In order to query the SELinux policy, we have seen the use of the sesearch command and other SELinux utilities. Code-wise, SELinux policies can be queried using the security_compute_av_flags method.
The curcon and newcon variables can be filled in through methods such as getcon() (for the current context) or get_default_context(), as we have seen in the previous recipe.
As an example, we want to query the transition permission between two process domains. To accomplish this, the following method is used:
First of all, call the security_compute_av_flags() method. The rc variable is declared here because the fragment uses it without a declaration:

    struct av_decision avd;
    int rc;

    rc = security_compute_av_flags(curcon, newcon, SECCLASS_PROCESS, PROCESS__TRANSITION, &avd);
    if (rc) {
        … // Method failed.
        freecon(curcon);
        freecon(newcon);
    }
Now read the response:

    if (!(avd.allowed & PROCESS__TRANSITION)) {
        … // Transition is denied.
    }
Check whether the current context is a permissive domain or not:

    if (avd.flags...