SELinux policy management

SELinux policy management — Read SELinux policy and manage filesystem labels

Description

An OstreeSePolicy object can load the SELinux policy from a given root and perform labeling.

Functions

ostree_sepolicy_new ()

OstreeSePolicy *
ostree_sepolicy_new (GFile *path,
                     GCancellable *cancellable,
                     GError **error);

Parameters

path: Path to a root directory
cancellable: Cancellable
error: Error

Returns

An accessor object for SELinux policy in root located at path. [transfer full]


ostree_sepolicy_new_at ()

OstreeSePolicy *
ostree_sepolicy_new_at (int rootfs_dfd,
                        GCancellable *cancellable,
                        GError **error);

Parameters

rootfs_dfd: Directory fd for rootfs (will not be cloned)
cancellable: Cancellable
error: Error

Returns

An accessor object for SELinux policy in root located at rootfs_dfd. [transfer full]

Since: 2017.4


ostree_sepolicy_new_from_commit ()

OstreeSePolicy *
ostree_sepolicy_new_from_commit (OstreeRepo *repo,
                                 const char *rev,
                                 GCancellable *cancellable,
                                 GError **error);

Extract the SELinux policy from a commit object via a partial checkout. This is useful for labeling derived content as separate commits.

This function is the backend of ostree_repo_commit_modifier_set_sepolicy_from_commit().

Parameters

repo: The repo
rev: ostree ref or checksum
cancellable: Cancellable
error: Error

Returns

A new policy. [transfer full]


ostree_sepolicy_get_path ()

GFile *
ostree_sepolicy_get_path (OstreeSePolicy *self);

This API should be considered deprecated: policy objects may be created from file-descriptor-relative paths (as with ostree_sepolicy_new_at()), which are not necessarily globally accessible, so no meaningful path may exist to return.

Parameters

self: A SePolicy object

Returns

Path to rootfs. [transfer none][nullable]


ostree_sepolicy_get_name ()

const char *
ostree_sepolicy_get_name (OstreeSePolicy *self);

Returns

Type of current policy. [transfer none][nullable]


ostree_sepolicy_get_label ()

gboolean
ostree_sepolicy_get_label (OstreeSePolicy *self,
                           const char *relpath,
                           guint32 unix_mode,
                           char **out_label,
                           GCancellable *cancellable,
                           GError **error);

Store in out_label the security context for the given relpath and mode unix_mode. If the policy does not specify a label for that path, NULL is stored in out_label and the call still succeeds.

Parameters

self: Self
relpath: Path
unix_mode: Unix mode
out_label: Return location for security context. [nullable][out][transfer full]
cancellable: Cancellable
error: Error

ostree_sepolicy_get_csum ()

const char *
ostree_sepolicy_get_csum (OstreeSePolicy *self);

Returns

Checksum of current policy. [transfer none][nullable]

Since: 2016.5


ostree_sepolicy_restorecon ()

gboolean
ostree_sepolicy_restorecon (OstreeSePolicy *self,
                            const char *path,
                            GFileInfo *info,
                            GFile *target,
                            OstreeSePolicyRestoreconFlags flags,
                            char **out_new_label,
                            GCancellable *cancellable,
                            GError **error);

Reset the security context of target based on the SELinux policy.

Parameters

self: Self
path: Path string to use for policy lookup
info: File attributes. [nullable]
target: Physical path to target file
flags: Flags controlling behavior
out_new_label: New label, or NULL if unchanged. [nullable][optional][out]
cancellable: Cancellable
error: Error

ostree_sepolicy_setfscreatecon ()

gboolean
ostree_sepolicy_setfscreatecon (OstreeSePolicy *self,
                                const char *path,
                                guint32 mode,
                                GError **error);

Parameters

self: Policy
path: Use this path to determine a label
mode: Used along with path
error: Error

ostree_sepolicy_fscreatecon_cleanup ()

void
ostree_sepolicy_fscreatecon_cleanup (void **unused);

Cleanup function for ostree_sepolicy_setfscreatecon().

Parameters

unused: Not used, just in case you didn't infer that from the parameter name

Types and Values

OstreeSePolicy

typedef struct OstreeSePolicy OstreeSePolicy;

enum OstreeSePolicyRestoreconFlags

Members

OSTREE_SEPOLICY_RESTORECON_FLAGS_NONE
OSTREE_SEPOLICY_RESTORECON_FLAGS_ALLOW_NOLABEL
OSTREE_SEPOLICY_RESTORECON_FLAGS_KEEP_EXISTING
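The following added example (not libostree code) models the two contracts described above, the NULL result of ostree_sepolicy_get_label() when the policy has no rule and the out_new_label / flags behaviour of ostree_sepolicy_restorecon(), against a constructed in-memory policy table. The flag semantics (ALLOW_NOLABEL tolerates a missing rule, KEEP_EXISTING leaves an already-labeled file alone) are assumptions inferred from the member names, and the enum is a local stand-in that only reuses those names.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-in for OstreeSePolicyRestoreconFlags; same member names as the reference. */
typedef enum {
  OSTREE_SEPOLICY_RESTORECON_FLAGS_NONE = 0,
  OSTREE_SEPOLICY_RESTORECON_FLAGS_ALLOW_NOLABEL = 1 << 0,
  OSTREE_SEPOLICY_RESTORECON_FLAGS_KEEP_EXISTING = 1 << 1,
} RestoreconFlags;

/* Constructed stand-in for a file_contexts policy: the longest matching prefix wins. */
struct rule { const char *prefix; const char *label; };
static const struct rule policy[] = {
  { "/usr/bin/",   "system_u:object_r:bin_t:s0" },
  { "/etc/",       "system_u:object_r:etc_t:s0" },
  { "/etc/shadow", "system_u:object_r:shadow_t:s0" },
};

/* Mirrors the ostree_sepolicy_get_label() contract: NULL when no rule covers relpath. */
const char *lookup_label(const char *relpath) {
  const char *best = NULL; size_t best_len = 0;
  for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
    size_t n = strlen(policy[i].prefix);
    if (strncmp(relpath, policy[i].prefix, n) == 0 && n > best_len) {
      best = policy[i].label; best_len = n;
    }
  }
  return best;
}

/* Relabel decision modelled on ostree_sepolicy_restorecon() (assumed flag semantics).
 * Returns 0 on success, -1 on error; *out_new_label is the label to apply, or NULL if unchanged. */
int restorecon_decision(const char *relpath, const char *existing_label,
                        RestoreconFlags flags, const char **out_new_label) {
  const char *label = lookup_label(relpath);
  *out_new_label = NULL;
  if (label == NULL) {
    /* An unlabeled file escapes the intended confinement: refuse unless the caller opted in. */
    return (flags & OSTREE_SEPOLICY_RESTORECON_FLAGS_ALLOW_NOLABEL) ? 0 : -1;
  }
  if ((flags & OSTREE_SEPOLICY_RESTORECON_FLAGS_KEEP_EXISTING) && existing_label != NULL)
    return 0;                      /* keep whatever label the file already carries */
  if (existing_label != NULL && strcmp(existing_label, label) == 0)
    return 0;                      /* already correct: nothing to change */
  *out_new_label = label;          /* the real API would now apply this to the target file */
  return 0;
}
```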