Module lsm

bootc_lib

Module lsm 

Source

Structs§

SetEnforceGuard πŸ”’
A type which will reset SELinux back to enforcing mode when dropped. This is a workaround for the deep difficulties in trying to reliably gain the mac_admin permission (install_t).

Enums§

SELinuxLabelState πŸ”’
The labeling state; β€œunsupported” is distinct as we need to handle cases like the ESP which don’t support labeling.

Constants§

SELF_CURRENT πŸ”’
SELINUXFS πŸ”’
The mount path for selinux
SELINUX_XATTR πŸ”’
The SELinux xattr

Functions§

atomic_replace_labeled πŸ”’
A wrapper for atomically writing a file, also optionally setting a SELinux label.
ensure_dir_labeled πŸ”’
A wrapper for creating a directory, also optionally setting a SELinux label.
ensure_dir_labeled_recurse πŸ”’
Recursively ensure all files under a directory have SELinux labels. Uses the walk API with noxdev and skip_mountpoints to avoid crossing mount point boundaries (e.g. into sysfs, procfs, etc.). The provided skip parameter is a device/inode pair that we will ignore (and not traverse into).
ensure_labeled πŸ”’
Given a policy, ensure the target file path has a security.selinux label. If the path already is labeled, this function is a no-op, even if the policy would default to a different label.
get_current_security_context πŸ”’
Get the current process SELinux security context
has_security_selinux πŸ”’
Query the SELinux labeling for a particular path
have_selinux_policy πŸ”’
Query whether SELinux is apparently enabled in the target root
new_sepolicy_at πŸ”’
A thin wrapper for loading a SELinux policy that maps β€œpolicy nonexistent” to None.
relabel πŸ”’
Given the policy, relabel the target file or directory. Optionally, an override for the path can be provided to set the label as if the target has that filename.
relabel_recurse πŸ”’
Recursively relabel the target directory.
relabel_recurse_inner πŸ”’
require_label πŸ”’
Look up the label for a path in a policy, and error if one is not found.
selinux_enabled πŸ”’
selinux_ensure_install πŸ”’
Ensure that the current process has the capability to write SELinux security contexts unknown to the current policy.
selinux_ensure_install_or_setenforce πŸ”’
Try to enter the install_t domain, but if we can’t do that, then just setenforce 0.
selinux_set_permissive πŸ”’
set_security_selinux πŸ”’
A thin wrapper for invoking fsetxattr(security.selinux)
set_security_selinux_path πŸ”’
Directly set the security.selinux extended attribute on the target path. Symbolic links are not followed for the target.
test_install_t πŸ”’
Check if the current process has the capability to write SELinux security contexts unknown to the current policy. In SELinux terms this capability is gated under mac_admin (admin control over SELinux state), and in the Fedora policy at least it’s part of install_t.
xattrs_have_selinux πŸ”’
Check if the ostree-formatted extended attributes include a security.selinux value.