selinux January 2010 archive

Re: access decision API

From: michel m <michel.mcgregor_at_nospam>
Date: Sat Jan 30 2010 - 08:33:18 GMT
To: Stephen Smalley <>

As the last question: what I need is to ask the security server whether data residing in userspace that owns a context can be written to a file in the OS. Does it make sense if I do it this way:

    avc_has_perm(data_sid ,file_sid, SECLASS_FILE , null, null)

I am confused, because I guessed that using such a syntax asks whether a process is able to write to a file, but here we are going to check whether data can be *written* to a file.

If everything is OK, how is the action specified, that is, write? Regards.

On Wed, Jan 27, 2010 at 10:03 PM, Stephen Smalley <> wrote:

> On Wed, 2010-01-27 at 18:10 +0330, michel m wrote:
> > Thanks for the guidance, but here I am with a question. What should be
> > used as the object class in avc_has_perm(3) when using it for
> > inter-object? Is there any sample for an inter-object access decision?
> > Can it be null?
> >
> > On the other hand, the access decision taken by avc_has_perm(), does it
> > include MLS too?
> Yes, the avc_has_perm() or security_compute_av() decision takes into
> account all policy models implemented within the security server,
> including RBAC, TE, and MLS.
> --
> Stephen Smalley
> National Security Agency