Some of these are discussed more extensively in other locations, and are here to highlight their nature. These are various special interfaces into the kernel and file system details.
Tip: The shared library libselinux provides an abstraction layer for all of these interfaces. If you are writing an application, use this library instead of trying to access these interfaces directly. To see what is provided with libselinux, run the command rpm -ql libselinux. This lists all the utilities and associated manual pages included with the library.
The special files under /proc/<PID>/attr/ give userspace access to the security context of a process, where <PID> is the process ID of the process you are examining. This access includes both getting and setting security attributes for the process. The pseudo files expose the following attributes for getting and setting:
current — current security context.
prev — the context prior to the last exec, which means the context of the process that called this process.
exec — the context to apply at the next exec.
fscreate — the context to apply to any new files created by this process.
The pseudo file system selinuxfs is mounted at /selinux/. It provides the SELinux policy API for userspace. Some of what libselinux abstracts from this pseudo file system is loading policy, enabling or disabling SELinux, and making AVC checks.
Security contexts for files are stored in the security.selinux extended attribute of the file. This attribute is read whenever a subject requests the SELinux type of a file. Extended attribute support is extremely limited for pseudo file systems at this time. Currently only devpts supports xattrs, but work is ongoing to add support for more pseudo file systems.
As with the other special interfaces, it is recommended to use libselinux to interface with the functions.
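The following is an added example, not code from the page or from libselinux, showing what lies beneath the library abstraction: it reads a process context from /proc/<PID>/attr/ and a file context from the security.selinux extended attribute, parses the user:role:type[:level] string, and treats the failure modes the text mentions (no SELinux on the kernel, no xattr support on a pseudo file system) as "no context" instead of crashing. The function and class names are my own.

```python
import errno
import os
from typing import NamedTuple, Optional


class SELinuxContext(NamedTuple):
    user: str
    role: str
    type: str
    level: Optional[str]  # MLS/MCS range such as "s0-s0:c0.c1023"; None on non-MLS policies


def parse_context(raw: bytes) -> SELinuxContext:
    """Parse a raw context read from the kernel (NUL- or newline-terminated)."""
    text = raw.rstrip(b"\x00\n").decode("utf-8")
    # At most three colons split the mandatory fields; the rest is the level,
    # which itself may contain colons (category set).
    parts = text.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {text!r}")
    user, role, type_ = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return SELinuxContext(user, role, type_, level)


def process_context(pid="self", attr="current") -> Optional[SELinuxContext]:
    """Read /proc/<pid>/attr/<attr> (current, prev, exec, fscreate).

    Returns None when the file is absent, empty, or filled in by a different
    LSM in a format that is not a SELinux context.
    """
    try:
        with open(f"/proc/{pid}/attr/{attr}", "rb") as fh:
            raw = fh.read()
    except OSError:
        return None
    if not raw.rstrip(b"\x00\n"):
        return None
    try:
        return parse_context(raw)
    except ValueError:
        return None


def file_context(path: str) -> Optional[SELinuxContext]:
    """Read the security.selinux xattr; None when the file system lacks xattr
    support (typical for pseudo file systems) or no label is stored."""
    if not hasattr(os, "getxattr"):  # non-Linux platform
        return None
    try:
        raw = os.getxattr(path, "security.selinux")
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return parse_context(raw)
```

On a system without SELinux both reader functions return None, so callers must handle the "unlabeled" case explicitly rather than assume a context is always available.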