Interrogating the SELinux subsystem code-wise
In order to query the SELinux policy, we have seen the use of the sesearch
command and other SELinux utilities. Code-wise, SELinux policies can be queried using the security_compute_av_flags
method.
Getting ready
The curcon
and newcon
variables can be filled in through methods such as getcon()
(for the current context) or get_default_context()
as we have seen in the previous recipe.
How to do it…
As an example, we want to query the transition permission between two process domains. To accomplish this, the following method is used:
- First of all, call the
security_compute_av_flags()
method:struct av_decision avd; rc = security_compute_av_flags(curcon, newcon, SECCLASS_PROCESS, PROCESS__TRANSITION, &avd); if (rc) { … // Method failed. freecon(curcon); freecon(newcon); };
- Now read the response:
if (!(avd.allowed & PROCESS__TRANSITION)) { … // Transition is denied };
- Check whether the current context is a permissive domain...