|
|
selabel_media(5) SELinux API documentation selabel_media(5)
NAME
selabel_media - userspace SELinux labeling interface and configuration
file format for the media contexts backend
SYNOPSIS
#include <selinux/label.h>
int selabel_lookup(struct selabel_handle *hnd,
security_context_t *context,
const char *device_name, int unused);
int selabel_lookup_raw(struct selabel_handle *hnd,
security_context_t *context,
const char *device_name, int unused);
DESCRIPTION
The media contexts backend maps from media device names such as "cdrom"
or "floppy" into security contexts. It is used to find the appropriate
context for establishing context mounts on these devices. The returned
context must be freed using freecon(3).
selabel_lookup(3) describes the function with its return and error
codes.
The integer lookup argument is currently unused and should be set to
zero.
Any messages generated by selabel_lookup(3) are sent to stderr by
default, although this can be changed by selinux_set_callback(3).
selabel_lookup_raw(3) behaves identically to selabel_lookup(3) but does
not perform context translation.
The FILES section details the configuration files used to determine the
media context.
OPTIONS
In addition to the global options described in selabel_open(3), this
backend recognizes the following options:
SELABEL_OPT_PATH
A non-null value for this option specifies a path to a file that
will be opened in lieu of the standard media contexts file.
FILES
The media context file used to retrieve a default context depends on
the SELABEL_OPT_PATH parameter passed to selabel_open(3). If NULL, then
the SELABEL_OPT_PATH value will default to the active policy media con‐
texts location (as returned by selinux_media_context_path(3)), other‐
wise the actual SELABEL_OPT_PATH value specified is used.
The default media contexts file is:
/etc/selinux/{SELINUXTYPE}/contexts/files/media
Where {SELINUXTYPE} is the entry from the selinux configuration file
config (see selinux_config(5)).
Should there not be a valid entry in the media file, then the default
removable_context file will be read (see removable_context(5)).
FILE FORMAT
Each line within the media file is as follows:
device_name context
Where:
device_name
The media identifier (e.g. cdrom, floppy, disk and usb).
context
The context to be used for labeling the device.
Example:
# contexts/files/media
cdrom system_u:object_r:removable_device_t
floppy system_u:object_r:removable_device_t
disk system_u:object_r:fixed_disk_device_t
NOTES
If contexts are to be validated, then the global option SELA‐
BEL_OPT_VALIDATE must be set before calling selabel_open(3). If this is
not set, then it is possible for an invalid context to be returned.
SEE ALSO
selinux(8), selabel_open(3), selabel_lookup(3), selabel_stats(3),
selabel_close(3), selinux_set_callback(3),
selinux_media_context_path(3), freecon(3), selinux_config(5),
removable_context(5)
Security Enhanced Linux 29 Nov 2011 selabel_media(5)
[top]
|
Vote for polarhome |
