
NOTE: CentOS Enterprise Linux is built from the Red Hat Enterprise Linux source code. Other than logo and name changes CentOS Enterprise Linux is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux.

2.12. Special Interfaces and File Systems

These are various special interfaces into the kernel and into file system details. Some of them are discussed more extensively elsewhere in this guide; they are listed here to highlight their nature.

Tip

The shared library libselinux provides an abstraction layer for all of these interfaces. If you are writing an application, use this library instead of trying to access these interfaces directly. To see what is provided with libselinux, run the command rpm -ql libselinux. This lists every file installed by the package, including the utilities and their associated manual pages.

  • The special files under /proc/<PID>/attr/ give userspace access to the security context information of a process, where <PID> is the process ID of the process you are examining. This access includes getting and setting security attributes for the process. These pseudo files expose getting and setting of:

    • current — the current security context.

    • prev — the context prior to the last exec, which means the context of the process that called this process.

    • exec — the context to apply at the next exec.

    • fscreate — the context to apply to any new files created by this process.

  • The pseudo file system selinuxfs is mounted at /selinux/. It provides the SELinux policy API for userspace. Among the operations that libselinux abstracts over this pseudo file system are loading policy, enabling or disabling SELinux, and making AVC checks.

  • Security file contexts are stored in the value of the security.selinux extended attribute of the file. This attribute is read whenever a subject requests the SELinux type of a file. Extended attribute support is extremely limited for pseudo file systems at this time. Currently only devpts has support for xattrs, but work is ongoing to add support for more pseudo file systems.

    As with the other special interfaces, it is recommended to use libselinux rather than accessing the attribute directly.
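The following shell functions are an added example, not code from the original guide or from libselinux, showing how the per-process attribute files of the first item above can be read directly. The attribute file names (current, prev, exec, fscreate) are the kernel's; the function names and the parameterised attribute root (so the same code runs against /proc on a live system or against a constructed directory offline) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): read the per-process SELinux
# attribute files that /proc/<PID>/attr/ exposes, without going through
# libselinux. The attribute root is a parameter so the same function can be
# pointed at /proc on a live system or at a constructed directory for tests.

# Print name=value for each attribute file of one process.
# Usage: proc_attr_context <attr-root> <pid>
#   live system: proc_attr_context /proc "$$"
proc_attr_context() {
    root=$1
    pid=$2
    dir="$root/$pid/attr"
    if [ ! -d "$dir" ]; then
        echo "no attr directory for pid $pid under $root" >&2
        return 1
    fi
    for name in current prev exec fscreate; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            printf '%s=(unavailable)\n' "$name"
            continue
        fi
        # The kernel returns the context with no trailing newline; exec and
        # fscreate read back empty when no context has been set for them.
        # On a kernel without SELinux the read itself fails (EINVAL).
        if val=$(tr -d '\0' < "$f" 2>/dev/null); then
            printf '%s=%s\n' "$name" "${val:-(unset)}"
        else
            printf '%s=(unreadable)\n' "$name"
        fi
    done
}

# Split a context string into its fields: user:role:type:range.
# Usage: context_field <context> <user|role|type|range>
context_field() {
    ctx=$1
    case $2 in
        user)  printf '%s\n' "${ctx%%:*}" ;;
        role)  rest=${ctx#*:};   printf '%s\n' "${rest%%:*}" ;;
        type)  rest=${ctx#*:*:}; printf '%s\n' "${rest%%:*}" ;;
        range) printf '%s\n' "${ctx#*:*:*:}" ;;      # keeps MLS ranges intact
        *)     return 1 ;;
    esac
}
```

On a live SELinux system, `proc_attr_context /proc "$$"` shows the calling shell's own context; the `prev`, `exec` and `fscreate` entries are usually what reveal a domain transition or a pending one, which is the detail worth logging when auditing how a daemon was started.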
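For the selinuxfs item above, here is an added example (not from the original guide or from libselinux) that reads the enforcement mode and two policy facts straight from the selinuxfs nodes. The node names enforce, mls and policyvers are real selinuxfs entries; the mount point is passed in because it is /selinux on the Red Hat release this guide describes and /sys/fs/selinux on current kernels. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): query SELinux state from the
# selinuxfs mount, which is what libselinux does underneath functions such as
# is_selinux_enabled() and security_getenforce(). Read-only: nothing here
# writes to the policy API.

# Usage: selinux_mode <mount-point>
# Prints one of: disabled (no selinuxfs nodes), permissive, enforcing, unknown
selinux_mode() {
    mnt=$1
    # A kernel with SELinux disabled, or with no selinuxfs mounted, has no
    # 'enforce' node; report that as disabled rather than as an error.
    if [ ! -r "$mnt/enforce" ]; then
        echo disabled
        return 0
    fi
    val=$(tr -d '\n' < "$mnt/enforce" 2>/dev/null || true)
    case $val in
        0) echo permissive ;;
        1) echo enforcing ;;
        *) echo unknown ;;
    esac
}

# Usage: selinux_summary <mount-point>
# Prints mode=..., then whether the loaded policy is an MLS/MCS policy
# (mls=1) and the binary policy format version (policyvers=N).
selinux_summary() {
    mnt=$1
    mode=$(selinux_mode "$mnt")
    printf 'mode=%s\n' "$mode"
    [ "$mode" = disabled ] && return 0
    for node in mls policyvers; do
        if [ -r "$mnt/$node" ]; then
            printf '%s=%s\n' "$node" "$(tr -d '\n' < "$mnt/$node" 2>/dev/null || true)"
        else
            printf '%s=(unavailable)\n' "$node"
        fi
    done
}
```

A monitoring check that alerts when `selinux_mode` stops returning `enforcing` is a cheap way to detect a host being quietly switched to permissive mode; compare the result with `getenforce`, which goes through libselinux and should agree.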
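For the file context item above, here is an added example (not from the original guide or from libselinux) that reads the security.selinux extended attribute with the getfattr utility from the attr package and parses its dump-format output. The attribute name and the getfattr output format are real; the function names and the constructed sample used in the notes are this example's own. The unlabeled case, which the text says applies to most pseudo file systems, is reported explicitly instead of as an empty string.

```shell
#!/bin/sh
# Added example (not from the original guide): read a file's SELinux label
# from the security.selinux extended attribute via getfattr, and parse the
# output so the parsing can be checked offline against constructed text.

# Usage: parse_selinux_xattr < <getfattr dump output>
# getfattr prints, per file:
#   # file: /etc/passwd
#   security.selinux="system_u:object_r:passwd_file_t:s0"
#   <blank line>
# Emits one line per file: <path><TAB><context>, or (unlabeled) when a
# "# file:" header carried no security.selinux value.
parse_selinux_xattr() {
    path=''
    ctx=''
    # The '|| [ -n "$line" ]' keeps a final line that lacks a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '# file: '*)
                # Flush the previous file's result before starting a new one.
                [ -n "$path" ] && printf '%s\t%s\n' "$path" "${ctx:-(unlabeled)}"
                path=${line#'# file: '}
                ctx=''
                ;;
            'security.selinux="'*'"')
                ctx=${line#security.selinux=\"}
                ctx=${ctx%\"}
                ;;
        esac
    done
    [ -n "$path" ] && printf '%s\t%s\n' "$path" "${ctx:-(unlabeled)}"
    return 0
}

# Usage: file_context <path>...
# Live wrapper: a path with no security.selinux attribute (pseudo file
# systems without xattr support, or a missing file) reports (unlabeled),
# since getfattr prints nothing for it.
file_context() {
    for p in "$@"; do
        out=$(getfattr --absolute-names -n security.selinux -- "$p" 2>/dev/null || true)
        if [ -n "$out" ]; then
            printf '%s\n' "$out" | parse_selinux_xattr
        else
            printf '%s\t(unlabeled)\n' "$p"
        fi
    done
}
```

`ls -Z` shows the same label through libselinux; reading the raw attribute is mainly useful when checking whether a file system was mounted with xattr support at all, since a label that is present on disk but invisible to `ls -Z` points at a mount or policy problem rather than a labeling one.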

Published under the terms of the GNU General Public License