1 #ifndef _SELINUX_H_ 2 #define _SELINUX_H_ 3 4 #include <sys/types.h> 5 #include <stdarg.h> 6 7 #ifdef __cplusplus 8 extern "C" { 9 #endif 10 11 /* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */ 12 extern int is_selinux_enabled(void); 13 /* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */ 14 extern int is_selinux_mls_enabled(void); 15 16 /* No longer used; here for compatibility with legacy callers. */ 17 typedef char *security_context_t; 18 19 /* Free the memory allocated for a context by any of the below get* calls. */ 20 extern void freecon(char * con); 21 22 /* Free the memory allocated for a context array by security_compute_user. */ 23 extern void freeconary(char ** con); 24 25 /* Wrappers for the /proc/pid/attr API. */ 26 27 /* Get current context, and set *con to refer to it. 28 Caller must free via freecon. */ 29 extern int getcon(char ** con); 30 extern int getcon_raw(char ** con); 31 32 /* Set the current security context to con. 33 Note that use of this function requires that the entire application 34 be trusted to maintain any desired separation between the old and new 35 security contexts, unlike exec-based transitions performed via setexeccon. 36 When possible, decompose your application and use setexeccon()+execve() 37 instead. Note that the application may lose access to its open descriptors 38 as a result of a setcon() unless policy allows it to use descriptors opened 39 by the old context. */ 40 extern int setcon(const char * con); 41 extern int setcon_raw(const char * con); 42 43 /* Get context of process identified by pid, and 44 set *con to refer to it. Caller must free via freecon. */ 45 extern int getpidcon(pid_t pid, char ** con); 46 extern int getpidcon_raw(pid_t pid, char ** con); 47 48 /* Get previous context (prior to last exec), and set *con to refer to it. 49 Caller must free via freecon. */ 50 extern int getprevcon(char ** con); 51 extern int getprevcon_raw(char ** con); 52 53 /* Get exec context, and set *con to refer to it. 54 Sets *con to NULL if no exec context has been set, i.e. using default. 55 If non-NULL, caller must free via freecon. */ 56 extern int getexeccon(char ** con); 57 extern int getexeccon_raw(char ** con); 58 59 /* Set exec security context for the next execve. 60 Call with NULL if you want to reset to the default. */ 61 extern int setexeccon(const char * con); 62 extern int setexeccon_raw(const char * con); 63 64 /* Get fscreate context, and set *con to refer to it. 65 Sets *con to NULL if no fs create context has been set, i.e. using default. 66 If non-NULL, caller must free via freecon. */ 67 extern int getfscreatecon(char ** con); 68 extern int getfscreatecon_raw(char ** con); 69 70 /* Set the fscreate security context for subsequent file creations. 71 Call with NULL if you want to reset to the default. */ 72 extern int setfscreatecon(const char * context); 73 extern int setfscreatecon_raw(const char * context); 74 75 /* Get keycreate context, and set *con to refer to it. 76 Sets *con to NULL if no key create context has been set, i.e. using default. 77 If non-NULL, caller must free via freecon. */ 78 extern int getkeycreatecon(char ** con); 79 extern int getkeycreatecon_raw(char ** con); 80 81 /* Set the keycreate security context for subsequent key creations. 82 Call with NULL if you want to reset to the default. */ 83 extern int setkeycreatecon(const char * context); 84 extern int setkeycreatecon_raw(const char * context); 85 86 /* Get sockcreate context, and set *con to refer to it. 87 Sets *con to NULL if no socket create context has been set, i.e. using default. 88 If non-NULL, caller must free via freecon. */ 89 extern int getsockcreatecon(char ** con); 90 extern int getsockcreatecon_raw(char ** con); 91 92 /* Set the sockcreate security context for subsequent socket creations. 93 Call with NULL if you want to reset to the default. */ 94 extern int setsockcreatecon(const char * context); 95 extern int setsockcreatecon_raw(const char * context); 96 97 /* Wrappers for the xattr API. */ 98 99 /* Get file context, and set *con to refer to it. 100 Caller must free via freecon. */ 101 extern int getfilecon(const char *path, char ** con); 102 extern int getfilecon_raw(const char *path, char ** con); 103 extern int lgetfilecon(const char *path, char ** con); 104 extern int lgetfilecon_raw(const char *path, char ** con); 105 extern int fgetfilecon(int fd, char ** con); 106 extern int fgetfilecon_raw(int fd, char ** con); 107 108 /* Set file context */ 109 extern int setfilecon(const char *path, const char * con); 110 extern int setfilecon_raw(const char *path, const char * con); 111 extern int lsetfilecon(const char *path, const char * con); 112 extern int lsetfilecon_raw(const char *path, const char * con); 113 extern int fsetfilecon(int fd, const char * con); 114 extern int fsetfilecon_raw(int fd, const char * con); 115 116 /* Wrappers for the socket API */ 117 118 /* Get context of peer socket, and set *con to refer to it. 119 Caller must free via freecon. */ 120 extern int getpeercon(int fd, char ** con); 121 extern int getpeercon_raw(int fd, char ** con); 122 123 /* Wrappers for the selinuxfs (policy) API. */ 124 125 typedef unsigned int access_vector_t; 126 typedef unsigned short security_class_t; 127 128 struct av_decision { 129 access_vector_t allowed; 130 access_vector_t decided; 131 access_vector_t auditallow; 132 access_vector_t auditdeny; 133 unsigned int seqno; 134 unsigned int flags; 135 }; 136 137 /* Definitions of av_decision.flags */ 138 #define SELINUX_AVD_FLAGS_PERMISSIVE 0x0001 139 140 /* Structure for passing options, used by AVC and label subsystems */ 141 struct selinux_opt { 142 int type; 143 const char *value; 144 }; 145 146 /* Callback facilities */ 147 union selinux_callback { 148 /* log the printf-style format and arguments, 149 with the type code indicating the type of message */ 150 int 151 #ifdef __GNUC__ 152 __attribute__ ((format(printf, 2, 3))) 153 #endif 154 (*func_log) (int type, const char *fmt, ...); 155 /* store a string representation of auditdata (corresponding 156 to the given security class) into msgbuf. */ 157 int (*func_audit) (void *auditdata, security_class_t cls, 158 char *msgbuf, size_t msgbufsize); 159 /* validate the supplied context, modifying if necessary */ 160 int (*func_validate) (char **ctx); 161 /* netlink callback for setenforce message */ 162 int (*func_setenforce) (int enforcing); 163 /* netlink callback for policyload message */ 164 int (*func_policyload) (int seqno); 165 }; 166 167 #define SELINUX_CB_LOG 0 168 #define SELINUX_CB_AUDIT 1 169 #define SELINUX_CB_VALIDATE 2 170 #define SELINUX_CB_SETENFORCE 3 171 #define SELINUX_CB_POLICYLOAD 4 172 173 extern union selinux_callback selinux_get_callback(int type); 174 extern void selinux_set_callback(int type, union selinux_callback cb); 175 176 /* Logging type codes, passed to the logging callback */ 177 #define SELINUX_ERROR 0 178 #define SELINUX_WARNING 1 179 #define SELINUX_INFO 2 180 #define SELINUX_AVC 3 181 #define SELINUX_TRANS_DIR "/var/run/setrans" 182 183 /* Compute an access decision. */ 184 extern int security_compute_av(const char * scon, 185 const char * tcon, 186 security_class_t tclass, 187 access_vector_t requested, 188 struct av_decision *avd); 189 extern int security_compute_av_raw(const char * scon, 190 const char * tcon, 191 security_class_t tclass, 192 access_vector_t requested, 193 struct av_decision *avd); 194 195 extern int security_compute_av_flags(const char * scon, 196 const char * tcon, 197 security_class_t tclass, 198 access_vector_t requested, 199 struct av_decision *avd); 200 extern int security_compute_av_flags_raw(const char * scon, 201 const char * tcon, 202 security_class_t tclass, 203 access_vector_t requested, 204 struct av_decision *avd); 205 206 /* Compute a labeling decision and set *newcon to refer to it. 207 Caller must free via freecon. */ 208 extern int security_compute_create(const char * scon, 209 const char * tcon, 210 security_class_t tclass, 211 char ** newcon); 212 extern int security_compute_create_raw(const char * scon, 213 const char * tcon, 214 security_class_t tclass, 215 char ** newcon); 216 extern int security_compute_create_name(const char * scon, 217 const char * tcon, 218 security_class_t tclass, 219 const char *objname, 220 char ** newcon); 221 extern int security_compute_create_name_raw(const char * scon, 222 const char * tcon, 223 security_class_t tclass, 224 const char *objname, 225 char ** newcon); 226 227 /* Compute a relabeling decision and set *newcon to refer to it. 228 Caller must free via freecon. */ 229 extern int security_compute_relabel(const char * scon, 230 const char * tcon, 231 security_class_t tclass, 232 char ** newcon); 233 extern int security_compute_relabel_raw(const char * scon, 234 const char * tcon, 235 security_class_t tclass, 236 char ** newcon); 237 238 /* Compute a polyinstantiation member decision and set *newcon to refer to it. 239 Caller must free via freecon. */ 240 extern int security_compute_member(const char * scon, 241 const char * tcon, 242 security_class_t tclass, 243 char ** newcon); 244 extern int security_compute_member_raw(const char * scon, 245 const char * tcon, 246 security_class_t tclass, 247 char ** newcon); 248 249 /* Compute the set of reachable user contexts and set *con to refer to 250 the NULL-terminated array of contexts. Caller must free via freeconary. */ 251 extern int security_compute_user(const char * scon, 252 const char *username, 253 char *** con); 254 extern int security_compute_user_raw(const char * scon, 255 const char *username, 256 char *** con); 257 258 /* Load a policy configuration. */ 259 extern int security_load_policy(void *data, size_t len); 260 261 /* Get the context of an initial kernel security identifier by name. 262 Caller must free via freecon */ 263 extern int security_get_initial_context(const char *name, 264 char ** con); 265 extern int security_get_initial_context_raw(const char *name, 266 char ** con); 267 268 /* 269 * Make a policy image and load it. 270 * This function provides a higher level interface for loading policy 271 * than security_load_policy, internally determining the right policy 272 * version, locating and opening the policy file, mapping it into memory, 273 * manipulating it as needed for current boolean settings and/or local 274 * definitions, and then calling security_load_policy to load it. 275 * 276 * 'preservebools' is a boolean flag indicating whether current 277 * policy boolean values should be preserved into the new policy (if 1) 278 * or reset to the saved policy settings (if 0). The former case is the 279 * default for policy reloads, while the latter case is an option for policy 280 * reloads but is primarily for the initial policy load. 281 */ 282 extern int selinux_mkload_policy(int preservebools); 283 284 /* 285 * Perform the initial policy load. 286 * This function determines the desired enforcing mode, sets the 287 * the *enforce argument accordingly for the caller to use, sets the 288 * SELinux kernel enforcing status to match it, and loads the policy. 289 * It also internally handles the initial selinuxfs mount required to 290 * perform these actions. 291 * 292 * The function returns 0 if everything including the policy load succeeds. 293 * In this case, init is expected to re-exec itself in order to transition 294 * to the proper security context. 295 * Otherwise, the function returns -1, and init must check *enforce to 296 * determine how to proceed. If enforcing (*enforce > 0), then init should 297 * halt the system. Otherwise, init may proceed normally without a re-exec. 298 */ 299 extern int selinux_init_load_policy(int *enforce); 300 301 /* Translate boolean strict to name value pair. */ 302 typedef struct { 303 char *name; 304 int value; 305 } SELboolean; 306 /* save a list of booleans in a single transaction. */ 307 extern int security_set_boolean_list(size_t boolcnt, 308 SELboolean * boollist, int permanent); 309 310 /* Load policy boolean settings. 311 Path may be NULL, in which case the booleans are loaded from 312 the active policy boolean configuration file. */ 313 extern int security_load_booleans(char *path); 314 315 /* Check the validity of a security context. */ 316 extern int security_check_context(const char * con); 317 extern int security_check_context_raw(const char * con); 318 319 /* Canonicalize a security context. */ 320 extern int security_canonicalize_context(const char * con, 321 char ** canoncon); 322 extern int security_canonicalize_context_raw(const char * con, 323 char ** canoncon); 324 325 /* Get the enforce flag value. */ 326 extern int security_getenforce(void); 327 328 /* Set the enforce flag value. */ 329 extern int security_setenforce(int value); 330 331 /* Get the load-time behavior for undefined classes/permissions */ 332 extern int security_reject_unknown(void); 333 334 /* Get the runtime behavior for undefined classes/permissions */ 335 extern int security_deny_unknown(void); 336 337 /* Get the checkreqprot value */ 338 extern int security_get_checkreqprot(void); 339 340 /* Disable SELinux at runtime (must be done prior to initial policy load). */ 341 extern int security_disable(void); 342 343 /* Get the policy version number. */ 344 extern int security_policyvers(void); 345 346 /* Get the boolean names */ 347 extern int security_get_boolean_names(char ***names, int *len); 348 349 /* Get the pending value for the boolean */ 350 extern int security_get_boolean_pending(const char *name); 351 352 /* Get the active value for the boolean */ 353 extern int security_get_boolean_active(const char *name); 354 355 /* Set the pending value for the boolean */ 356 extern int security_set_boolean(const char *name, int value); 357 358 /* Commit the pending values for the booleans */ 359 extern int security_commit_booleans(void); 360 361 /* Userspace class mapping support */ 362 struct security_class_mapping { 363 const char *name; 364 const char *perms[sizeof(access_vector_t) * 8 + 1]; 365 }; 366 367 /** 368 * selinux_set_mapping - Enable dynamic mapping between integer offsets and security class names 369 * @map: array of security_class_mapping structures 370 * 371 * The core avc_has_perm() API uses integers to represent security 372 * classes; previous to the introduction of this function, it was 373 * common for userspace object managers to be compiled using generated 374 * offsets for a particular policy. However, that strongly ties the build of the userspace components to a particular policy. 375 * 376 * By using this function to map between integer offsets and security 377 * class names, it's possible to replace a system policies that have 378 * at least the same set of security class names as used by the 379 * userspace object managers. 380 * 381 * To correctly use this function, you should override the generated 382 * security class defines from the system policy in a local header, 383 * starting at 1, and have one security_class_mapping structure entry 384 * per define. 385 */ 386 extern int selinux_set_mapping(struct security_class_mapping *map); 387 388 /* Common helpers */ 389 390 /* Convert between mode and security class values */ 391 extern security_class_t mode_to_security_class(mode_t mode); 392 /* Convert between security class values and string names */ 393 extern security_class_t string_to_security_class(const char *name); 394 extern const char *security_class_to_string(security_class_t cls); 395 396 /* Convert between individual access vector permissions and string names */ 397 extern const char *security_av_perm_to_string(security_class_t tclass, 398 access_vector_t perm); 399 extern access_vector_t string_to_av_perm(security_class_t tclass, 400 const char *name); 401 402 /* Returns an access vector in a string representation. User must free the 403 * returned string via free(). */ 404 extern int security_av_string(security_class_t tclass, 405 access_vector_t av, char **result); 406 407 /* Display an access vector in a string representation. */ 408 extern void print_access_vector(security_class_t tclass, access_vector_t av); 409 410 /* Set the function used by matchpathcon_init when displaying 411 errors about the file_contexts configuration. If not set, 412 then this defaults to fprintf(stderr, fmt, ...). */ 413 extern void set_matchpathcon_printf(void (*f) (const char *fmt, ...)); 414 415 /* Set the function used by matchpathcon_init when checking the 416 validity of a context in the file contexts configuration. If not set, 417 then this defaults to a test based on security_check_context(). 418 The function is also responsible for reporting any such error, and 419 may include the 'path' and 'lineno' in such error messages. */ 420 extern void set_matchpathcon_invalidcon(int (*f) (const char *path, 421 unsigned lineno, 422 char *context)); 423 424 /* Same as above, but also allows canonicalization of the context, 425 by changing *context to refer to the canonical form. If not set, 426 and invalidcon is also not set, then this defaults to calling 427 security_canonicalize_context(). */ 428 extern void set_matchpathcon_canoncon(int (*f) (const char *path, 429 unsigned lineno, 430 char **context)); 431 432 /* Set flags controlling operation of matchpathcon_init or matchpathcon. */ 433 #define MATCHPATHCON_BASEONLY 1 /* Only process the base file_contexts file. */ 434 #define MATCHPATHCON_NOTRANS 2 /* Do not perform any context translation. */ 435 #define MATCHPATHCON_VALIDATE 4 /* Validate/canonicalize contexts at init time. */ 436 extern void set_matchpathcon_flags(unsigned int flags); 437 438 /* Load the file contexts configuration specified by 'path' 439 into memory for use by subsequent matchpathcon calls. 440 If 'path' is NULL, then load the active file contexts configuration, 441 i.e. the path returned by selinux_file_context_path(). 442 Unless the MATCHPATHCON_BASEONLY flag has been set, this 443 function also checks for a 'path'.homedirs file and 444 a 'path'.local file and loads additional specifications 445 from them if present. */ 446 extern int matchpathcon_init(const char *path); 447 448 /* Same as matchpathcon_init, but only load entries with 449 regexes that have stems that are prefixes of 'prefix'. */ 450 extern int matchpathcon_init_prefix(const char *path, const char *prefix); 451 452 /* Free the memory allocated by matchpathcon_init. */ 453 extern void matchpathcon_fini(void); 454 455 /* Resolve all of the symlinks and relative portions of a pathname, but NOT 456 * the final component (same a realpath() unless the final component is a 457 * symlink. Resolved path must be a path of size PATH_MAX + 1 */ 458 extern int realpath_not_final(const char *name, char *resolved_path); 459 460 /* Match the specified pathname and mode against the file contexts 461 configuration and set *con to refer to the resulting context. 462 'mode' can be 0 to disable mode matching. 463 Caller must free via freecon. 464 If matchpathcon_init has not already been called, then this function 465 will call it upon its first invocation with a NULL path. */ 466 extern int matchpathcon(const char *path, 467 mode_t mode, char ** con); 468 469 /* Same as above, but return a specification index for 470 later use in a matchpathcon_filespec_add() call - see below. */ 471 extern int matchpathcon_index(const char *path, 472 mode_t mode, char ** con); 473 474 /* Maintain an association between an inode and a specification index, 475 and check whether a conflicting specification is already associated 476 with the same inode (e.g. due to multiple hard links). If so, then 477 use the latter of the two specifications based on their order in the 478 file contexts configuration. Return the used specification index. */ 479 extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file); 480 481 /* Destroy any inode associations that have been added, e.g. to restart 482 for a new filesystem. */ 483 extern void matchpathcon_filespec_destroy(void); 484 485 /* Display statistics on the hash table usage for the associations. */ 486 extern void matchpathcon_filespec_eval(void); 487 488 /* Check to see whether any specifications had no matches and report them. 489 The 'str' is used as a prefix for any warning messages. */ 490 extern void matchpathcon_checkmatches(char *str); 491 492 /* Match the specified media and against the media contexts 493 configuration and set *con to refer to the resulting context. 494 Caller must free con via freecon. */ 495 extern int matchmediacon(const char *media, char ** con); 496 497 /* 498 selinux_getenforcemode reads the /etc/selinux/config file and determines 499 whether the machine should be started in enforcing (1), permissive (0) or 500 disabled (-1) mode. 501 */ 502 extern int selinux_getenforcemode(int *enforce); 503 504 /* 505 selinux_boolean_sub reads the /etc/selinux/TYPE/booleans.subs_dist file 506 looking for a record with boolean_name. If a record exists selinux_boolean_sub 507 returns the translated name otherwise it returns the original name. 508 The returned value needs to be freed. On failure NULL will be returned. 509 */ 510 extern char *selinux_boolean_sub(const char *boolean_name); 511 512 /* 513 selinux_getpolicytype reads the /etc/selinux/config file and determines 514 what the default policy for the machine is. Calling application must 515 free policytype. 516 */ 517 extern int selinux_getpolicytype(char **policytype); 518 519 /* 520 selinux_policy_root reads the /etc/selinux/config file and returns 521 the directory path under which the compiled policy file and context 522 configuration files exist. 523 */ 524 extern const char *selinux_policy_root(void); 525 526 /* 527 selinux_set_policy_root sets an alternate policy root directory path under 528 which the compiled policy file and context configuration files exist. 529 */ 530 extern int selinux_set_policy_root(const char *rootpath); 531 532 /* These functions return the paths to specific files under the 533 policy root directory. */ 534 extern const char *selinux_current_policy_path(void); 535 extern const char *selinux_binary_policy_path(void); 536 extern const char *selinux_failsafe_context_path(void); 537 extern const char *selinux_removable_context_path(void); 538 extern const char *selinux_default_context_path(void); 539 extern const char *selinux_user_contexts_path(void); 540 extern const char *selinux_file_context_path(void); 541 extern const char *selinux_file_context_homedir_path(void); 542 extern const char *selinux_file_context_local_path(void); 543 extern const char *selinux_file_context_subs_path(void); 544 extern const char *selinux_file_context_subs_dist_path(void); 545 extern const char *selinux_homedir_context_path(void); 546 extern const char *selinux_media_context_path(void); 547 extern const char *selinux_virtual_domain_context_path(void); 548 extern const char *selinux_virtual_image_context_path(void); 549 extern const char *selinux_lxc_contexts_path(void); 550 extern const char *selinux_x_context_path(void); 551 extern const char *selinux_sepgsql_context_path(void); 552 extern const char *selinux_openrc_contexts_path(void); 553 extern const char *selinux_openssh_contexts_path(void); 554 extern const char *selinux_snapperd_contexts_path(void); 555 extern const char *selinux_systemd_contexts_path(void); 556 extern const char *selinux_contexts_path(void); 557 extern const char *selinux_securetty_types_path(void); 558 extern const char *selinux_booleans_subs_path(void); 559 extern const char *selinux_booleans_path(void); 560 extern const char *selinux_customizable_types_path(void); 561 extern const char *selinux_users_path(void); 562 extern const char *selinux_usersconf_path(void); 563 extern const char *selinux_translations_path(void); 564 extern const char *selinux_colors_path(void); 565 extern const char *selinux_netfilter_context_path(void); 566 extern const char *selinux_path(void); 567 568 /** 569 * selinux_check_access - Check permissions and perform appropriate auditing. 570 * @scon: source security context 571 * @tcon: target security context 572 * @tclass: target security class string 573 * @perm: requested permissions string, interpreted based on @tclass 574 * @auditdata: auxiliary audit data 575 * 576 * Check the AVC to determine whether the @perm permissions are granted 577 * for the SID pair (@scon, @tcon), interpreting the permissions 578 * based on @tclass. 579 * Return %0 if all @perm permissions are granted, -%1 with 580 * @errno set to %EACCES if any permissions are denied or to another 581 * value upon other errors. 582 * If auditing or logging is configured the appropriate callbacks will be called 583 * and passed the auditdata field 584 */ 585 extern int selinux_check_access(const char * scon, const char * tcon, const char *tclass, const char *perm, void *auditdata); 586 587 /* Check a permission in the passwd class. 588 Return 0 if granted or -1 otherwise. */ 589 extern int selinux_check_passwd_access(access_vector_t requested); 590 extern int checkPasswdAccess(access_vector_t requested); 591 592 /* Check if the tty_context is defined as a securetty 593 Return 0 if secure, < 0 otherwise. */ 594 extern int selinux_check_securetty_context(const char * tty_context); 595 596 /* Set the path to the selinuxfs mount point explicitly. 597 Normally, this is determined automatically during libselinux 598 initialization, but this is not always possible, e.g. for /sbin/init 599 which performs the initial mount of selinuxfs. */ 600 void set_selinuxmnt(const char *mnt); 601 602 /* Check if selinuxfs exists as a kernel filesystem */ 603 int selinuxfs_exists(void); 604 605 /* clear selinuxmnt variable and free allocated memory */ 606 void fini_selinuxmnt(void); 607 608 /* Set an appropriate security context based on the filename of a helper 609 * program, falling back to a new context with the specified type. */ 610 extern int setexecfilecon(const char *filename, const char *fallback_type); 611 612 #ifndef DISABLE_RPM 613 /* Execute a helper for rpm in an appropriate security context. */ 614 extern int rpm_execcon(unsigned int verified, 615 const char *filename, 616 char *const argv[], char *const envp[]); 617 #endif 618 619 /* Returns whether a file context is customizable, and should not 620 be relabeled . */ 621 extern int is_context_customizable(const char * scontext); 622 623 /* Perform context translation between the human-readable format 624 ("translated") and the internal system format ("raw"). 625 Caller must free the resulting context via freecon. 626 Returns -1 upon an error or 0 otherwise. 627 If passed NULL, sets the returned context to NULL and returns 0. */ 628 extern int selinux_trans_to_raw_context(const char * trans, 629 char ** rawp); 630 extern int selinux_raw_to_trans_context(const char * raw, 631 char ** transp); 632 633 /* Perform context translation between security contexts 634 and display colors. Returns a space-separated list of ten 635 ten hex RGB triples prefixed by hash marks, e.g. "#ff0000". 636 Caller must free the resulting string via free. 637 Returns -1 upon an error or 0 otherwise. */ 638 extern int selinux_raw_context_to_color(const char * raw, 639 char **color_str); 640 641 /* Get the SELinux username and level to use for a given Linux username. 642 These values may then be passed into the get_ordered_context_list* 643 and get_default_context* functions to obtain a context for the user. 644 Returns 0 on success or -1 otherwise. 645 Caller must free the returned strings via free. */ 646 extern int getseuserbyname(const char *linuxuser, char **seuser, char **level); 647 648 /* Get the SELinux username and level to use for a given Linux username and service. 649 These values may then be passed into the get_ordered_context_list* 650 and get_default_context* functions to obtain a context for the user. 651 Returns 0 on success or -1 otherwise. 652 Caller must free the returned strings via free. */ 653 extern int getseuser(const char *username, const char *service, 654 char **r_seuser, char **r_level); 655 656 /* Compare two file contexts, return 0 if equivalent. */ 657 extern int selinux_file_context_cmp(const char * a, 658 const char * b); 659 660 /* 661 * Verify the context of the file 'path' against policy. 662 * Return 1 if match, 0 if not and -1 on error. 663 */ 664 extern int selinux_file_context_verify(const char *path, mode_t mode); 665 666 /* This function sets the file context on to the system defaults returns 0 on success */ 667 extern int selinux_lsetfilecon_default(const char *path); 668 669 /* 670 * Force a reset of the loaded configuration 671 * WARNING: This is not thread safe. Be very sure that no other threads 672 * are calling into libselinux when this is called. 673 */ 674 extern void selinux_reset_config(void); 675 676 #ifdef __cplusplus 677 } 678 #endif 679 #endif 680