avc_open() initializes the userspace AVC and must be called before
any other AVC operation can be performed.
avc_destroy() destroys the userspace AVC, freeing all internal memory
structures. After this call has been made, avc_open() must be called
again before any AVC operations can be performed.
avc_reset() flushes the userspace AVC, causing it to forget any
cached access decisions. The userspace AVC normally calls this
function automatically when needed, see NETLINK NOTIFICATION below.
avc_cleanup() attempts to free unused memory within the userspace
AVC, but does not flush any cached access decisions. Under normal
operation, calling this function should not be necessary.
The userspace AVC obeys callbacks set via selinux_set_callback(3), in
particular the logging and audit callbacks.
The options which may be passed to avc_open() include the following:
This option forces the userspace AVC into enforcing mode if
the option value is non-NULL; permissive mode otherwise. The
system enforcing mode will be ignored.
Linux kernel version 2.6.37 supports the SELinux kernel status page,
enabling userspace applications to mmap(2) SELinux status state in
read-only mode to avoid system calls during the cache hit code path.
avc_open() calls selinux_status_open(3) to initialize the selinux
avc_has_perm(3) and selinux_check_access(3) both check for status
updates through calls to selinux_status_updated(3) at the start of
each permission query and take the appropriate action.
Two status types are currently implemented. setenforce events will
change the effective enforcing state used within the AVC, and
policyload events will result in a cache flush.
In the event that the kernel status page is not successfully
mmap(2)'ed the AVC will default to the netlink fallback mechanism,
which opens a netlink socket for receiving status updates.
setenforce and policyload events will have the same results as for
the status page implementation, but all status update checks will now
require a system call.
This page is part of the selinux (Security-Enhanced Linux user-space
libraries and tools) project. Information about the project can be
found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩. If you
have a bug report for this manual page, see
page was obtained from the project's upstream Git repository
⟨https://github.com/SELinuxProject/selinux⟩ on 2020-08-13. (At that
time, the date of the most recent commit that was found in the repos‐
itory was 2020-08-11.) If you discover any rendering problems in
this HTML version of the page, or you believe there is a better or
more up-to-date source for the page, or you have corrections or
improvements to the information in this COLOPHON (which is not part
of the original manual page), send a mail to email@example.com
12 Jun 2008 avc_open(3)