Some of these are discussed more extensively in other locations, and are
here to highlight their nature. These are various special interfaces into
the kernel and file system details.
Tip: The shared library libselinux provides an abstraction layer for all of
these interfaces. If you are writing an application, use this library instead
of trying to directly access these interfaces. To see what is provided with
libselinux, run the command rpm -ql libselinux. This will show all the
utilities and associated manual pages included in the library.
The special files at /proc/<PID>/attr/ allow userspace access to context
information about a process. <PID> is the process ID for the process you are
examining. This access includes getting and setting security attributes for
the process. The pseudo files in this directory are:

  current  - the current security context of the process.
  prev     - the context prior to the last exec, that is, the context of the
             process that called this process.
  exec     - the context to apply at the next exec.
  fscreate - the context to apply to any new files created by this process.
The pseudo file system selinuxfs is mounted at
/selinux/. It provides the SELinux policy API for
userspace. Some of what libselinux abstracts
from this pseudo file system is loading policy, enabling or disabling
SELinux, and making AVC checks.
Security file contexts are stored in the security.selinux extended attribute
of the file. This attribute is read whenever a subject requests the SELinux
type of a file. Extended attribute support is extremely limited for pseudo
file systems at this time. Currently only devpts supports xattrs, but work is
ongoing to add support for more pseudo file systems.
As with the other special interfaces, it is recommended to use
libselinux to interface with the functions.
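The following added example (not part of the original text, and not libselinux code) reads the two interfaces described above directly: the /proc/<PID>/attr/ pseudo files and the security.selinux extended attribute. It returns None where the kernel or file system does not provide the value, and the parse_context helper splits a context into its user:role:type:level fields; the sample context strings are constructed for illustration.

```python
import errno
import os


def parse_context(ctx):
    """Split an SELinux context 'user:role:type[:level]' into its fields.

    The kernel may return a trailing NUL or newline; strip it first.
    Raises ValueError for strings that are not SELinux contexts.
    """
    ctx = ctx.rstrip("\x00\n")
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    level = parts[3] if len(parts) == 4 else None
    return {"user": parts[0], "role": parts[1], "type": parts[2], "level": level}


def process_attr(pid, name):
    """Read /proc/<pid>/attr/<name> (current, prev, exec, fscreate).

    Returns the raw string, or None when the attribute is unset (empty)
    or the kernel has no SELinux support for this interface.
    """
    path = "/proc/%s/attr/%s" % (pid, name)
    try:
        with open(path, "rb") as f:
            value = f.read().decode("utf-8", "replace").rstrip("\x00\n")
    except OSError as e:
        if e.errno in (errno.ENOENT, errno.EINVAL, errno.ENOTSUP, errno.EACCES):
            return None
        raise
    return value or None


def file_context(path):
    """Return the security.selinux xattr of a file, or None if absent.

    ENODATA: no label stored; ENOTSUP: the file system (for example most
    pseudo file systems) does not support extended attributes.
    """
    if not hasattr(os, "getxattr"):  # os.getxattr exists on Linux only
        return None
    try:
        raw = os.getxattr(path, "security.selinux")
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return raw.decode("utf-8", "replace").rstrip("\x00\n")
```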