26e05da0fc
As discussed in https://bugzilla.redhat.com/show_bug.cgi?id=1219718, there are several inconsistencies between the matchpathcon man page and the implementation. The same is true of the SELABEL_OPT_SUBSET option for the selabel_file backend. Fix the man pages for both. Also note in the man pages that the entire matchpathcon family of functions is deprecated and recommend use of the corresponding selabel interfaces for new code. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
127 lines
3.6 KiB
Groff
.TH "matchpathcon" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation"
.SH "NAME"
matchpathcon, matchpathcon_index \- get the default SELinux security context for the specified path from the file contexts configuration
.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int matchpathcon_init(const char *" path ");"
.sp
.BI "int matchpathcon_init_prefix(const char *" path ", const char *" prefix ");"
.sp
.BI "int matchpathcon_fini(void);"
.sp
.BI "int matchpathcon(const char *" path ", mode_t " mode ", char **" con ");"
.sp
.BI "int matchpathcon_index(const char *" name ", mode_t " mode ", char **" con ");"
.
.SH "DESCRIPTION"

This family of functions is deprecated. For new code, please use
.BR selabel_open (3)
with the
.B SELABEL_CTX_FILE
backend in place of
.BR matchpathcon_init (),
use
.BR selabel_close (3)
in place of
.BR matchpathcon_fini (),
and use
.BR selabel_lookup (3)
in place of
.BR matchpathcon ().

The remaining description below is for the legacy interface.

.BR matchpathcon_init ()
loads the file contexts configuration specified by
.I path
into memory for use by subsequent
.BR matchpathcon ()
calls. If
.I path
is NULL, then the active file contexts configuration is loaded by default,
i.e. the path returned by
.BR selinux_file_context_path (3).
Unless the
.B MATCHPATHCON_BASEONLY
flag has been set via
.BR \%set_matchpathcon_flags (3),
files with the same path prefix but a
.B \%.homedirs
and
.B .local
suffix are also looked up and loaded if present. These files provide
dynamically generated entries for user home directories and for local
customizations.

.BR matchpathcon_init_prefix ()
is the same as
.BR matchpathcon_init ()
but only loads entries with regular expressions whose first pathname
component is a prefix of
.IR \%prefix ,
e.g. pass "/dev" if you only intend to call
.BR matchpathcon ()
with pathnames beginning with /dev.
However, this optimization is no longer necessary due to the use of
.I file_contexts.bin
files with precompiled regular expressions, so use of this interface
is deprecated.

.BR matchpathcon_fini ()
frees the memory allocated by a prior call to
.BR matchpathcon_init ().
This function can be used to free and reset the internal state between multiple
.BR matchpathcon_init ()
calls, or to free memory when finished using
.BR matchpathcon ().

.BR matchpathcon ()
matches the specified
.I pathname,
after transformation via
.BR realpath (3)
excepting any final symbolic link component if S_IFLNK was
specified as the
.I mode,
and
.I mode
against the
.I file contexts
configuration and sets the security context
.I con
to refer to the
resulting context. The caller must free the returned security context
.I con
using
.BR freecon (3)
when finished using it.
.I mode
can be 0 to disable mode matching, but
should be provided whenever possible, as it may affect the matching.
Only the file format bits (i.e. the file type) of the
.I mode
are used.
If
.BR matchpathcon_init ()
has not already been called, then this function will call it upon
its first invocation with a NULL
.I path,
defaulting to the active file contexts configuration.

.BR matchpathcon_index ()
is the same as
.BR matchpathcon ()
but returns a specification index that can later be used in a
.BR matchpathcon_filespec_add (3)
call.
.
.SH "RETURN VALUE"
Returns zero on success or \-1 otherwise.
.
.SH "SEE ALSO"
.ad l
.nh
.BR selinux "(8), " set_matchpathcon_flags "(3), " set_matchpathcon_invalidcon "(3), " set_matchpathcon_printf "(3), " matchpathcon_filespec_add "(3), " matchpathcon_checkmatches "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"