RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-01-02 03:32:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

libselinux: Add security_reject_unknown(3) man page

Browse Source 
Commit c19395d722 ("libselinux: selinux_set_mapping: fix handling of unknown
classes/perms") added a new interface security_reject_unknown() which needs to
be documented.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
This commit is contained in:
Petr Lautrbach 2019-03-06 13:58:15 +01:00 committed by Stephen Smalley
parent ee1809f453
commit 486aa7d991
2 changed files with 20 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
libselinux/man/man3/security_getenforce.3
View File

@ -1,6 +1,7 @@
.TH "security_getenforce" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
security_getenforce, security_setenforce, security_deny_unknown, security_get_checkreqprot\- get or set the enforcing state of SELinux
security_getenforce, security_setenforce, security_deny_unknown, security_reject_unknown,
security_get_checkreqprot \- get or set the enforcing state of SELinux
.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
@ -11,6 +12,8 @@ security_getenforce, security_setenforce, security_deny_unknown, security_get_ch
.sp
.B int security_deny_unknown(void);
.sp
.B int security_reject_unknown(void);
.sp
.B int security_get_checkreqprot(void);
.
.SH "DESCRIPTION"
@ -27,6 +30,21 @@ returned.
returns 0 if SELinux treats policy queries on undefined object classes or
permissions as being allowed, 1 if such queries are denied, and \-1 on error.
.BR security_reject_unknown ()
returns 1 if the current policy was built with handle-unknown=reject and SELinux
would reject loading it, if it did not define all kernel object classes and
permissions. In this state, when
.BR selinux_set_mapping()
and
.BR selinux_check_access()
are used with an undefined userspace class or permission, an error is returned
and errno is set to EINVAL.
It returns 0 if the current policy was built with handle-unknown=allow or
handle-unknown=deny. In this state, policy queries are treated according to
.BR security_deny_unknown().
\-1 is returned on error.
.BR security_get_checkreqprot ()
can be used to determine whether SELinux is configured to check the
protection requested by the application or the actual protection that will

1
libselinux/man/man3/security_reject_unknown.3 Normal file
View File

@ -0,0 +1 @@
.so man3/security_getenforce.3