Expand description

🛡️ Safe Rust bindings for libselinux

SELinux is a flexible Mandatory Access Control for Linux.

This crate supports libselinux from version 2.8 to 3.2. Later versions might still be compatible. This crate exposes neither deprecated nor undocumented SELinux API functions and types.

⚠️ This crate is Linux-specific. Building it for non-Linux platforms, or for the Linux kernel, results in an empty crate.

This documentation is too brief to cover SELinux. Please refer to the official SELinux documentation, the manual pages of the libselinux native library, and the selinux-sys crate for a more complete picture on how to use this crate.

If you cannot find a feature you are looking for by its name, but you know which libselinux APIs relate to it, then try searching the documentation by that API name.

⚓ Backward compatibility

This crate requires libselinux version 2.8, at least. However, this crate provides some functions that are based on libselinux functions implemented in later versions. When such newer functions are needed, this crate attempts to load them dynamically at runtime. If such functions are implemented by libselinux, then the called crate functions run as expected. If the needed functions are not implemented by libselinux, then an error is returned indicating that the called crate function is unsupported.


This project adheres to Semantic Versioning. The CHANGELOG.md file details notable changes over time.


Access Vector Cache.

SELinux call backs.

Restore file(s) default SELinux security contexts.


Labeling files.

SELinux paths.

SELinux policies.



File access mode.

Background and foreground colors.

Opaque security context.

Red, green and blue components of a color.

SELinux security class.

SELinux security context.

Colors of a security context.

List of security contexts.


Support of SELinux in the running kernel.

Protection checked by SELinux on mmap() and mprotect() calls.

SELinux enforcing mode.

SELinux handling of undefined object classes and permissions.


Determine how the system was set up to run SELinux.

Determine the current SELinux enforcing mode.

Get the default type (domain) for role, and set type to refer to it.

Flush the SELinux class cache, e.g., upon a policy reload.

Determine the support of SELinux in the running kernel.

Determine the protection currently checked by SELinux on mmap() and mprotect() calls.

Force a reset of the loaded configuration.

Get the SELinux user name and level for a given Linux user name.

Set the current SELinux enforcing mode.

Establishes a mapping from a user-provided ordering of object classes and permissions to the numbers actually used by the loaded system policy.

Return the current SELinux handling of undefined object classes and permissions.