Stephen Smalley <sds@xxxxxxxxxxxxx> writes:
On 3/4/19 11:37 AM, Petr Lautrbach wrote:
Commit c19395d7 added a new interface security_reject_unknown()
which needs to
be documented.
Signed-off-by: Petr Lautrbach <plautrba@xxxxxxxxxx>
---
libselinux/man/man3/security_getenforce.3 | 9 ++++++++-
libselinux/man/man3/security_reject_unknown.3 | 1 +
2 files changed, 9 insertions(+), 1 deletion(-)
create mode 100644
libselinux/man/man3/security_reject_unknown.3
diff --git a/libselinux/man/man3/security_getenforce.3
b/libselinux/man/man3/security_getenforce.3
index 29cf3de7..8d72afb6 100644
--- a/libselinux/man/man3/security_getenforce.3
+++ b/libselinux/man/man3/security_getenforce.3
@@ -1,6 +1,7 @@
.TH "security_getenforce" "3" "1 January 2004"
"russell@xxxxxxxxxxxx" "SELinux API documentation"
.SH "NAME"
-security_getenforce, security_setenforce,
security_deny_unknown, security_get_checkreqprot\- get or set
the enforcing state of SELinux
+security_getenforce, security_setenforce,
security_deny_unknown, security_reject_unknown,
+security_get_checkreqprot\- get or set the enforcing state of
SELinux
.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
@@ -11,6 +12,8 @@ security_getenforce, security_setenforce,
security_deny_unknown, security_get_ch
.sp
.B int security_deny_unknown(void);
.sp
+.B int security_reject_unknown(void);
+.sp
.B int security_get_checkreqprot(void);
.
.SH "DESCRIPTION"
@@ -27,6 +30,10 @@ returned.
returns 0 if SELinux treats policy queries on undefined
object classes or
permissions as being allowed, 1 if such queries are denied,
and \-1 on error.
+.BR security_reject_unknown ()
+returns 0 if SELinux allows to load a policy which doesn't
define all object
+classes and permissions, 1 if loading such policy is rejected,
and \-1 on error.
s/all object classes and permissions/all kernel object classes
and permissions/
A policy can still be loaded if it is missing userspace object
classes and
permissions regardless of security_reject_unknown(), although
the object manager
may later encounter a failure upon selinux_set_mapping(), which
internally calls
security_reject_unknown() to decide how to proceed, or direct
attempts to lookup
the class or permission via string_to_security_class() or
string_to_av_perm().
I'll update the text.
I don't know of anyone building policies with handle_unknown ==
reject so it is
unlikely that anyone is testing this case. deny is the default.
allow is set
in Fedora/RHEL. Android uses deny.
We're considering to use handle_unknown = reject for nightly
builds
to detect whether there's a new kernel class or permission defined
in
kernel which is not covered by policy.
+
.BR security_get_checkreqprot ()
can be used to determine whether SELinux is configured to
check the
protection requested by the application or the actual
protection that will
diff --git a/libselinux/man/man3/security_reject_unknown.3
b/libselinux/man/man3/security_reject_unknown.3
new file mode 100644
index 00000000..d59e5c2c
--- /dev/null
+++ b/libselinux/man/man3/security_reject_unknown.3
@@ -0,0 +1 @@
+.so man3/security_getenforce.3
