|
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | FILES | FILE FORMAT | NOTES | SEE ALSO | COLOPHON |
selabel_media(5) SELinux API documentation selabel_media(5)
selabel_media - userspace SELinux labeling interface and configura‐
tion file format for the media contexts backend
#include <selinux/label.h>
int selabel_lookup(struct selabel_handle *hnd,
char **context,
const char *device_name, int unused);
int selabel_lookup_raw(struct selabel_handle *hnd,
char **context,
const char *device_name, int unused);
The media contexts backend maps from media device names such as
"cdrom" or "floppy" into security contexts. It is used to find the
appropriate context for establishing context mounts on these devices.
The returned context must be freed using freecon(3).
selabel_lookup(3) describes the function with its return and error
codes.
The integer lookup argument is currently unused and should be set to
zero.
Any messages generated by selabel_lookup(3) are sent to stderr by
default, although this can be changed by selinux_set_callback(3).
selabel_lookup_raw(3) behaves identically to selabel_lookup(3) but
does not perform context translation.
The FILES section details the configuration files used to determine
the media context.
In addition to the global options described in selabel_open(3), this
backend recognizes the following options:
SELABEL_OPT_PATH
A non-null value for this option specifies a path to a file
that will be opened in lieu of the standard media contexts
file.
The media context file used to retrieve a default context depends on
the SELABEL_OPT_PATH parameter passed to selabel_open(3). If NULL,
then the SELABEL_OPT_PATH value will default to the active policy
media contexts location (as returned by
selinux_media_context_path(3)), otherwise the actual SELABEL_OPT_PATH
value specified is used.
The default media contexts file is:
/etc/selinux/{SELINUXTYPE}/contexts/files/media
Where {SELINUXTYPE} is the entry from the selinux configuration file
config (see selinux_config(5)).
Should there not be a valid entry in the media file, then the default
removable_context file will be read (see removable_context(5)).
Each line within the media file is as follows:
device_name context
Where:
device_name
The media identifier (e.g. cdrom, floppy, disk and
usb).
context
The context to be used for labeling the device.
Example:
# contexts/files/media
cdrom system_u:object_r:removable_device_t
floppy system_u:object_r:removable_device_t
disk system_u:object_r:fixed_disk_device_t
If contexts are to be validated, then the global option
SELABEL_OPT_VALIDATE must be set before calling selabel_open(3). If
this is not set, then it is possible for an invalid context to be
returned.
selinux(8), selabel_open(3), selabel_lookup(3), selabel_stats(3),
selabel_close(3), selinux_set_callback(3),
selinux_media_context_path(3), freecon(3), selinux_config(5),
removable_context(5)
This page is part of the selinux (Security-Enhanced Linux user-space
libraries and tools) project. Information about the project can be
found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩. If you
have a bug report for this manual page, see
⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩. This
page was obtained from the project's upstream Git repository
⟨https://github.com/SELinuxProject/selinux⟩ on 2017-07-05. If you
discover any rendering problems in this HTML version of the page, or
you believe there is a better or more up-to-date source for the page,
or you have corrections or improvements to the information in this
COLOPHON (which is not part of the original manual page), send a mail
to man-pages@man7.org
Security Enhanced Linux 29 Nov 2011 selabel_media(5)
Pages that refer to this page: selabel_open(3), removable_context(5)