selinux January 2010 archive

Re: access decision API

From: Stephen Smalley <sds_at_nospam>
Date: Tue Jan 26 2010 - 21:34:01 GMT
To: michel m <michel.mcgregor@gmail.com>


On Wed, 2010-01-27 at 00:50 +0330, michel m wrote:
> Hi,
> I have some data in userspace for which I am keeping its security
> context. But as I want to write this data to some file in the OS, I need to
> consult with the security server if such data is allowed to be written to
> the file.
> I would like to know if there is any API that lets me do such a
> scenario, that is, input source and destination security contexts (both
> of them security contexts, not a domain context) and returns an access
> decision. I am familiar with avc_has_perm(3), but it seems not to be the
> correct solution because it gets a domain context as the first argument.

avc_has_perm() can be used with any pair of security contexts. Typical usage is to pass the security context of a subject/process as the first argument, but not always (e.g. there are some permission checks that control inter-object relationships), and that is not a requirement.

-- 
Stephen Smalley
National Security Agency
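
The check described in the reply above, as an added example that is not part of the original thread or of libselinux: both context strings are mapped to SIDs with avc_context_to_sid() and passed to avc_has_perm(), with no requirement that the first one is a process domain. The name `check_ctx_pair`, the `CHECK_*` result codes and the run-time loading of `libselinux.so.1` are assumptions of this sketch; the result depends on the loaded policy containing a rule for that pair of types.

```c
#include <dlfcn.h>
#include <errno.h>
#include <stddef.h>

/* Added example. libselinux is resolved at run time so this file builds
 * without <selinux/avc.h>; the prototypes mirror that header, with
 * security_id_t handled as an opaque pointer. */
typedef void *sid_t;
typedef unsigned short sclass_t;  /* security_class_t */
typedef unsigned int avmask_t;    /* access_vector_t */
enum { CHECK_ALLOWED, CHECK_DENIED, CHECK_ERROR, CHECK_NO_SELINUX };
#define SYM(fp, name) (*(void **)&(fp) = dlsym(h, name))

/* Ask the userspace AVC whether src_ctx holds `perm` of class `tclass` on
 * dst_ctx. Either context may label an object; neither must be a domain. */
int check_ctx_pair(const char *src_ctx, const char *dst_ctx,
                   const char *tclass, const char *perm)
{
    int (*enabled)(void);
    int (*open_avc)(void *, unsigned);
    void (*destroy)(void);
    int (*to_sid)(const char *, sid_t *);
    sclass_t (*to_class)(const char *);
    avmask_t (*to_perm)(sclass_t, const char *);
    int (*has_perm)(sid_t, sid_t, sclass_t, avmask_t, void *, void *);
    sid_t ssid, tsid;
    sclass_t cls;
    avmask_t av;
    int rc = CHECK_ERROR;
    if (!src_ctx || !dst_ctx || !tclass || !perm) return CHECK_ERROR;
    void *h = dlopen("libselinux.so.1", RTLD_NOW);
    if (!h) return CHECK_NO_SELINUX;
    if (!SYM(enabled, "is_selinux_enabled") || !SYM(open_avc, "avc_open") ||
        !SYM(destroy, "avc_destroy") || !SYM(to_sid, "avc_context_to_sid") ||
        !SYM(to_class, "string_to_security_class") ||
        !SYM(to_perm, "string_to_av_perm") || !SYM(has_perm, "avc_has_perm"))
        goto out;
    if (enabled() <= 0) { rc = CHECK_NO_SELINUX; goto out; }
    if (open_avc(NULL, 0) < 0) goto out;
    cls = to_class(tclass);                   /* 0 if the class is unknown */
    av = cls ? to_perm(cls, perm) : 0;        /* 0 if the permission is unknown */
    if (av && to_sid(src_ctx, &ssid) == 0 && to_sid(dst_ctx, &tsid) == 0) {
        if (has_perm(ssid, tsid, cls, av, NULL, NULL) == 0) rc = CHECK_ALLOWED;
        else if (errno == EACCES) rc = CHECK_DENIED;  /* policy denial */
    }
    destroy();
out:
    dlclose(h);
    return rc;
}
```

A caller would pass the stored data context, the file's context, and a class and permission such as "file" and "write". On glibc older than 2.34 link with `-ldl`.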