys callbacks set via selinux_set_callback(3),
       in particular the logging and audit callbacks.

       The options which may be passed to avc_open() include the
       following:

       AVC_OPT_SETENFORCE
              This option forces the userspace AVC into enforcing mode if
              the option value is non-NULL; permissive mode otherwise.
              The system enforcing mode will be ignored.

KERNEL STATUS PAGE         top

       Linux kernel version 2.6.37 supports the SELinux kernel status
       page, enabling userspace applications to mmap(2) SELinux status
       state in read-only mode to avoid system calls during the cache hit
       code path.

       avc_open() calls selinux_status_open(3) to initialize the selinux
       status state.

       avc_has_perm(3) and selinux_check_access(3) both check for status
       updates through calls to selinux_status_updated(3) at the start of
       each permission query and take the appropriate action.

       Two status types are currently implemented.  setenforce events
       will change the effective enforcing state used within the AVC, and
       policyload events will result in a cache flush.

NETLINK NOTIFICATION         top

       In the event that the kernel status page is not successfully
       mmap(2)'ed the AVC will default to the netlink fallback mechanism,
       which opens a netlink socket for receiving status updates.
       setenforce and policyload events will have the same results as for
       the status page implementation, but all status update checks will
       now require a system call.

RETURN VALUE         top

       Functions with a return value return zero on success.  On error,
       -1 is returned and errno is set appropriately.

AUTHOR         top

       Eamon Walsh <ewalsh@tycho.nsa.gov>

SEE ALSO         top

       selinux(8), selinux_check_access(3), avc_has_perm(3),
       avc_context_to_sid(3), avc_cache_stats(3), avc_add_callback(3),
       selinux_status_open(3), selinux_status_updated(3),
       selinux_set_callback(3), security_compute_av(3)

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-
       space libraries and tools) project.  Information about the project
       can be found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩.
       If you have a bug report for this manual page, see
       ⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩.
       This page was obtained from the project's upstream Git repository
       ⟨https://github.com/SELinuxProject/selinux⟩ on 2025-08-11.  (At
       that time, the date of the most recent commit that was found in
       the repository was 2025-08-04.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there is
       a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       man-pages@man7.org

                               12 Jun 2008                    avc_open(3)

Pages that refer to this page: avc_add_callback(3)avc_context_to_sid(3)avc_init(3)avc_netlink_loop(3)

HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface.

For details of in-depth Linux/UNIX system programming training courses that I teach, look here.

Hosting by jambit GmbH.

Cover of TLPI