NAME<\/a> avc_open, avc_destroy, avc_reset, avc_cleanup \u2212 userspace SELinux AVC setup and teardown<\/p>\n #include int avc_open(struct selinux_opt *<\/b>options<\/i>, unsigned<\/b> nopt<\/i>);<\/b><\/p>\n void avc_destroy(void);<\/b><\/p>\n int avc_reset(void);<\/b><\/p>\n void avc_cleanup(void);<\/b><\/p>\n avc_open<\/b>() initializes the userspace AVC and must be called before any other AVC operation can be performed.<\/p>\n avc_destroy<\/b>() destroys the userspace AVC, freeing all internal memory structures. After this call has been made, avc_open<\/b>() must be called again before any AVC operations can be performed.<\/p>\n avc_reset<\/b>() flushes the userspace AVC, causing it to forget any cached access decisions. The userspace AVC normally calls this function automatically when needed, see NETLINK NOTIFICATION<\/b> below.<\/p>\n avc_cleanup<\/b>() attempts to free unused memory within the userspace AVC, but does not flush any cached access decisions. Under normal operation, calling this function should not be necessary.<\/p>\n The userspace AVC obeys callbacks set via selinux_set_callback<\/b>(3), in particular the logging and audit callbacks.<\/p>\n The options which may be passed to avc_open<\/b>() include the following: This option forces the userspace AVC into enforcing mode if the option value is non-NULL; permissive mode otherwise. The system enforcing mode will be ignored.<\/p>\n Linux kernel version 2.6.37 supports the SELinux kernel status page, enabling userspace applications to mmap<\/b>(2) SELinux status state in read-only mode to avoid system calls during the cache hit code path.<\/p>\n avc_open<\/b>() calls selinux_status_open<\/b>(3) to initialize the selinux status state.<\/p>\n avc_has_perm<\/b>(3) and selinux_check_access<\/b>(3) both check for status updates through calls to selinux_status_updated<\/b>(3) at the start of each permission query and take the appropriate action.<\/p>\n Two status types are currently implemented. setenforce<\/b> events will change the effective enforcing state used within the AVC, and policyload<\/b> events will result in a cache flush.<\/p>\n In the event that the kernel status page is not successfully mmap<\/b>(2)\u2019ed the AVC will default to the netlink fallback mechanism, which opens a netlink socket for receiving status updates. setenforce<\/b> and policyload<\/b> events will have the same results as for the status page implementation, but all status update checks will now require a system call.<\/p>\n Functions with a return value return zero on success. On error, \u22121 is returned and errno<\/i> is set appropriately.<\/p>\n
SYNOPSIS<\/a>
DESCRIPTION<\/a>
OPTIONS<\/a>
KERNEL STATUS PAGE<\/a>
NETLINK NOTIFICATION<\/a>
RETURN VALUE<\/a>
AUTHOR<\/a>
SEE ALSO<\/a> <\/p>\n
\nNAME <\/a> <\/h2>\n
SYNOPSIS <\/a> <\/h2>\n
#include DESCRIPTION <\/a> <\/h2>\n
OPTIONS <\/a> <\/h2>\n
AVC_OPT_SETENFORCE<\/b><\/p>\nKERNEL STATUS PAGE <\/a> <\/h2>\n
NETLINK NOTIFICATION <\/a> <\/h2>\n
RETURN VALUE <\/a> <\/h2>\n
AUTHOR <\/a> <\/h2>\n