selinux_set_mapping(3) — Linux manual page


selinux_set_mapping(3)    SELinux API documentation   selinux_set_mapping(3)

NAME         top

       selinux_set_mapping  -  establish dynamic object class and permission

SYNOPSIS         top

       #include <selinux/selinux.h>

       struct security_class_mapping {
            const char *name;
            const char *perms[];

       int selinux_set_mapping(struct security_class_mapping *map);

DESCRIPTION         top

       selinux_set_mapping() establishes a mapping from a user-provided
       ordering of object classes and permissions to the numbers actually
       used by the loaded system policy. If using this function,
       applications should also set a SELINUX_CB_POLICYLOAD callback via
       selinux_set_callback(3) that calls this function again upon a policy
       reload to re-create the mapping in case the class or permission
       values change in the new policy.  Generally it is preferred to
       instead use selinux_check_access(3) instead of avc_has_perm(3) or
       security_compute_av(3) and not use this function at all.

       After the mapping is established, all libselinux functions that
       operate on class and permission values take the user-provided
       numbers, which are determined as follows:

       The map argument consists of an array of security_class_mapping
       structures, which must be terminated by a structure having a NULL
       name field.  Except for this last structure, the name field should
       refer to the string name of an object class, and the corresponding
       perms field should refer to an array of permission bit names
       terminated by a NULL string.

       The object classes named in the mapping and the bit indexes of each
       set of permission bits named in the mapping are numbered in order
       starting from 1.  These numbers are the values that should be passed
       to subsequent libselinux calls.

RETURN VALUE         top

       Zero is returned on success.  On error, -1 is returned and errno is
       set appropriately.

ERRORS         top

       EINVAL One of the class or permission names requested in the mapping
              is not present in the loaded policy.

       ENOMEM An attempt to allocate memory failed.

EXAMPLE         top

              struct security_class_mapping map[] = {
                  { "file", { "create", "unlink", "read", "write", NULL } },
                  { "socket", { "bind", NULL } },
                  { "process", { "signal", NULL } },
                  { NULL }

              if (selinux_set_mapping(map) < 0)

       In this example, after the call has succeeded, classes file, socket,
       and process will be identified by 1, 2 and 3, respectively.
       Permissions create, unlink, read, and write (for the file class) will
       be identified by 1, 2, 4, and 8 respectively.  Classes and
       permissions not listed in the mapping cannot be used.

AUTHOR         top

       Originally Eamon Walsh.  Updated by Stephen Smalley

SEE ALSO         top

       selinux_check_access(3), selinux_set_callback(3), avc_has_perm(3),

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-space
       libraries and tools) project.  Information about the project can be
       found at ⟨⟩.  If you
       have a bug report for this manual page, see
       ⟨⟩.  This
       page was obtained from the project's upstream Git repository
       ⟨⟩ on 2020-09-18.  (At that
       time, the date of the most recent commit that was found in the repos‐
       itory was 2020-09-17.)  If you discover any rendering problems in
       this HTML version of the page, or you believe there is a better or
       more up-to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not part
       of the original manual page), send a mail to

                                 12 Jun 2008          selinux_set_mapping(3)

Pages that refer to this page: avc_audit(3)avc_entry_ref_init(3)avc_has_perm(3)avc_has_perm_noaudit(3)checkpasswdaccess(3)checkPasswdAccess(3)security_compute_av(3)security_compute_av_flags(3)security_compute_av_flags_raw(3)security_compute_av_raw(3)security_compute_create(3)security_compute_create_name(3)security_compute_create_name_raw(3)security_compute_create_raw(3)security_compute_member(3)security_compute_member_raw(3)security_compute_relabel(3)security_compute_relabel_raw(3)security_compute_user(3)security_compute_user_raw(3)security_get_initial_context(3)security_get_initial_context_raw(3)security_validatetrans(3)selinux_check_access(3)selinux_check_passwd_access(3)