Struct SecurityContext

pub struct SecurityContext<'context> { /* private fields */ }

SELinux security context.

Implementations

impl<'context> SecurityContext<'context>

pub fn is_raw_format(&self) -> bool

Return false if security context translation must be performed.

pub fn as_ptr(&self) -> *const c_char

Return the managed raw pointer to c_char.

pub fn as_mut_ptr(&mut self) -> *mut c_char

Return the managed raw pointer to c_char.

pub fn as_bytes(&self) -> &[u8]

Return the security context’s byte slice.

pub fn to_c_string(&self) -> Result<Option<Cow<'_, CStr>>>

Return the string value of this security context.

If the context is empty, then this returns Ok(None).

pub fn from_c_str( c_context: &'context CStr, raw_format: bool, ) -> SecurityContext<'context>

Return the security context identified by context.

⚠️ The returned instance does NOT own the provided context. When the returned instance get dropped, it will NOT deallocate the provided context.

pub fn current(raw_format: bool) -> Result<Self>

Return the security context of the current process.

See: getcon().

pub fn previous(raw_format: bool) -> Result<Self>

Return the security context of the current process before the last exec.

See: getprevcon().

pub fn previous_of_process( process_id: Option<pid_t>, raw_format: bool, ) -> Result<Self>

Return the security context, of the current or specified process, before the last exec.

If process_id is None, then the current process is queried.

Specifying a particular process id (process_id.is_some()) requires libselinux version 3.5 or later.

See: getprevcon(), getpidprevcon().

pub fn set_as_current(&self) -> Result<()>

Set the current security context of the process to this context.

See: setcon().

pub fn of_initial_kernel_context(name: &str, raw_format: bool) -> Result<Self>

Get the context of a kernel initial security identifier specified by name.

See: security_get_initial_context().

pub fn of_media_type(name: &str) -> Result<Self>

Get the default SELinux security context for the specified media type from the policy.

See: matchmediacon().

pub fn of_process(process_id: pid_t, raw_format: bool) -> Result<Self>

Return the process context for the specified process identifier.

See: getpidcon().

pub fn to_raw_format(&self) -> Result<Self>

Perform context translation from the human-readable format (translated) to the internal system format (raw).

See: selinux_trans_to_raw_context().

pub fn to_translated_format(&self) -> Result<Self>

Perform context translation from the internal system format (raw) to the human-readable format (translated).

See: selinux_raw_to_trans_context().

pub fn of_se_user_with_selected_context( se_user: &str, raw_format: bool, ) -> Result<Self>

Ask the user to manually enter a context as a fallback if a list of authorized contexts could not be obtained.

See: manual_user_enter_context().

pub fn default_for_se_user( se_user: &str, role: Option<&str>, level: Option<&str>, reachable_from_context: Option<&Self>, raw_format: bool, ) -> Result<Self>

Obtain a context, for the specified SELinux user identity, that is reachable from the specified reachable_from_context.

See: get_default_context(), get_default_context_with_level(), get_default_context_with_role(), get_default_context_with_rolelevel().

pub fn of_next_exec(raw_format: bool) -> Result<Option<Self>>

Get the context used for executing a new process.

See: getexeccon().

pub fn set_default_context_for_next_exec() -> Result<()>

Reset the context, used for the next execve() call, to the default policy behavior.

See: setexeccon().

pub fn set_for_next_exec(&self) -> Result<()>

Set the context used for the next execve() call.

See: setexeccon().

pub fn of_new_file_system_objects(raw_format: bool) -> Result<Option<Self>>

Get the context used for creating a new file system object.

See: getfscreatecon().

pub fn set_default_context_for_new_file_system_objects() -> Result<()>

Reset the context, used for creating a new file system object, to the default policy behavior.

See: setfscreatecon().

pub fn set_for_new_file_system_objects(&self, raw_format: bool) -> Result<()>

Set the context used for creating a new file system object.

See: setfscreatecon().

pub fn of_new_kernel_key_rings(raw_format: bool) -> Result<Option<Self>>

Get the context used for creating a new kernel key ring.

See: getkeycreatecon().

pub fn set_default_context_for_new_kernel_key_rings() -> Result<()>

Set the context, used for creating a new kernel key ring, to the default policy behavior.

See: setkeycreatecon().

pub fn set_for_new_kernel_key_rings(&self, raw_format: bool) -> Result<()>

Set the context used for creating a new kernel key ring.

See: setkeycreatecon().

pub fn of_new_labeled_sockets(raw_format: bool) -> Result<Option<Self>>

Get the context used for creating a new labeled network socket.

See: getsockcreatecon().

pub fn set_default_context_for_new_labeled_sockets() -> Result<()>

Set the context, used for creating a new labeled network sockets, to the default policy behavior.

See: setsockcreatecon().

pub fn set_for_new_labeled_sockets(&self, raw_format: bool) -> Result<()>

Set the context used for creating a new labeled network sockets.

See: setsockcreatecon().

pub fn of_path( path: impl AsRef<Path>, follow_symbolic_links: bool, raw_format: bool, ) -> Result<Option<Self>>

Get the context associated with the given path in the file system.

See: lgetfilecon(), getfilecon().

pub fn set_default_for_path(path: impl AsRef<Path>) -> Result<()>

Set the file context to the system defaults.

See: selinux_lsetfilecon_default().

pub fn set_for_path( &self, path: impl AsRef<Path>, follow_symbolic_links: bool, raw_format: bool, ) -> Result<()>

Set the SELinux security context of a file system object.

See: lsetfilecon(), setfilecon().

pub fn of_file<T>(fd: &T, raw_format: bool) -> Result<Option<Self>>

where T: AsRawFd,

Get the SELinux security context of a file system object.

See: fgetfilecon().

pub fn set_for_file<T>(&self, fd: &T) -> Result<()>

where T: AsRawFd,

Set the SELinux security context of the file system object identified by an open file descriptor.

See: fsetfilecon().

pub fn of_peer_socket<T>(socket: &T, raw_format: bool) -> Result<Self>

where T: AsRawFd,

Set the SELinux security context of the peer socket identified by an open file descriptor.

See: getpeercon().

pub fn query_access_decision( &self, target_context: &Self, target_class: SecurityClass, requested_access: access_vector_t, ) -> Result<av_decision>

Return whether the policy permits this source context to access target_context via target_class with the requested access vector.

See: security_compute_av_flags().

pub fn of_labeling_decision( &self, target_context: &Self, target_class: SecurityClass, object_name: &str, ) -> Result<Self>

Compute a context to use for labeling a new named object in a particular class based on a SID pair.

See: security_compute_create_name().

pub fn of_relabeling_decision( &self, target_context: &Self, target_class: SecurityClass, ) -> Result<Self>

Compute the new context to use when relabeling an object.

See: security_compute_relabel().

pub fn of_polyinstantiation_member_decision( &self, target_context: &Self, target_class: SecurityClass, ) -> Result<Self>

Compute the context to use when labeling a polyinstantiated object instance.

See: security_compute_member().

pub fn validate_transition( &self, target_context: &Self, target_class: SecurityClass, new_context: &Self, ) -> Result<()>

Determine if a transition from this context to new_context using target_context as the object is valid for object class target_class.

This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy.

This function requires libselinux version 3.0 or later.

See: security_validatetrans().

pub fn check(&self) -> Option<bool>

Check the validity of an SELinux context.

See: security_check_context(), is_selinux_enabled().

pub fn canonicalize(&self) -> Result<Self>

Canonicalize this security context.

See: security_canonicalize_context().

pub fn check_access( &self, target_context: &Self, target_class: &str, requested_permission: &str, audit_data: *mut c_void, ) -> Result<bool>

Check if this context has the access permission for the specified class on the target context.

See: selinux_check_access().

pub fn check_securetty_context(&self) -> bool

Check whether a SELinux tty security context is defined as a securetty context.

See: selinux_check_securetty_context().

pub fn is_customizable(&self) -> Result<bool>

Check whether SELinux context type is customizable by the administrator.

See: is_context_customizable().

pub fn to_color(&self) -> Result<SecurityContextColors>

Return the color string for this SELinux security context.

See: selinux_raw_context_to_color().

pub fn compare_user_insensitive(&self, other: &Self) -> Ordering

Compare this SELinux security context with another one, excluding the user component.

See: selinux_file_context_cmp().

pub fn verify_file_context( path: impl AsRef<Path>, mode: Option<FileAccessMode>, ) -> Result<bool>

Compare the SELinux security context on disk to the default security context required by the policy file contexts file.

See: selinux_file_context_verify().

Trait Implementations

impl<'context> Debug for SecurityContext<'context>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Drop for SecurityContext<'_>

fn drop(&mut self)

See: freecon().

impl<'context> PartialEq for SecurityContext<'context>

fn eq(&self, that: &Self) -> bool

Test whether this security context is equal to another security context, potentially after canonicalizing both of them.

If a security context fails canonicalization, then it is used as is for the purpose of this equality test.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl<'context> Eq for SecurityContext<'context>