
selinux_set_mapping(3)     SELinux API documentation    selinux_set_mapping(3)

NAME
       selinux_set_mapping  -  establish  dynamic  object class and permission
       mapping
SYNOPSIS
       #include <selinux/selinux.h>
       struct security_class_mapping {
            const char *name;
            const char *perms[];
       };
       int selinux_set_mapping(struct security_class_mapping *map);
DESCRIPTION
       selinux_set_mapping() establishes a mapping from a user-provided order-
       ing  of  object classes and permissions to the numbers actually used by
       the loaded system policy.  Use of this  function  is  highly  preferred
       over  the  generated  constants in the libselinux header files, as this
       method allows the policy's class and permission values to  change  over
       time.
       After the mapping is established, all libselinux functions that operate
       on class and permission values take the  user-provided  numbers,  which
       are determined as follows:
       The  map argument consists of an array of security_class_mapping struc-
       tures, which must be terminated by  a  structure  having  a  NULL  name
       field.   Except for this last structure, the name field should refer to
       the string name of an object class, and the corresponding  perms  field
       should  refer  to an array of permission bit names terminated by a NULL
       string.
       The object classes named in the mapping and the bit indexes of each set
       of  permission bits named in the mapping are numbered in order starting
       from 1.  These numbers are the values that should be passed  to  subse-
       quent libselinux calls.
RETURN VALUE
       Zero is returned on success.  On error, -1 is returned and errno is set
       appropriately.
ERRORS
       EINVAL One of the class or permission names requested in the mapping is
              not present in the loaded policy.
       ENOMEM An attempt to allocate memory failed.
EXAMPLE
              #include <stdio.h>
              #include <stdlib.h>
              #include <selinux/selinux.h>
              struct security_class_mapping map[] = {
                  { "file", { "create", "unlink", "read", "write", NULL } },
                  { "socket", { "bind", NULL } },
                  { "process", { "signal", NULL } },
                  { NULL }
              };
              int main(void)
              {
                  if (selinux_set_mapping(map) < 0) {
                      perror("selinux_set_mapping"); /* EINVAL: a name is not in the loaded policy */
                      exit(1);
                  }
                  return 0;
              }
       In  this  example,  after the call has succeeded, classes file, socket,
       and process will be identified by 1, 2 and  3,  respectively.   Permis-
       sions  create,  unlink,  read,  and  write (for the file class) will be
       identified by 1, 2, 4, and 8 respectively.  Classes and permissions not
       listed in the mapping cannot be used.
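       To make the numbering rule concrete, the following is an added example
       (not libselinux code) that implements the rule from the DESCRIPTION
       offline: it takes the map from the example above, resolves a class name
       to its 1-based index and a permission name to its bit within that
       class, and checks the map before it would be handed to
       selinux_set_mapping().  The struct is a local copy of the SYNOPSIS
       shape with a fixed-size perms array (32 bits plus the NULL terminator;
       that size is an assumption made so the array can be brace-initialised in
       portable C), and map_class(), map_perm() and check_map() are
       hypothetical helpers, not part of the libselinux API.

```c
/*
 * Added example (not libselinux code): reproduce the numbering that
 * selinux_set_mapping(3) assigns, so the values a program will later pass
 * to libselinux can be derived from the string names.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

typedef uint32_t access_vector_t;   /* assumption: a 32-bit access vector */

/* Local copy of the SYNOPSIS struct; fixed perms[] size is an assumption. */
struct security_class_mapping {
    const char *name;
    const char *perms[sizeof(access_vector_t) * 8 + 1];
};

/* Class number: 1-based position in the map, 0 if the class is unmapped. */
static unsigned map_class(const struct security_class_mapping *map,
                          const char *cls)
{
    for (unsigned i = 0; map[i].name != NULL; i++)
        if (strcmp(map[i].name, cls) == 0)
            return i + 1;
    return 0;
}

/* Permission bit: 1 << (position - 1) within the class's perms list,
 * 0 if either the class or the permission is not in the map. */
static access_vector_t map_perm(const struct security_class_mapping *map,
                                const char *cls, const char *perm)
{
    unsigned c = map_class(map, cls);
    if (c == 0)
        return 0;
    const char *const *p = map[c - 1].perms;
    for (unsigned i = 0; i < sizeof(access_vector_t) * 8 && p[i] != NULL; i++)
        if (strcmp(p[i], perm) == 0)
            return (access_vector_t)1 << i;
    return 0;
}

/* Sanity-check a map before calling selinux_set_mapping(): each class needs
 * at least one permission and no more than fit in an access vector.
 * Returns 0 when the map is well-formed, -1 otherwise. */
static int check_map(const struct security_class_mapping *map)
{
    for (unsigned i = 0; map[i].name != NULL; i++) {
        unsigned n = 0;
        while (n < sizeof(map[i].perms) / sizeof(map[i].perms[0]) &&
               map[i].perms[n] != NULL)
            n++;
        if (n == 0 || n > sizeof(access_vector_t) * 8)
            return -1;
    }
    return 0;
}

/* The map from the EXAMPLE section of the man page. */
static const struct security_class_mapping example_map[] = {
    { "file",    { "create", "unlink", "read", "write", NULL } },
    { "socket",  { "bind", NULL } },
    { "process", { "signal", NULL } },
    { NULL }
};

int main(void)
{
    if (check_map(example_map) < 0) {
        fputs("malformed mapping\n", stderr);
        return 1;
    }
    printf("file=%u socket=%u process=%u\n",
           map_class(example_map, "file"),
           map_class(example_map, "socket"),
           map_class(example_map, "process"));
    printf("file:write=0x%x socket:bind=0x%x\n",
           map_perm(example_map, "file", "write"),
           map_perm(example_map, "socket", "bind"));
    /* A permission the policy defines but the map omits resolves to 0:
     * it cannot be used until it is added to the map. */
    printf("file:getattr=0x%x\n", map_perm(example_map, "file", "getattr"));
    return 0;
}
```

       The real selinux_set_mapping() additionally validates every name
       against the loaded policy (the EINVAL case), which this offline
       example cannot do; on an SELinux system the numbers produced here are
       the class and permission values passed to avc_has_perm(3).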
AUTHOR
       Eamon Walsh <ewalsh AT tycho.gov>
SEE ALSO
       avc_open(3), selinux(8)

                                  12 Jun 2008           selinux_set_mapping(3)