| Message ID | 20190306125814.22023-1-plautrba@redhat.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [v3] libselinux: Add security_reject_unknown(3) man page | expand |
On 3/6/19 7:58 AM, Petr Lautrbach wrote: > Commit c19395d72295 ("libselinux: selinux_set_mapping: fix handling of unknown > classes/perms") added a new interface security_reject_unknown() which needs to > be documented. > > Signed-off-by: Petr Lautrbach <plautrba@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > libselinux/man/man3/security_getenforce.3 | 20 ++++++++++++++++++- > libselinux/man/man3/security_reject_unknown.3 | 1 + > 2 files changed, 20 insertions(+), 1 deletion(-) > create mode 100644 libselinux/man/man3/security_reject_unknown.3 > > diff --git a/libselinux/man/man3/security_getenforce.3 b/libselinux/man/man3/security_getenforce.3 > index 29cf3de7..f339b8b0 100644 > --- a/libselinux/man/man3/security_getenforce.3 > +++ b/libselinux/man/man3/security_getenforce.3 > @@ -1,6 +1,7 @@ > .TH "security_getenforce" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation" > .SH "NAME" > -security_getenforce, security_setenforce, security_deny_unknown, security_get_checkreqprot\- get or set the enforcing state of SELinux > +security_getenforce, security_setenforce, security_deny_unknown, security_reject_unknown, > +security_get_checkreqprot \- get or set the enforcing state of SELinux > . > .SH "SYNOPSIS" > .B #include <selinux/selinux.h> > @@ -11,6 +12,8 @@ security_getenforce, security_setenforce, security_deny_unknown, security_get_ch > .sp > .B int security_deny_unknown(void); > .sp > +.B int security_reject_unknown(void); > +.sp > .B int security_get_checkreqprot(void); > . > .SH "DESCRIPTION" > @@ -27,6 +30,21 @@ returned. > returns 0 if SELinux treats policy queries on undefined object classes or > permissions as being allowed, 1 if such queries are denied, and \-1 on error. > > +.BR security_reject_unknown () > +returns 1 if the current policy was built with handle-unknown=reject and SELinux > +would reject loading it, if it did not define all kernel object classes and > +permissions. In this state, when > +.BR selinux_set_mapping() > +and > +.BR selinux_check_access() > +are used with an undefined userspace class or permission, an error is returned > +and errno is set to EINVAL. > + > +It returns 0 if the current policy was built with handle-unknown=allow or > +handle-unknown=deny. In this state, policy queries are treated according to > +.BR security_deny_unknown(). > +\-1 is returned on error. > + > .BR security_get_checkreqprot () > can be used to determine whether SELinux is configured to check the > protection requested by the application or the actual protection that will > diff --git a/libselinux/man/man3/security_reject_unknown.3 b/libselinux/man/man3/security_reject_unknown.3 > new file mode 100644 > index 00000000..d59e5c2c > --- /dev/null > +++ b/libselinux/man/man3/security_reject_unknown.3 > @@ -0,0 +1 @@ > +.so man3/security_getenforce.3 >
On 3/6/19 8:26 AM, Stephen Smalley wrote: > On 3/6/19 7:58 AM, Petr Lautrbach wrote: >> Commit c19395d72295 ("libselinux: selinux_set_mapping: fix handling of >> unknown >> classes/perms") added a new interface security_reject_unknown() which >> needs to >> be documented. >> >> Signed-off-by: Petr Lautrbach <plautrba@redhat.com> > > Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Thanks, applied. > >> --- >> libselinux/man/man3/security_getenforce.3 | 20 ++++++++++++++++++- >> libselinux/man/man3/security_reject_unknown.3 | 1 + >> 2 files changed, 20 insertions(+), 1 deletion(-) >> create mode 100644 libselinux/man/man3/security_reject_unknown.3 >> >> diff --git a/libselinux/man/man3/security_getenforce.3 >> b/libselinux/man/man3/security_getenforce.3 >> index 29cf3de7..f339b8b0 100644 >> --- a/libselinux/man/man3/security_getenforce.3 >> +++ b/libselinux/man/man3/security_getenforce.3 >> @@ -1,6 +1,7 @@ >> .TH "security_getenforce" "3" "1 January 2004" >> "russell@coker.com.au" "SELinux API documentation" >> .SH "NAME" >> -security_getenforce, security_setenforce, security_deny_unknown, >> security_get_checkreqprot\- get or set the enforcing state of SELinux >> +security_getenforce, security_setenforce, security_deny_unknown, >> security_reject_unknown, >> +security_get_checkreqprot \- get or set the enforcing state of SELinux >> . >> .SH "SYNOPSIS" >> .B #include <selinux/selinux.h> >> @@ -11,6 +12,8 @@ security_getenforce, security_setenforce, >> security_deny_unknown, security_get_ch >> .sp >> .B int security_deny_unknown(void); >> .sp >> +.B int security_reject_unknown(void); >> +.sp >> .B int security_get_checkreqprot(void); >> . >> .SH "DESCRIPTION" >> @@ -27,6 +30,21 @@ returned. >> returns 0 if SELinux treats policy queries on undefined object >> classes or >> permissions as being allowed, 1 if such queries are denied, and \-1 >> on error. >> +.BR security_reject_unknown () >> +returns 1 if the current policy was built with handle-unknown=reject >> and SELinux >> +would reject loading it, if it did not define all kernel object >> classes and >> +permissions. In this state, when >> +.BR selinux_set_mapping() >> +and >> +.BR selinux_check_access() >> +are used with an undefined userspace class or permission, an error is >> returned >> +and errno is set to EINVAL. >> + >> +It returns 0 if the current policy was built with >> handle-unknown=allow or >> +handle-unknown=deny. In this state, policy queries are treated >> according to >> +.BR security_deny_unknown(). >> +\-1 is returned on error. >> + >> .BR security_get_checkreqprot () >> can be used to determine whether SELinux is configured to check the >> protection requested by the application or the actual protection >> that will >> diff --git a/libselinux/man/man3/security_reject_unknown.3 >> b/libselinux/man/man3/security_reject_unknown.3 >> new file mode 100644 >> index 00000000..d59e5c2c >> --- /dev/null >> +++ b/libselinux/man/man3/security_reject_unknown.3 >> @@ -0,0 +1 @@ >> +.so man3/security_getenforce.3 >> >
diff --git a/libselinux/man/man3/security_getenforce.3 b/libselinux/man/man3/security_getenforce.3 index 29cf3de7..f339b8b0 100644 --- a/libselinux/man/man3/security_getenforce.3 +++ b/libselinux/man/man3/security_getenforce.3 @@ -1,6 +1,7 @@ .TH "security_getenforce" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation" .SH "NAME" -security_getenforce, security_setenforce, security_deny_unknown, security_get_checkreqprot\- get or set the enforcing state of SELinux +security_getenforce, security_setenforce, security_deny_unknown, security_reject_unknown, +security_get_checkreqprot \- get or set the enforcing state of SELinux . .SH "SYNOPSIS" .B #include <selinux/selinux.h> @@ -11,6 +12,8 @@ security_getenforce, security_setenforce, security_deny_unknown, security_get_ch .sp .B int security_deny_unknown(void); .sp +.B int security_reject_unknown(void); +.sp .B int security_get_checkreqprot(void); . .SH "DESCRIPTION" @@ -27,6 +30,21 @@ returned. returns 0 if SELinux treats policy queries on undefined object classes or permissions as being allowed, 1 if such queries are denied, and \-1 on error. +.BR security_reject_unknown () +returns 1 if the current policy was built with handle-unknown=reject and SELinux +would reject loading it, if it did not define all kernel object classes and +permissions. In this state, when +.BR selinux_set_mapping() +and +.BR selinux_check_access() +are used with an undefined userspace class or permission, an error is returned +and errno is set to EINVAL. + +It returns 0 if the current policy was built with handle-unknown=allow or +handle-unknown=deny. In this state, policy queries are treated according to +.BR security_deny_unknown(). +\-1 is returned on error. + .BR security_get_checkreqprot () can be used to determine whether SELinux is configured to check the protection requested by the application or the actual protection that will diff --git a/libselinux/man/man3/security_reject_unknown.3 b/libselinux/man/man3/security_reject_unknown.3 new file mode 100644 index 00000000..d59e5c2c --- /dev/null +++ b/libselinux/man/man3/security_reject_unknown.3 @@ -0,0 +1 @@ +.so man3/security_getenforce.3
Commit c19395d72295 ("libselinux: selinux_set_mapping: fix handling of unknown classes/perms") added a new interface security_reject_unknown() which needs to be documented. Signed-off-by: Petr Lautrbach <plautrba@redhat.com> --- libselinux/man/man3/security_getenforce.3 | 20 ++++++++++++++++++- libselinux/man/man3/security_reject_unknown.3 | 1 + 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 libselinux/man/man3/security_reject_unknown.3