HTML rendering created 2025-09-06 byMichael Kerrisk, author ofThe Linux Programming Interface. For details of in-depthLinux/UNIX system programming training courses that I teach, lookhere. Hosting byjambit GmbH. |  |
NAME |SYNOPSIS |DESCRIPTION |RETURN VALUE |ERRORS |NOTES |SEE ALSO |COLOPHON | |
selabel_...est_match(3) SELinux API documentationselabel_...est_match(3)selabel_lookup_best_match - obtain a best match SELinux security context - Only supported on file backend.
#include <selinux/selinux.h>#include <selinux/label.h>int selabel_lookup_best_match(struct selabel_handle *hnd,char **context,const char *key,const char **links,inttype);int selabel_lookup_best_match_raw(struct selabel_handle *hnd,char **context,const char *key,const char **links,inttype);
selabel_lookup_best_match() performs a best match lookup operation on the handlehnd, returning the result in the memory pointed to bycontext, which must be freed by the caller usingfreecon(3). Thekey parameter is a file path to check for best match using zero or morelink (aliases) parameters. The order of precedence for best match is: 1. An exact match for the real path (key) or 2. An exact match for any of thelinks (aliases), or 3. The longest fixed prefix match. Thetype parameter is an optional filemode argument that should be set to the mode bits of the file, as determined bylstat(2).mode may be zero, however full matching may not occur.selabel_lookup_best_match_raw() behaves identically toselabel_lookup_best_match() but does not perform context translation.
On success, zero is returned. On error, -1 is returned anderrno is set appropriately.
ENOENTNo context corresponding to the inputkey andtype was found.EINVALThekey and/ortype inputs are invalid, or the context being returned failed validation, or a regular expression in the database failed to compile.ENOMEMAn attempt to allocate memory failed.
Example usage - When a service creates a device node, it may also create one or more symlinks to the device node. These symlinks may be the only stable name for the device, e.g. if the partition is dynamically assigned. The file label backend supports this by looking up the "best match" for a device node based on its real path (key) and anylinks to it (aliases). The order of precedence for best match is described above.
selabel_open(3),selabel_stats(3),selinux_set_callback(3),selinux(8),lstat(2),selabel_file(5)
This page is part of theselinux (Security-Enhanced Linux user- space libraries and tools) project. Information about the project can be found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩. If you have a bug report for this manual page, see ⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩. This page was obtained from the project's upstream Git repository ⟨https://github.com/SELinuxProject/selinux⟩ on 2025-08-11. (At that time, the date of the most recent commit that was found in the repository was 2025-08-04.) If you discover any rendering problems in this HTML version of the page, or you believe there is a better or more up-to-date source for the page, or you have corrections or improvements to the information in this COLOPHON (which isnot part of the original manual page), send a mail to man-pages@man7.orgSecurity Enhanced Linux 05 May 2015selabel_...est_match(3)HTML rendering created 2025-09-06 byMichael Kerrisk, author ofThe Linux Programming Interface. For details of in-depthLinux/UNIX system programming training courses that I teach, lookhere. Hosting byjambit GmbH. | |