selabel_media(5) — Linux manual page


selabel_media(5)        SELinux API documentation       selabel_media(5)

NAME         top

       selabel_media - userspace SELinux labeling interface and
       configuration file format for the media contexts backend

SYNOPSIS         top

       #include <selinux/label.h>

       int selabel_lookup(struct selabel_handle *hnd,
                          char **context,
                          const char *device_name, int unused);

       int selabel_lookup_raw(struct selabel_handle *hnd,
                          char **context,
                          const char *device_name, int unused);

DESCRIPTION         top

       The media contexts backend maps from media device names such as
       "cdrom" or "floppy" into security contexts. It is used to find
       the appropriate context for establishing context mounts on these
       devices. The returned context must be freed using freecon(3).
       selabel_lookup(3) describes the function with its return and
       error codes.

       The integer lookup argument is currently unused and should be set
       to zero.

       Any messages generated by selabel_lookup(3) are sent to stderr by
       default, although this can be changed by selinux_set_callback(3).

       selabel_lookup_raw(3) behaves identically to selabel_lookup(3)
       but does not perform context translation.

       The FILES section details the configuration files used to
       determine the media context.

OPTIONS         top

       In addition to the global options described in selabel_open(3),
       this backend recognizes the following options:

              A non-null value for this option specifies a path to a
              file that will be opened in lieu of the standard media
              contexts file.

FILES         top

       The media context file used to retrieve a default context depends
       on the SELABEL_OPT_PATH parameter passed to selabel_open(3). If
       NULL, then the SELABEL_OPT_PATH value will default to the active
       policy media contexts location (as returned by
       selinux_media_context_path(3)), otherwise the actual
       SELABEL_OPT_PATH value specified is used.

       The default media contexts file is:

       Where {SELINUXTYPE} is the entry from the selinux configuration
       file config (see selinux_config(5)).

FILE FORMAT         top

       Each line within the media file is as follows:
              device_name context

                     The media identifier (e.g. cdrom, floppy, disk and
                     The context to be used for labeling the device.

              # contexts/files/media
              cdrom system_u:object_r:removable_device_t
              floppy system_u:object_r:removable_device_t
              disk system_u:object_r:fixed_disk_device_t

NOTES         top

       If contexts are to be validated, then the global option
       SELABEL_OPT_VALIDATE must be set before calling selabel_open(3).
       If this is not set, then it is possible for an invalid context to
       be returned.

SEE ALSO         top

       selinux(8), selabel_open(3), selabel_lookup(3), selabel_stats(3),
       selabel_close(3), selinux_set_callback(3),
       selinux_media_context_path(3), freecon(3), selinux_config(5)

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-
       space libraries and tools) project.  Information about the
       project can be found at 
       ⟨⟩.  If you have a
       bug report for this manual page, see
       This page was obtained from the project's upstream Git repository
       ⟨⟩ on 2024-06-14.  (At
       that time, the date of the most recent commit that was found in
       the repository was 2023-05-11.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there
       is a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to

Security Enhanced Linux        29 Nov 2011              selabel_media(5)

Pages that refer to this page: selabel_open(3)