Commit c19395d72295 ("libselinux: selinux_set_mapping: fix handling of unknown
classes/perms") added a new interface security_reject_unknown() which needs to
be documented.
Signed-off-by: Petr Lautrbach <plautrba@xxxxxxxxxx>
---
libselinux/man/man3/security_getenforce.3 | 20 ++++++++++++++++++-
libselinux/man/man3/security_reject_unknown.3 | 1 +
2 files changed, 20 insertions(+), 1 deletion(-)
create mode 100644 libselinux/man/man3/security_reject_unknown.3
diff --git a/libselinux/man/man3/security_getenforce.3 b/libselinux/man/man3/security_getenforce.3
index 29cf3de7..f339b8b0 100644
--- a/libselinux/man/man3/security_getenforce.3
+++ b/libselinux/man/man3/security_getenforce.3
@@ -1,6 +1,7 @@
.TH "security_getenforce" "3" "1 January 2004" "russell@xxxxxxxxxxxx" "SELinux API documentation"
.SH "NAME"
-security_getenforce, security_setenforce, security_deny_unknown, security_get_checkreqprot\- get or set the enforcing state of SELinux
+security_getenforce, security_setenforce, security_deny_unknown, security_reject_unknown,
+security_get_checkreqprot \- get or set the enforcing state of SELinux
.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
@@ -11,6 +12,8 @@ security_getenforce, security_setenforce, security_deny_unknown, security_get_ch
.sp
.B int security_deny_unknown(void);
.sp
+.B int security_reject_unknown(void);
+.sp
.B int security_get_checkreqprot(void);
.
.SH "DESCRIPTION"
@@ -27,6 +30,21 @@ returned.
returns 0 if SELinux treats policy queries on undefined object classes or
permissions as being allowed, 1 if such queries are denied, and \-1 on error.
+.BR security_reject_unknown ()
+returns 1 if the current policy was built with handle-unknown=reject and SELinux
+would reject loading it, if it did not define all kernel object classes and
+permissions. In this state, when
+.BR selinux_set_mapping()
+and
+.BR selinux_check_access()
+are used with an undefined userspace class or permission, an error is returned
+and errno is set to EINVAL.
+
+It returns 0 if the current policy was built with handle-unknown=allow or
+handle-unknown=deny. In this state, policy queries are treated according to
+.BR security_deny_unknown().
+\-1 is returned on error.
+
.BR security_get_checkreqprot ()
can be used to determine whether SELinux is configured to check the
protection requested by the application or the actual protection that will
diff --git a/libselinux/man/man3/security_reject_unknown.3 b/libselinux/man/man3/security_reject_unknown.3
new file mode 100644
index 00000000..d59e5c2c
--- /dev/null
+++ b/libselinux/man/man3/security_reject_unknown.3
@@ -0,0 +1 @@
+.so man3/security_getenforce.3
--
2.20.1
