selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Petr Lautrbach <plautrba@redhat.com>, selinux@vger.kernel.org
Subject: Re: [PATCH v3] libselinux: Add security_reject_unknown(3) man page
Date: Wed, 6 Mar 2019 08:26:30 -0500	[thread overview]
Message-ID: <d303cc9d-e439-994f-1f98-48c98a6c8866@tycho.nsa.gov> (raw)
In-Reply-To: <20190306125814.22023-1-plautrba@redhat.com>

On 3/6/19 7:58 AM, Petr Lautrbach wrote:
> Commit c19395d72295 ("libselinux: selinux_set_mapping: fix handling of unknown
> classes/perms") added a new interface security_reject_unknown() which needs to
> be documented.
> 
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

> ---
>   libselinux/man/man3/security_getenforce.3     | 20 ++++++++++++++++++-
>   libselinux/man/man3/security_reject_unknown.3 |  1 +
>   2 files changed, 20 insertions(+), 1 deletion(-)
>   create mode 100644 libselinux/man/man3/security_reject_unknown.3
> 
> diff --git a/libselinux/man/man3/security_getenforce.3 b/libselinux/man/man3/security_getenforce.3
> index 29cf3de7..f339b8b0 100644
> --- a/libselinux/man/man3/security_getenforce.3
> +++ b/libselinux/man/man3/security_getenforce.3
> @@ -1,6 +1,7 @@
>   .TH "security_getenforce" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
>   .SH "NAME"
> -security_getenforce, security_setenforce, security_deny_unknown, security_get_checkreqprot\- get or set the enforcing state of SELinux
> +security_getenforce, security_setenforce, security_deny_unknown, security_reject_unknown,
> +security_get_checkreqprot \- get or set the enforcing state of SELinux
>   .
>   .SH "SYNOPSIS"
>   .B #include <selinux/selinux.h>
> @@ -11,6 +12,8 @@ security_getenforce, security_setenforce, security_deny_unknown, security_get_ch
>   .sp
>   .B int security_deny_unknown(void);
>   .sp
> +.B int security_reject_unknown(void);
> +.sp
>   .B int security_get_checkreqprot(void);
>   .
>   .SH "DESCRIPTION"
> @@ -27,6 +30,21 @@ returned.
>   returns 0 if SELinux treats policy queries on undefined object classes or
>   permissions as being allowed, 1 if such queries are denied, and \-1 on error.
>   
> +.BR security_reject_unknown ()
> +returns 1 if the current policy was built with handle-unknown=reject and SELinux
> +would reject loading it, if it did not define all kernel object classes and
> +permissions. In this state, when
> +.BR selinux_set_mapping()
> +and
> +.BR selinux_check_access()
> +are used with an undefined userspace class or permission, an error is returned
> +and errno is set to EINVAL.
> +
> +It returns 0 if the current policy was built with handle-unknown=allow or
> +handle-unknown=deny. In this state, policy queries are treated according to
> +.BR security_deny_unknown().
> +\-1 is returned on error.
> +
>   .BR security_get_checkreqprot ()
>   can be used to determine whether SELinux is configured to check the
>   protection requested by the application or the actual protection that will
> diff --git a/libselinux/man/man3/security_reject_unknown.3 b/libselinux/man/man3/security_reject_unknown.3
> new file mode 100644
> index 00000000..d59e5c2c
> --- /dev/null
> +++ b/libselinux/man/man3/security_reject_unknown.3
> @@ -0,0 +1 @@
> +.so man3/security_getenforce.3
> 


  reply	other threads:[~2019-03-06 13:35 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-03-04 16:37 [PATCH] libselinux: Add security_reject_unknown(3) man page Petr Lautrbach
2019-03-04 18:23 ` Stephen Smalley
2019-03-05  9:12   ` Petr Lautrbach
2019-03-05  9:35     ` [PATCH v2] " Petr Lautrbach
2019-03-05 15:44       ` Stephen Smalley
2019-03-06 12:56         ` Petr Lautrbach
2019-03-06 12:58           ` [PATCH v3] " Petr Lautrbach
2019-03-06 13:26             ` Stephen Smalley [this message]
2019-03-11 15:48               ` Stephen Smalley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d303cc9d-e439-994f-1f98-48c98a6c8866@tycho.nsa.gov \
    --to=sds@tycho.nsa.gov \
    --cc=plautrba@redhat.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).