avc_open, avc_destroy, avc_reset, avc_cleanup - userspace SELinux AVC setup and teardown.
int avc_open(struct selinux_opt *options, unsigned nopt);
avc_open initializes the userspace AVC and must be called before any other AVC operation can be performed.
avc_destroy destroys the userspace AVC, freeing all internal memory structures. After this call has been made, avc_open must be called again before any AVC operations can be performed.
avc_reset flushes the userspace AVC, causing it to forget any cached access decisions. The userspace AVC normally calls this function automatically when needed, see NETLINK NOTIFICATION below.
avc_cleanup forces the userspace AVC to search for and free all unused SIDs and any access decision entries that refer to them. Normally, the userspace AVC lazily reclaims unused SIDs.
The userspace AVC obeys callbacks set via selinux_set_callback(3), in particular the logging and audit callbacks.
The options which may be passed to avc_open include the following:
AVC_OPT_SETENFORCE This option forces the userspace AVC into enforcing mode if the option value is non-NULL; permissive mode otherwise. The system enforcing mode will be ignored.
Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink. Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively. The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of avc_has_perm(3) to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification. Audit messages are produced when netlink notifications are processed.
Functions with a return value return zero on success. On error, -1 is returned and errno is set appropriately.
Eamon Walsh <email@example.com>
selinux(8), avc_has_perm(3), avc_context_to_sid(3), avc_cache_stats(3), avc_add_callback(3), selinux_set_callback(3), security_compute_av(3)
|avc_open (3)||12 Jun 2008|