|
HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|
|
NAME | SYNOPSIS | DESCRIPTION | RETURN VALUE | ERRORS | EXAMPLE | AUTHOR | SEE ALSO | COLOPHON |
|
|
|
selinux_set_mapping(3) SELinux API documentation selinux_set_mapping(3)
selinux_set_mapping - establish dynamic object class and
permission mapping
#include <selinux/selinux.h>
struct security_class_mapping {
const char *name;
const char *perms[];
};
int selinux_set_mapping(const struct security_class_mapping *map);
selinux_set_mapping() establishes a mapping from a user-provided
ordering of object classes and permissions to the numbers actually
used by the loaded system policy. If using this function,
applications should also set a SELINUX_CB_POLICYLOAD callback via
selinux_set_callback(3) that calls this function again upon a
policy reload to re-create the mapping in case the class or
permission values change in the new policy. Generally it is
preferred to instead use selinux_check_access(3) instead of
avc_has_perm(3) or security_compute_av(3) and not use this
function at all.
After the mapping is established, all libselinux functions that
operate on class and permission values take the user-provided
numbers, which are determined as follows:
The map argument consists of an array of security_class_mapping
structures, which must be terminated by a structure having a NULL
name field. Except for this last structure, the name field should
refer to the string name of an object class, and the corresponding
perms field should refer to an array of permission bit names
terminated by a NULL string.
The object classes named in the mapping and the bit indexes of
each set of permission bits named in the mapping are numbered in
order starting from 1. These numbers are the values that should
be passed to subsequent libselinux calls.
Zero is returned on success. On error, -1 is returned and errno
is set appropriately.
EINVAL One of the class or permission names requested in the
mapping is not present in the loaded policy.
ENOMEM An attempt to allocate memory failed.
struct security_class_mapping map[] = {
{ "file", { "create", "unlink", "read", "write", NULL } },
{ "socket", { "bind", NULL } },
{ "process", { "signal", NULL } },
{ NULL }
};
if (selinux_set_mapping(map) < 0)
exit(1);
In this example, after the call has succeeded, classes file,
socket, and process will be identified by 1, 2 and 3,
respectively. Permissions create, unlink, read, and write (for
the file class) will be identified by 1, 2, 4, and 8 respectively.
Classes and permissions not listed in the mapping cannot be used.
Originally Eamon Walsh. Updated by Stephen Smalley
<[email protected]>
selinux_check_access(3), selinux_set_callback(3), avc_has_perm(3),
selinux(8)
This page is part of the selinux (Security-Enhanced Linux user-
space libraries and tools) project. Information about the project
can be found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩.
If you have a bug report for this manual page, see
⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩.
This page was obtained from the project's upstream Git repository
⟨https://github.com/SELinuxProject/selinux⟩ on 2025-08-11. (At
that time, the date of the most recent commit that was found in
the repository was 2025-08-04.) If you discover any rendering
problems in this HTML version of the page, or you believe there is
a better or more up-to-date source for the page, or you have
corrections or improvements to the information in this COLOPHON
(which is not part of the original manual page), send a mail to
[email protected]
12 Jun 2008 selinux_set_mapping(3)
Pages that refer to this page: avc_has_perm(3), security_compute_av(3)
|
HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|