matchpathcon(3) SELinux API documentation matchpathcon(3)NAMEmatchpathcon - get the default SELinux security context for the speci‐
fied path from the file contexts configuration.
SYNOPSIS
#include <selinux/selinux.h>
int matchpathcon_init(const char *path);
int matchpathcon_fini(void);
int matchpathcon(const char *path, mode_t mode, security_context_t
*con);
void set_matchpathcon_printf(void (*f)(const char *fmt, ...));
void set_matchpathcon_invalidcon(int (*f)(const char *path, unsigned
lineno, char * context));
void set_matchpathcon_flags(unsigned int flags);
DESCRIPTION
matchpathcon_init loads the file contexts configuration specified by
path into memory for use by subsequent matchpathcon calls. If path is
NULL, then the active file contexts configuration is loaded by default,
i.e. the path returned by selinux_file_context_path(3). Unless the
MATCHPATHCON_BASEONLY flag has been set via set_matchpathcon_flags,
files with the same path prefix but a .homedirs and .local suffix are
also looked up and loaded if present. These files provide dynamically
generated entries for user home directories and for local customiza‐
tions.
matchpathcon_fini frees the memory allocated by a prior call to match‐
pathcon_init. This function can be used to free and reset the internal
state between multiple matchpathcon_init calls, or to free memory when
finished using matchpathcon.
matchpathcon matches the specified pathname and mode against the file
contexts configuration and sets the security context con to refer to
the resulting context. The caller must free the returned security con‐
text con using freecon when finished using it. mode can be 0 to dis‐
able mode matching, but should be provided whenever possible, as it may
affect the matching. Only the file format bits (i.e. the file type) of
the mode are used. If matchpathcon_init has not already been called,
then this function will call it upon its first invocation with a NULL
path, defaulting to the active file contexts configuration.
set_matchpathcon_printf sets the function used by matchpathcon_init
when displaying errors about the file contexts configuration. If not
set, then this defaults to fprintf(stderr, fmt, ...). This can be set
to redirect error reporting to a different destination.
set_matchpathcon_invalidcon sets the function used by matchpathcon_init
when checking the validity of a context in the file contexts configura‐
tion. If not set, then this defaults to a test based on secu‐
rity_check_context(3), which checks validity against the active policy
on a SELinux system. This can be set to instead perform checking based
on a binary policy file, e.g. using sepol_check_context(3), as is done
by setfiles -c. The function is also responsible for reporting any
such error, and may include the path and lineno in such error messages.
set_matchpathcon_flags sets flags controlling the operation of match‐
pathcon_init or matchpathcon. If the MATCHPATHCON_BASEONLY flag is
set, then only the base file contexts configuration file will be pro‐
cessed, not any dynamically generated entries or local customizations.
RETURN VALUE
Returns 0 on success or -1 otherwise.
SEE ALSOselinux(8), freecon(3), setfilecon(3), setfscreatecon(3)sds@tycho.nsa.gov 16 March 2005 matchpathcon(3)
