man-pages/man3/security_compute_av.3.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of security_compute_av</TITLE>
</HEAD><BODY>
<H1>security_compute_av</H1>
Section: SELinux API documentation (3)<BR>Updated: 1 January 2004<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>

<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel,
security_compute_member, security_compute_user, security_validatetrans, security_get_initial_context - query
the SELinux policy database in the kernel
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>

<B>#include &lt;<A HREF="file:///usr/include/selinux/selinux.h">selinux/selinux.h</A>&gt;</B>

<P>
<B>int security_compute_av(char *</B><I>scon</I><B>, char *</B><I>tcon</I><B>, security_class_t tclass</B><I>, access_vector_t requested</I><B>, struct av_decision *</B><I>avd</I><B>);</B>

<P>
<B>int security_compute_av_raw(char *</B><I>scon</I><B>, char *</B><I>tcon</I><B>, security_class_t tclass</B><I>, access_vector_t requested</I><B>, struct av_decision *</B><I>avd</I><B>);</B>

<P>
<B>int security_compute_av_flags(char *</B><I>scon</I><B>, char *</B><I>tcon</I><B>, security_class_t tclass</B><I>, access_vector_t requested</I><B>, struct av_decision *</B><I>avd</I><B>);</B>

<P>
<B>int security_compute_av_flags_raw(char *</B><I>scon</I><B>, char *</B><I>tcon</I><B>, security_class_t tclass</B><I>, access_vector_t requested</I><B>, struct av_decision *</B><I>avd</I><B>);</B>

<P>
<B>int security_compute_create(char *</B><I>scon</I><B>, char *</B><I>tcon</I><B>, security_class_t tclass</B><I>, char **</I><B>newcon</B><I>);</I>

<P>
<B>int security_compute_create_raw(char *</B><I>scon</I><B>, char *</B><I>tcon</I><B>, security_class_t tclass</B><I>, char **</I><B>newcon</B><I>);</I>

<P>
<B>int security_compute_create_name(char *</B><I>scon</I><B>, char *</B><I>tcon</I><B>, security_class_t tclass</B><I>, const char *</I><B>objname</B><I>, char **</I><B>newcon</B><I>);</I>

<P>
<B>int security_compute_create_name_raw(char *</B><I>scon</I><B>, char *</B><I>tcon</I><B>, security_class_t tclass</B><I>, const char *</I><B>objname</B><I>, char **</I><B>newcon</B><I>);</I>

<P>
<B>int security_compute_relabel(char *</B><I>scon</I><B>, char *</B><I>tcon</I><B>, security_class_t tclass</B><I>, char **</I><B>newcon</B><I>);</I>

<P>
<B>int security_compute_relabel_raw(char *</B><I>scon</I><B>, char *</B><I>tcon</I><B>, security_class_t tclass</B><I>, char **</I><B>newcon</B><I>);</I>

<P>
<B>int security_compute_member(char *</B><I>scon</I><B>, char *</B><I>tcon</I><B>, security_class_t tclass</B><I>, char **</I><B>newcon</B><I>);</I>

<P>
<B>int security_compute_member_raw(char *</B><I>scon</I><B>, char *</B><I>tcon</I><B>, security_class_t tclass</B><I>, char **</I><B>newcon</B><I>);</I>

<P>
<B>int security_compute_user(char *</B><I>scon</I><B>, const char *</B><I>username</I><B>, char ***</B><I>con</I><B>);</B>

<P>
<B>int security_compute_user_raw(char *</B><I>scon</I><B>, const char *</B><I>username</I><B>, char ***</B><I>con</I><B>);</B>

<P>
<B>int security_validatetrans(char *</B><I>scon</I><B>, const char *</B><I>tcon</I><B>, security_class_t tclass</B><I>, char *</I><B>newcon</B><I>);</I>

<P>
<B>int security_validatetrans_raw(char *</B><I>scon</I><B>, const char *</B><I>tcon</I><B>, security_class_t tclass</B><I>, char *</I><B>newcon</B><I>);</I>

<P>
<B>int security_get_initial_context(const char *</B><I>name</I><B>, char **</B><I>con</I><B>);</B>

<P>
<B>int security_get_initial_context_raw(const char *</B><I>name</I><B>, char **</B><I>con</I><B>);</B>

<P>
<B>int selinux_check_access(const char *</B><I>scon</I><B>, const char *</B><I>tcon</I><B>, const char *</B><I>class</I><B>, const char *</B><I>perm</I><B>, void *</B><I>auditdata);</I>

<P>
<B>int selinux_check_passwd_access(access_vector_t </B><I>requested</I><B>);</B>

<P>
<B>int checkPasswdAccess(access_vector_t </B><I>requested</I><B>);</B>

<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>

<B>security_compute_av</B>()

queries whether the policy permits the source context
<I>scon</I>

to access the target context
<I>tcon</I>

via class
<I>tclass</I>

with the
<I>requested</I>

access vector.  The decision is returned in
<I>avd</I>.

<P>
<B>security_compute_av_flags</B>()

is identical to
<B>security_compute_av</B>

but additionally sets the
<I>flags</I>

field of
<I>avd</I>.

Currently one flag is supported:
<B>SELINUX_AVD_FLAGS_PERMISSIVE</B>,

which indicates the decision is computed on a permissive domain.
<P>
<B>security_compute_create</B>()

is used to compute a context to use for labeling a new object in a particular
class based on a SID pair.
<P>
<B>security_compute_create_name</B>()

is identical to
<B>security_compute_create</B>()

but also takes name of the new object in creation as an argument.
When
<B>TYPE_TRANSITION</B>

rule on the given class and a SID pair has object name extension,
we shall be able to obtain a correct
<I>newcon</I>

according to the security policy. Note that this interface is only
supported on the linux 2.6.40 or later.
In the older kernel, the object name will be simply ignored.
<P>
<B>security_compute_relabel</B>()

is used to compute the new context to use when relabeling an object, it is used
in the pam_selinux.so source and the newrole source to determine the correct
label for the tty at login time, but can be used for other things.
<P>
<B>security_compute_member</B>()

is used to compute the context to use when labeling a polyinstantiated object
instance.
<P>
<B>security_compute_user</B>()

is used to determine the set of user contexts that can be reached from a
source context. It is mainly used by
<B>get_ordered_context_list</B>().

<P>
<B>security_validatetrans</B>()

is used to determine if a transition from scon to newcon using tcon as the object
is valid for object class tclass. This checks against the mlsvalidatetrans and
validatetrans constraints in the loaded policy. Returns 0 if allowed, and -1
if an error occurred with errno set.
<P>
<B>security_get_initial_context</B>()

is used to get the context of a kernel initial security identifier specified by 
<I>name</I>

<P>
<B>security_compute_av_raw</B>(),

<B>security_compute_av_flags_raw</B>(),

<B>security_compute_create_raw</B>(),

<B>security_compute_create_name_raw</B>(),

<B>security_compute_relabel_raw</B>(),

<B>security_compute_member_raw</B>(),

<B>security_compute_user_raw</B>()

<B>security_validatetrans_raw</B>()

and
<B>security_get_initial_context_raw</B>()

behave identically to their non-raw counterparts but do not perform context
translation.
<P>
<B>selinux_check_access</B>()

is used to check if the source context has the access permission for the specified class on the target context.
<P>
<B>selinux_check_passwd_access</B>()

is used to check for a permission in the
<I>passwd</I>

class.
<B>selinux_check_passwd_access</B>()

uses getprevcon() for the source and target security contexts.
<P>
<B>checkPasswdAccess</B>()

is a deprecated alias of the
<B>selinux_check_passwd_access</B>()

function.
<A NAME="lbAE">&nbsp;</A>
<H2>RETURN VALUE</H2>

Returns zero on success or -1 on error.
<A NAME="lbAF">&nbsp;</A>
<H2>SEE ALSO</H2>

<B><A HREF="/cgi-bin/man/man2html?8+selinux">selinux</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?3+getcon">getcon</A></B>(3), <B><A HREF="/cgi-bin/man/man2html?3+getfilecon">getfilecon</A></B>(3), <B><A HREF="/cgi-bin/man/man2html?3+get_ordered_context_list">get_ordered_context_list</A></B>(3)

<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="1"><A HREF="#lbAB">NAME</A><DD>
<DT id="2"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="3"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT id="4"><A HREF="#lbAE">RETURN VALUE</A><DD>
<DT id="5"><A HREF="#lbAF">SEE ALSO</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:05:56 GMT, March 31, 2021
</BODY>
</HTML>