security_reject_unknown(images) - phpMan

security_getenforce(3)     SELinux API documentation    security_getenforce(3)
NAME
       security_getenforce,  security_setenforce, security_deny_unknown, secu-
       rity_reject_unknown, security_get_checkreqprot - get or set the enforc-
       ing state of SELinux
SYNOPSIS
       #include <selinux/selinux.h>
       int security_getenforce(void);
       int security_setenforce(int value);
       int security_deny_unknown(void);
       int security_reject_unknown(void);
       int security_get_checkreqprot(void);
DESCRIPTION
       security_getenforce()  returns  0  if  SELinux is running in permissive
       mode, 1 if it is running in enforcing mode, and -1 on error.
       security_setenforce() sets SELinux to enforcing mode if the value 1  is
       passed  in,  and sets it to permissive mode if 0 is passed in.  On suc-
       cess 0 is returned, on error -1 is returned.
       security_deny_unknown() returns 0 if SELinux treats policy  queries  on
       undefined  object  classes  or  permissions as being allowed, 1 if such
       queries are denied, and -1 on error.
       security_reject_unknown() returns 1 if the  current  policy  was  built
       with  handle-unknown=reject  and SELinux would reject loading it, if it
       did not define all kernel  object  classes  and  permissions.  In  this
       state,  when  selinux_set_mapping() and selinux_check_access() are used
       with an undefined userspace class or permission, an error  is  returned
       and errno is set to EINVAL.
       It  returns 0 if the current policy was built with handle-unknown=allow
       or handle-unknown=deny. In  this  state,  policy  queries  are  treated
       according to security_deny_unknown().  -1 is returned on error.
       security_get_checkreqprot() can be used to determine whether SELinux is
       configured to check the protection requested by the application or  the
       actual  protection  that  will  be applied by the kernel (including the
       effects of READ_IMPLIES_EXEC) on mmap and mprotect calls.  It returns 0
       if  SELinux  checks the actual protection, 1 if it checks the requested
       protection, and -1 on error.
SEE ALSO
       selinux(8)
russell AT coker.au            1 January 2004          security_getenforce(3)