HTML rendering created 2025-09-06 byMichael Kerrisk, author ofThe Linux Programming Interface. For details of in-depthLinux/UNIX system programming training courses that I teach, lookhere. Hosting byjambit GmbH. |  |
NAME |SYNOPSIS |DESCRIPTION |OPTIONS |KERNEL STATUS PAGE |NETLINK NOTIFICATION |RETURN VALUE |AUTHOR |SEE ALSO |COLOPHON | |
avc_open(3) SELinux API documentationavc_open(3)avc_open, avc_destroy, avc_reset, avc_cleanup - userspace SELinux AVC setup and teardown
#include <selinux/selinux.h>#include <selinux/avc.h>int avc_open(const struct selinux_opt *options, unsignednopt);void avc_destroy(void);int avc_reset(void);void avc_cleanup(void);
avc_open() initializes the userspace AVC and must be called before any other AVC operation can be performed.avc_destroy() destroys the userspace AVC, freeing all internal memory structures. After this call has been made,avc_open() must be called again before any AVC operations can be performed.avc_destroy() also closes the SELinux status page, which might have been opened manually byselinux_status_open(3).avc_reset() flushes the userspace AVC, causing it to forget any cached access decisions. The userspace AVC normally calls this function automatically when needed, seeNETLINK NOTIFICATION below.avc_cleanup() attempts to free unused memory within the userspace AVC, but does not flush any cached access decisions. Under normal operation, calling this function should not be necessary.
The userspace AVC obeys callbacks set viaselinux_set_callback(3), in particular the logging and audit callbacks. The options which may be passed toavc_open() include the following:AVC_OPT_SETENFORCE This option forces the userspace AVC into enforcing mode if the option value is non-NULL; permissive mode otherwise. The system enforcing mode will be ignored.
Linux kernel version 2.6.37 supports the SELinux kernel status page, enabling userspace applications tommap(2) SELinux status state in read-only mode to avoid system calls during the cache hit code path.avc_open() callsselinux_status_open(3) to initialize the selinux status state.avc_has_perm(3) andselinux_check_access(3) both check for status updates through calls toselinux_status_updated(3) at the start of each permission query and take the appropriate action. Two status types are currently implemented.setenforceevents will change the effective enforcing state used within the AVC, andpolicyloadevents will result in a cache flush.
In the event that the kernel status page is not successfullymmap(2)'ed the AVC will default to the netlink fallback mechanism, which opens a netlink socket for receiving status updates.setenforceandpolicyloadevents will have the same results as for the status page implementation, but all status update checks will now require a system call.
Functions with a return value return zero on success. On error, -1 is returned anderrno is set appropriately.
Eamon Walsh <ewalsh@tycho.nsa.gov>
selinux(8),selinux_check_access(3),avc_has_perm(3),avc_context_to_sid(3),avc_cache_stats(3),avc_add_callback(3),selinux_status_open(3),selinux_status_updated(3),selinux_set_callback(3),security_compute_av(3)
This page is part of theselinux (Security-Enhanced Linux user- space libraries and tools) project. Information about the project can be found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩. If you have a bug report for this manual page, see ⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩. This page was obtained from the project's upstream Git repository ⟨https://github.com/SELinuxProject/selinux⟩ on 2025-08-11. (At that time, the date of the most recent commit that was found in the repository was 2025-08-04.) If you discover any rendering problems in this HTML version of the page, or you believe there is a better or more up-to-date source for the page, or you have corrections or improvements to the information in this COLOPHON (which isnot part of the original manual page), send a mail to man-pages@man7.org 12 Jun 2008avc_open(3)Pages that refer to this page:avc_add_callback(3), avc_context_to_sid(3), avc_init(3), avc_netlink_loop(3)
HTML rendering created 2025-09-06 byMichael Kerrisk, author ofThe Linux Programming Interface. For details of in-depthLinux/UNIX system programming training courses that I teach, lookhere. Hosting byjambit GmbH. | |