avc_open(3) — Linux manual page
avc_open(3) SELinux API documentation avc_open(3)
NAME
avc_open, avc_destroy, avc_reset, avc_cleanup - userspace SELinux
AVC setup and teardown
SYNOPSIS
#include <selinux/selinux.h>
#include <selinux/avc.h>
int avc_open(struct selinux_opt *options, unsigned nopt);
void avc_destroy(void);
int avc_reset(void);
void avc_cleanup(void);
DESCRIPTION
avc_open() initializes the userspace AVC and must be called
before any other AVC operation can be performed.
avc_destroy() destroys the userspace AVC, freeing all internal
memory structures. After this call has been made, avc_open()
must be called again before any AVC operations can be performed.
avc_destroy() also closes the SELinux status page, which might
have been opened manually by selinux_status_open(3).
avc_reset() flushes the userspace AVC, causing it to forget any
cached access decisions. The userspace AVC normally calls this
function automatically when needed, see NETLINK NOTIFICATION
below.
avc_cleanup() attempts to free unused memory within the userspace
AVC, but does not flush any cached access decisions. Under
normal operation, calling this function should not be necessary.
OPTIONS
The userspace AVC obeys callbacks set via
selinux_set_callback(3), in particular the logging and audit
callbacks.
The options which may be passed to avc_open() include the
following:
AVC_OPT_SETENFORCE
This option forces the userspace AVC into enforcing mode
if the option value is non-NULL; permissive mode
otherwise. The system enforcing mode will be ignored.
KERNEL STATUS PAGE
Linux kernel version 2.6.37 supports the SELinux kernel status
page, enabling userspace applications to mmap(2) SELinux status
state in read-only mode to avoid system calls during the cache
hit code path.
avc_open() calls selinux_status_open(3) to initialize the selinux
status state.
avc_has_perm(3) and selinux_check_access(3) both check for status
updates through calls to selinux_status_updated(3) at the start
of each permission query and take the appropriate action.
Two status types are currently implemented. setenforce events
will change the effective enforcing state used within the AVC,
and policyload events will result in a cache flush.
NETLINK NOTIFICATION
In the event that the kernel status page is not successfully
mmap(2)'ed the AVC will default to the netlink fallback
mechanism, which opens a netlink socket for receiving status
updates. setenforce and policyload events will have the same
results as for the status page implementation, but all status
update checks will now require a system call.
RETURN VALUE
Functions with a return value return zero on success. On error,
-1 is returned and errno is set appropriately.
AUTHOR
Eamon Walsh <ewalsh@tycho.nsa.gov>
SEE ALSO
selinux(8), selinux_check_access(3), avc_has_perm(3),
avc_context_to_sid(3), avc_cache_stats(3), avc_add_callback(3),
selinux_status_open(3), selinux_status_updated(3),
selinux_set_callback(3), security_compute_av(3)
COLOPHON
This page is part of the selinux (Security-Enhanced Linux user-
space libraries and tools) project. Information about the
project can be found at
⟨https://github.com/SELinuxProject/selinux/wiki⟩. If you have a
bug report for this manual page, see
⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩.
This page was obtained from the project's upstream Git repository
⟨https://github.com/SELinuxProject/selinux⟩ on 2024-06-14. (At
that time, the date of the most recent commit that was found in
the repository was 2023-05-11.) If you discover any rendering
problems in this HTML version of the page, or you believe there
is a better or more up-to-date source for the page, or you have
corrections or improvements to the information in this COLOPHON
(which is not part of the original manual page), send a mail to
man-pages@man7.org
12 Jun 2008 avc_open(3)
Pages that refer to this page: avc_add_callback(3), avc_context_to_sid(3), avc_init(3), avc_netlink_loop(3)