On Mon, 2013-11-04 at 12:06 -0500, Stephen Smalley wrote:
> XSELinux correctly uses selinux_set_mapping() so that libselinux
> internally creates a mapping from arbitrary class/perm indices used by
> XSELinux and the policy values and handles all of the translation at
> runtime on avc_has_perm() calls.

OK, I see how this works now. It was not obvious at all to me initially that the order of the #defines in XSELinux had to correspond to the security_class_mapping struct array. But then I only discovered while writing a patch to document selinux_set_mapping() that there are man pages now for the libselinux API, and I guess the docs in the headers are not really used anymore?

Anyway, I attached the patch... maybe it'll be useful.
>From e0727b96f8a22f652f881d2d00c88dab90b72285 Mon Sep 17 00:00:00 2001 From: Colin Walters <walters@xxxxxxxxxx> Date: Thu, 7 Nov 2013 14:56:46 -0500 Subject: [PATCH] selinux_set_mapping: Document it This patch may not actually be useful since there's a man page. --- libselinux/include/selinux/selinux.h | 19 +++++++++++++++++++ 1 files changed, 19 insertions(+), 0 deletions(-) diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h index a4079aa..7cc623a 100644 --- a/libselinux/include/selinux/selinux.h +++ b/libselinux/include/selinux/selinux.h @@ -356,6 +356,25 @@ struct security_class_mapping { const char *perms[sizeof(access_vector_t) * 8 + 1]; }; +/** + * selinux_set_mapping - Enable dynamic mapping between integer offsets and security class names + * @map: array of security_class_mapping structures + * + * The core avc_has_perm() API uses integers to represent security + * classes; previous to the introduction of this function, it was + * common for userspace object managers to be compiled using generated + * offsets for a particular policy. However, that strongly ties the build of the userspace components to a particular policy. + * + * By using this function to map between integer offsets and security + * class names, it's possible to replace a system policies that have + * at least the same set of security class names as used by the + * userspace object managers. + * + * To correctly use this function, you should override the generated + * security class defines from the system policy in a local header, + * starting at 1, and have one security_class_mapping structure entry + * per define. + */ extern int selinux_set_mapping(struct security_class_mapping *map); /* Common helpers */ -- 1.7.1
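Review bot: the new comment block never states what `selinux_set_mapping()` returns or when it fails, which is the one thing a caller of an `extern int` function needs from a header comment; add a line giving the return value and the failure case (in particular what happens when a class or permission name in `map` does not exist in the loaded policy), matching whatever the man page already says so the two do not drift apart. Two wording fixes in the same block: "it's possible to replace a system policies that have at least the same set of security class names" should read "it's possible to replace the system policy with one that has at least the same set of security class names", and "previous to the introduction of this function" is clearer as "before this function existed". The line beginning "offsets for a particular policy. However, that strongly ties the build..." is also much longer than the rest of the wrapped comment and should be rewrapped to the same width.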
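The pitfall described in the mail, that the object manager's local class #defines must line up one-for-one with the `security_class_mapping` array (index 1 selects the first entry, index 2 the second, and so on), is easy to get wrong silently when a new class is inserted in the middle of one table but not the other. The following is an added example, not part of this mail, the patch, or libselinux itself: it mirrors the `security_class_mapping` struct from the hunk context (with `access_vector_t` assumed to be `uint32_t`), uses constructed placeholder class and permission names rather than real XSELinux values, reimplements in miniature the index-to-name translation libselinux performs at `avc_has_perm()` time, and adds a consistency check that reports the first local index whose name does not match the mapping array. The check is the part an object manager can run at startup, right before calling the real `selinux_set_mapping()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed typedefs; libselinux defines access_vector_t as a 32-bit value. */
typedef uint32_t access_vector_t;
typedef uint16_t security_class_t;

/* Mirror of struct security_class_mapping from selinux.h (see hunk context). */
struct security_class_mapping {
    const char *name;
    const char *perms[sizeof(access_vector_t) * 8 + 1];
};

/* Local class indices, starting at 1 as the new comment requires.
 * These are constructed placeholders, not real XSELinux values. */
#define LOCAL_CLASS_WINDOW   1
#define LOCAL_CLASS_DRAWABLE 2
#define LOCAL_CLASS_PROPERTY 3

/* Local permission bits for the window class (constructed). */
#define LOCAL_WINDOW__CREATE  0x1u
#define LOCAL_WINDOW__DESTROY 0x2u
#define LOCAL_WINDOW__READ    0x4u

/* One entry per local define, in the same order; NULL name terminates. */
const struct security_class_mapping local_map[] = {
    { "x_window",   { "create", "destroy", "read", NULL } },
    { "x_drawable", { "create", "destroy", NULL } },
    { "x_property", { "create", "read", "write", NULL } },
    { NULL,         { NULL } }
};

/* The same table with the first two rows accidentally swapped: the
 * kind of mistake the consistency check below is meant to catch. */
const struct security_class_mapping swapped_map[] = {
    { "x_drawable", { "create", "destroy", NULL } },
    { "x_window",   { "create", "destroy", "read", NULL } },
    { "x_property", { "create", "read", "write", NULL } },
    { NULL,         { NULL } }
};

/* Local index -> policy class name, as the mapping layer resolves it:
 * index i selects map[i - 1]; 0 and out-of-range indices are invalid. */
const char *local_class_name(const struct security_class_mapping *map,
                             security_class_t cls)
{
    security_class_t n = 0;
    while (map[n].name)
        n++;
    if (cls == 0 || cls > n)
        return NULL;
    return map[cls - 1].name;
}

/* Single permission bit -> policy permission name for a local class.
 * Returns NULL for a multi-bit vector or a bit past the perms[] list. */
const char *local_perm_name(const struct security_class_mapping *map,
                            security_class_t cls, access_vector_t bit)
{
    unsigned idx = 0, i;
    if (!local_class_name(map, cls))
        return NULL;
    if (bit == 0 || (bit & (bit - 1)) != 0)   /* exactly one bit set */
        return NULL;
    while (!(bit & 1u)) {
        bit >>= 1;
        idx++;
    }
    for (i = 0; i <= idx; i++)                /* perms[] is NULL-terminated */
        if (!map[cls - 1].perms[i])
            return NULL;
    return map[cls - 1].perms[idx];
}

/* Expected (local index, class name) pairs, kept beside the defines. */
struct expected_class { security_class_t index; const char *name; };

const struct expected_class expected_classes[] = {
    { LOCAL_CLASS_WINDOW,   "x_window"   },
    { LOCAL_CLASS_DRAWABLE, "x_drawable" },
    { LOCAL_CLASS_PROPERTY, "x_property" },
};

/* Returns 0 if every local index resolves to its expected class name,
 * otherwise the first local index that is missing or mismatched. */
int check_mapping_order(const struct security_class_mapping *map,
                        const struct expected_class *expect, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        const char *actual = local_class_name(map, expect[i].index);
        if (!actual || strcmp(actual, expect[i].name) != 0)
            return expect[i].index;
    }
    return 0;
}

int main(void)
{
    size_t n = sizeof(expected_classes) / sizeof(expected_classes[0]);
    printf("local_map order check: %d (0 = consistent)\n",
           check_mapping_order(local_map, expected_classes, n));
    printf("swapped_map order check: %d (first bad local index)\n",
           check_mapping_order(swapped_map, expected_classes, n));
    printf("LOCAL_CLASS_WINDOW/READ -> %s:%s\n",
           local_class_name(local_map, LOCAL_CLASS_WINDOW),
           local_perm_name(local_map, LOCAL_CLASS_WINDOW, LOCAL_WINDOW__READ));
    return 0;
}
```

In a real object manager the `expected_classes` table would be generated from the same header as the defines, and a non-zero result from `check_mapping_order()` would abort startup before `selinux_set_mapping()` is ever called, so a reordering slip turns into a loud failure rather than permission checks silently being made against the wrong class.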