selinux.h revision 13b599d7b80c1464683f66a1e93e02b984d94c1d 
1#ifndef _SELINUX_H_
2#define _SELINUX_H_
3
4#include <sys/types.h>
5#include <stdarg.h>
6
7#ifdef __cplusplus
8extern "C" {
9#endif
10
11/* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */
12extern int is_selinux_enabled(void);
13/* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */
14extern int is_selinux_mls_enabled(void);
15
16typedef char *security_context_t;
17
18/* Free the memory allocated for a context by any of the below get* calls. */
19extern void freecon(security_context_t con);
20
21/* Free the memory allocated for a context array by security_compute_user. */
22extern void freeconary(security_context_t * con);
23
24/* Wrappers for the /proc/pid/attr API. */
25
26/* Get current context, and set *con to refer to it.
27   Caller must free via freecon. */
28extern int getcon(security_context_t * con);
29extern int getcon_raw(security_context_t * con);
30
31/* Set the current security context to con.
32   Note that use of this function requires that the entire application
33   be trusted to maintain any desired separation between the old and new
34   security contexts, unlike exec-based transitions performed via setexeccon.
35   When possible, decompose your application and use setexeccon()+execve()
36   instead. Note that the application may lose access to its open descriptors
37   as a result of a setcon() unless policy allows it to use descriptors opened
38   by the old context. */
39extern int setcon(const security_context_t con);
40extern int setcon_raw(const security_context_t con);
41
42/* Get context of process identified by pid, and
43   set *con to refer to it.  Caller must free via freecon. */
44extern int getpidcon(pid_t pid, security_context_t * con);
45extern int getpidcon_raw(pid_t pid, security_context_t * con);
46
47/* Get previous context (prior to last exec), and set *con to refer to it.
48   Caller must free via freecon. */
49extern int getprevcon(security_context_t * con);
50extern int getprevcon_raw(security_context_t * con);
51
52/* Get exec context, and set *con to refer to it.
53   Sets *con to NULL if no exec context has been set, i.e. using default.
54   If non-NULL, caller must free via freecon. */
55extern int getexeccon(security_context_t * con);
56extern int getexeccon_raw(security_context_t * con);
57
58/* Set exec security context for the next execve.
59   Call with NULL if you want to reset to the default. */
60extern int setexeccon(const security_context_t con);
61extern int setexeccon_raw(const security_context_t con);
62
63/* Get fscreate context, and set *con to refer to it.
64   Sets *con to NULL if no fs create context has been set, i.e. using default.
65   If non-NULL, caller must free via freecon. */
66extern int getfscreatecon(security_context_t * con);
67extern int getfscreatecon_raw(security_context_t * con);
68
69/* Set the fscreate security context for subsequent file creations.
70   Call with NULL if you want to reset to the default. */
71extern int setfscreatecon(const security_context_t context);
72extern int setfscreatecon_raw(const security_context_t context);
73
74/* Get keycreate context, and set *con to refer to it.
75   Sets *con to NULL if no key create context has been set, i.e. using default.
76   If non-NULL, caller must free via freecon. */
77extern int getkeycreatecon(security_context_t * con);
78extern int getkeycreatecon_raw(security_context_t * con);
79
80/* Set the keycreate security context for subsequent key creations.
81   Call with NULL if you want to reset to the default. */
82extern int setkeycreatecon(const security_context_t context);
83extern int setkeycreatecon_raw(const security_context_t context);
84
85/* Get sockcreate context, and set *con to refer to it.
86   Sets *con to NULL if no socket create context has been set, i.e. using default.
87   If non-NULL, caller must free via freecon. */
88extern int getsockcreatecon(security_context_t * con);
89extern int getsockcreatecon_raw(security_context_t * con);
90
91/* Set the sockcreate security context for subsequent socket creations.
92   Call with NULL if you want to reset to the default. */
93extern int setsockcreatecon(const security_context_t context);
94extern int setsockcreatecon_raw(const security_context_t context);
95
96/* Wrappers for the xattr API. */
97
98/* Get file context, and set *con to refer to it.
99   Caller must free via freecon. */
100extern int getfilecon(const char *path, security_context_t * con);
101extern int getfilecon_raw(const char *path, security_context_t * con);
102extern int lgetfilecon(const char *path, security_context_t * con);
103extern int lgetfilecon_raw(const char *path, security_context_t * con);
104extern int fgetfilecon(int fd, security_context_t * con);
105extern int fgetfilecon_raw(int fd, security_context_t * con);
106
107/* Set file context */
108extern int setfilecon(const char *path, security_context_t con);
109extern int setfilecon_raw(const char *path, security_context_t con);
110extern int lsetfilecon(const char *path, security_context_t con);
111extern int lsetfilecon_raw(const char *path, security_context_t con);
112extern int fsetfilecon(int fd, security_context_t con);
113extern int fsetfilecon_raw(int fd, security_context_t con);
114
115/* Wrappers for the socket API */
116
117/* Get context of peer socket, and set *con to refer to it.
118   Caller must free via freecon. */
119extern int getpeercon(int fd, security_context_t * con);
120extern int getpeercon_raw(int fd, security_context_t * con);
121
122/* Wrappers for the selinuxfs (policy) API. */
123
124typedef unsigned int access_vector_t;
125typedef unsigned short security_class_t;
126
127struct av_decision {
128	access_vector_t allowed;
129	access_vector_t decided;
130	access_vector_t auditallow;
131	access_vector_t auditdeny;
132	unsigned int seqno;
133	unsigned int flags;
134};
135
136/* Definitions of av_decision.flags */
137#define SELINUX_AVD_FLAGS_PERMISSIVE	0x0001
138
139/* Structure for passing options, used by AVC and label subsystems */
140struct selinux_opt {
141	int type;
142	const char *value;
143};
144
145/* Callback facilities */
146union selinux_callback {
147	/* log the printf-style format and arguments,
148	   with the type code indicating the type of message */
149	int
150#ifdef __GNUC__
151__attribute__ ((format(printf, 2, 3)))
152#endif
153	(*func_log) (int type, const char *fmt, ...);
154	/* store a string representation of auditdata (corresponding
155	   to the given security class) into msgbuf. */
156	int (*func_audit) (void *auditdata, security_class_t cls,
157			   char *msgbuf, size_t msgbufsize);
158	/* validate the supplied context, modifying if necessary */
159	int (*func_validate) (security_context_t *ctx);
160	/* netlink callback for setenforce message */
161	int (*func_setenforce) (int enforcing);
162	/* netlink callback for policyload message */
163	int (*func_policyload) (int seqno);
164};
165
166#define SELINUX_CB_LOG		0
167#define SELINUX_CB_AUDIT	1
168#define SELINUX_CB_VALIDATE	2
169#define SELINUX_CB_SETENFORCE	3
170#define SELINUX_CB_POLICYLOAD	4
171
172extern union selinux_callback selinux_get_callback(int type);
173extern void selinux_set_callback(int type, union selinux_callback cb);
174
175	/* Logging type codes, passed to the logging callback */
176#define SELINUX_ERROR	        0
177#define SELINUX_WARNING		1
178#define SELINUX_INFO		2
179#define SELINUX_AVC		3
180
181/* Compute an access decision. */
182extern int security_compute_av(const security_context_t scon,
183			       const security_context_t tcon,
184			       security_class_t tclass,
185			       access_vector_t requested,
186			       struct av_decision *avd);
187extern int security_compute_av_raw(const security_context_t scon,
188				   const security_context_t tcon,
189				   security_class_t tclass,
190				   access_vector_t requested,
191				   struct av_decision *avd);
192
193extern int security_compute_av_flags(const security_context_t scon,
194				     const security_context_t tcon,
195				     security_class_t tclass,
196				     access_vector_t requested,
197				     struct av_decision *avd);
198extern int security_compute_av_flags_raw(const security_context_t scon,
199					 const security_context_t tcon,
200					 security_class_t tclass,
201					 access_vector_t requested,
202					 struct av_decision *avd);
203
204/* Compute a labeling decision and set *newcon to refer to it.
205   Caller must free via freecon. */
206extern int security_compute_create(const security_context_t scon,
207				   const security_context_t tcon,
208				   security_class_t tclass,
209				   security_context_t * newcon);
210extern int security_compute_create_raw(const security_context_t scon,
211				       const security_context_t tcon,
212				       security_class_t tclass,
213				       security_context_t * newcon);
214extern int security_compute_create_name(const security_context_t scon,
215					const security_context_t tcon,
216					security_class_t tclass,
217					const char *objname,
218					security_context_t * newcon);
219extern int security_compute_create_name_raw(const security_context_t scon,
220					    const security_context_t tcon,
221					    security_class_t tclass,
222					    const char *objname,
223					    security_context_t * newcon);
224
225/* Compute a relabeling decision and set *newcon to refer to it.
226   Caller must free via freecon. */
227extern int security_compute_relabel(const security_context_t scon,
228				    const security_context_t tcon,
229				    security_class_t tclass,
230				    security_context_t * newcon);
231extern int security_compute_relabel_raw(const security_context_t scon,
232					const security_context_t tcon,
233					security_class_t tclass,
234					security_context_t * newcon);
235
236/* Compute a polyinstantiation member decision and set *newcon to refer to it.
237   Caller must free via freecon. */
238extern int security_compute_member(const security_context_t scon,
239				   const security_context_t tcon,
240				   security_class_t tclass,
241				   security_context_t * newcon);
242extern int security_compute_member_raw(const security_context_t scon,
243				       const security_context_t tcon,
244				       security_class_t tclass,
245				       security_context_t * newcon);
246
247/* Compute the set of reachable user contexts and set *con to refer to
248   the NULL-terminated array of contexts.  Caller must free via freeconary. */
249extern int security_compute_user(const security_context_t scon,
250				 const char *username,
251				 security_context_t ** con);
252extern int security_compute_user_raw(const security_context_t scon,
253				     const char *username,
254				     security_context_t ** con);
255
256/* Load a policy configuration. */
257extern int security_load_policy(void *data, size_t len);
258
259/* Get the context of an initial kernel security identifier by name.
260   Caller must free via freecon */
261extern int security_get_initial_context(const char *name,
262					security_context_t * con);
263extern int security_get_initial_context_raw(const char *name,
264					    security_context_t * con);
265
266/*
267 * Make a policy image and load it.
268 * This function provides a higher level interface for loading policy
269 * than security_load_policy, internally determining the right policy
270 * version, locating and opening the policy file, mapping it into memory,
271 * manipulating it as needed for current boolean settings and/or local
272 * definitions, and then calling security_load_policy to load it.
273 *
274 * 'preservebools' is a boolean flag indicating whether current
275 * policy boolean values should be preserved into the new policy (if 1)
276 * or reset to the saved policy settings (if 0).  The former case is the
277 * default for policy reloads, while the latter case is an option for policy
278 * reloads but is primarily for the initial policy load.
279 */
280extern int selinux_mkload_policy(int preservebools);
281
282/*
283 * Perform the initial policy load.
284 * This function determines the desired enforcing mode, sets the
285 * the *enforce argument accordingly for the caller to use, sets the
286 * SELinux kernel enforcing status to match it, and loads the policy.
287 * It also internally handles the initial selinuxfs mount required to
288 * perform these actions.
289 *
290 * The function returns 0 if everything including the policy load succeeds.
291 * In this case, init is expected to re-exec itself in order to transition
292 * to the proper security context.
293 * Otherwise, the function returns -1, and init must check *enforce to
294 * determine how to proceed.  If enforcing (*enforce > 0), then init should
295 * halt the system.  Otherwise, init may proceed normally without a re-exec.
296 */
297extern int selinux_init_load_policy(int *enforce);
298
299/* Translate boolean strict to name value pair. */
300typedef struct {
301	char *name;
302	int value;
303} SELboolean;
304/* save a list of booleans in a single transaction.  */
305extern int security_set_boolean_list(size_t boolcnt,
306				     SELboolean * boollist, int permanent);
307
308/* Load policy boolean settings.
309   Path may be NULL, in which case the booleans are loaded from
310   the active policy boolean configuration file. */
311extern int security_load_booleans(char *path);
312
313/* Check the validity of a security context. */
314extern int security_check_context(const security_context_t con);
315extern int security_check_context_raw(const security_context_t con);
316
317/* Canonicalize a security context. */
318extern int security_canonicalize_context(const security_context_t con,
319					 security_context_t * canoncon);
320extern int security_canonicalize_context_raw(const security_context_t con,
321					     security_context_t * canoncon);
322
323/* Get the enforce flag value. */
324extern int security_getenforce(void);
325
326/* Set the enforce flag value. */
327extern int security_setenforce(int value);
328
329/* Get the behavior for undefined classes/permissions */
330extern int security_deny_unknown(void);
331
332/* Disable SELinux at runtime (must be done prior to initial policy load). */
333extern int security_disable(void);
334
335/* Get the policy version number. */
336extern int security_policyvers(void);
337
338/* Get the boolean names */
339extern int security_get_boolean_names(char ***names, int *len);
340
341/* Get the pending value for the boolean */
342extern int security_get_boolean_pending(const char *name);
343
344/* Get the active value for the boolean */
345extern int security_get_boolean_active(const char *name);
346
347/* Set the pending value for the boolean */
348extern int security_set_boolean(const char *name, int value);
349
350/* Commit the pending values for the booleans */
351extern int security_commit_booleans(void);
352
353/* Userspace class mapping support */
354struct security_class_mapping {
355	const char *name;
356	const char *perms[sizeof(access_vector_t) * 8 + 1];
357};
358
359extern int selinux_set_mapping(struct security_class_mapping *map);
360
361/* Common helpers */
362
363/* Convert between mode and security class values */
364extern security_class_t mode_to_security_class(mode_t mode);
365/* Convert between security class values and string names */
366extern security_class_t string_to_security_class(const char *name);
367extern const char *security_class_to_string(security_class_t cls);
368
369/* Convert between individual access vector permissions and string names */
370extern const char *security_av_perm_to_string(security_class_t tclass,
371					      access_vector_t perm);
372extern access_vector_t string_to_av_perm(security_class_t tclass,
373					 const char *name);
374
375/* Returns an access vector in a string representation.  User must free the
376 * returned string via free(). */
377extern int security_av_string(security_class_t tclass,
378			      access_vector_t av, char **result);
379
380/* Display an access vector in a string representation. */
381extern void print_access_vector(security_class_t tclass, access_vector_t av);
382
383/* Set the function used by matchpathcon_init when displaying
384   errors about the file_contexts configuration.  If not set,
385   then this defaults to fprintf(stderr, fmt, ...). */
386extern void set_matchpathcon_printf(void (*f) (const char *fmt, ...));
387
388/* Set the function used by matchpathcon_init when checking the
389   validity of a context in the file contexts configuration.  If not set,
390   then this defaults to a test based on security_check_context().
391   The function is also responsible for reporting any such error, and
392   may include the 'path' and 'lineno' in such error messages. */
393extern void set_matchpathcon_invalidcon(int (*f) (const char *path,
394						  unsigned lineno,
395						  char *context));
396
397/* Same as above, but also allows canonicalization of the context,
398   by changing *context to refer to the canonical form.  If not set,
399   and invalidcon is also not set, then this defaults to calling
400   security_canonicalize_context(). */
401extern void set_matchpathcon_canoncon(int (*f) (const char *path,
402						unsigned lineno,
403						char **context));
404
405/* Set flags controlling operation of matchpathcon_init or matchpathcon. */
406#define MATCHPATHCON_BASEONLY 1	/* Only process the base file_contexts file. */
407#define MATCHPATHCON_NOTRANS  2	/* Do not perform any context translation. */
408#define MATCHPATHCON_VALIDATE 4	/* Validate/canonicalize contexts at init time. */
409extern void set_matchpathcon_flags(unsigned int flags);
410
411/* Load the file contexts configuration specified by 'path'
412   into memory for use by subsequent matchpathcon calls.
413   If 'path' is NULL, then load the active file contexts configuration,
414   i.e. the path returned by selinux_file_context_path().
415   Unless the MATCHPATHCON_BASEONLY flag has been set, this
416   function also checks for a 'path'.homedirs file and
417   a 'path'.local file and loads additional specifications
418   from them if present. */
419extern int matchpathcon_init(const char *path);
420
421/* Same as matchpathcon_init, but only load entries with
422   regexes that have stems that are prefixes of 'prefix'. */
423extern int matchpathcon_init_prefix(const char *path, const char *prefix);
424
425/* Free the memory allocated by matchpathcon_init. */
426extern void matchpathcon_fini(void);
427
428/* Resolve all of the symlinks and relative portions of a pathname, but NOT
429 * the final component (same a realpath() unless the final component is a
430 * symlink.  Resolved path must be a path of size PATH_MAX + 1 */
431extern int realpath_not_final(const char *name, char *resolved_path);
432
433/* Match the specified pathname and mode against the file contexts
434   configuration and set *con to refer to the resulting context.
435   'mode' can be 0 to disable mode matching.
436   Caller must free via freecon.
437   If matchpathcon_init has not already been called, then this function
438   will call it upon its first invocation with a NULL path. */
439extern int matchpathcon(const char *path,
440			mode_t mode, security_context_t * con);
441
442/* Same as above, but return a specification index for
443   later use in a matchpathcon_filespec_add() call - see below. */
444extern int matchpathcon_index(const char *path,
445			      mode_t mode, security_context_t * con);
446
447/* Maintain an association between an inode and a specification index,
448   and check whether a conflicting specification is already associated
449   with the same inode (e.g. due to multiple hard links).  If so, then
450   use the latter of the two specifications based on their order in the
451   file contexts configuration.  Return the used specification index. */
452extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
453
454/* Destroy any inode associations that have been added, e.g. to restart
455   for a new filesystem. */
456extern void matchpathcon_filespec_destroy(void);
457
458/* Display statistics on the hash table usage for the associations. */
459extern void matchpathcon_filespec_eval(void);
460
461/* Check to see whether any specifications had no matches and report them.
462   The 'str' is used as a prefix for any warning messages. */
463extern void matchpathcon_checkmatches(char *str);
464
465/* Match the specified media and against the media contexts
466   configuration and set *con to refer to the resulting context.
467   Caller must free con via freecon. */
468extern int matchmediacon(const char *media, security_context_t * con);
469
470/*
471  selinux_getenforcemode reads the /etc/selinux/config file and determines
472  whether the machine should be started in enforcing (1), permissive (0) or
473  disabled (-1) mode.
474 */
475extern int selinux_getenforcemode(int *enforce);
476
477/*
478  selinux_boolean_sub reads the /etc/selinux/TYPE/booleans.subs_dist file
479  looking for a record with boolean_name.  If a record exists selinux_boolean_sub
480  returns the translated name otherwise it returns the original name.
481  The returned value needs to be freed. On failure NULL will be returned.
482 */
483extern char *selinux_boolean_sub(const char *boolean_name);
484
485/*
486  selinux_getpolicytype reads the /etc/selinux/config file and determines
487  what the default policy for the machine is.  Calling application must
488  free policytype.
489 */
490extern int selinux_getpolicytype(char **policytype);
491
492/*
493  selinux_policy_root reads the /etc/selinux/config file and returns
494  the directory path under which the compiled policy file and context
495  configuration files exist.
496 */
497extern const char *selinux_policy_root(void);
498
499/* These functions return the paths to specific files under the
500   policy root directory. */
501extern const char *selinux_binary_policy_path(void);
502extern const char *selinux_failsafe_context_path(void);
503extern const char *selinux_removable_context_path(void);
504extern const char *selinux_default_context_path(void);
505extern const char *selinux_user_contexts_path(void);
506extern const char *selinux_file_context_path(void);
507extern const char *selinux_file_context_homedir_path(void);
508extern const char *selinux_file_context_local_path(void);
509extern const char *selinux_file_context_subs_path(void);
510extern const char *selinux_file_context_subs_dist_path(void);
511extern const char *selinux_homedir_context_path(void);
512extern const char *selinux_media_context_path(void);
513extern const char *selinux_virtual_domain_context_path(void);
514extern const char *selinux_virtual_image_context_path(void);
515extern const char *selinux_lxc_contexts_path(void);
516extern const char *selinux_x_context_path(void);
517extern const char *selinux_sepgsql_context_path(void);
518extern const char *selinux_contexts_path(void);
519extern const char *selinux_securetty_types_path(void);
520extern const char *selinux_booleans_subs_path(void);
521extern const char *selinux_booleans_path(void);
522extern const char *selinux_customizable_types_path(void);
523extern const char *selinux_users_path(void);
524extern const char *selinux_usersconf_path(void);
525extern const char *selinux_translations_path(void);
526extern const char *selinux_colors_path(void);
527extern const char *selinux_netfilter_context_path(void);
528extern const char *selinux_path(void);
529
530/**
531 * selinux_check_access - Check permissions and perform appropriate auditing.
532 * @scon: source security context
533 * @tcon: target security context
534 * @tclass: target security class string
535 * @perm: requested permissions string, interpreted based on @tclass
536 * @auditdata: auxiliary audit data
537 *
538 * Check the AVC to determine whether the @perm permissions are granted
539 * for the SID pair (@scon, @tcon), interpreting the permissions
540 * based on @tclass.
541 * Return %0 if all @perm permissions are granted, -%1 with
542 * @errno set to %EACCES if any permissions are denied or to another
543 * value upon other errors.
544 * If auditing or logging is configured the appropriate callbacks will be called
545 * and passed the auditdata field
546 */
547extern int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *tclass, const char *perm, void *auditdata);
548
549/* Check a permission in the passwd class.
550   Return 0 if granted or -1 otherwise. */
551extern int selinux_check_passwd_access(access_vector_t requested);
552extern int checkPasswdAccess(access_vector_t requested);
553
554/* Check if the tty_context is defined as a securetty
555   Return 0 if secure, < 0 otherwise. */
556extern int selinux_check_securetty_context(const security_context_t tty_context);
557
558/* Set the path to the selinuxfs mount point explicitly.
559   Normally, this is determined automatically during libselinux
560   initialization, but this is not always possible, e.g. for /sbin/init
561   which performs the initial mount of selinuxfs. */
562void set_selinuxmnt(const char *mnt);
563
564/* Check if selinuxfs exists as a kernel filesystem */
565int selinuxfs_exists(void);
566
567/* clear selinuxmnt variable and free allocated memory */
568void fini_selinuxmnt(void);
569
570/* Execute a helper for rpm in an appropriate security context. */
571extern int rpm_execcon(unsigned int verified,
572		       const char *filename,
573		       char *const argv[], char *const envp[]);
574
575/* Returns whether a file context is customizable, and should not
576   be relabeled . */
577extern int is_context_customizable(const security_context_t scontext);
578
579/* Perform context translation between the human-readable format
580   ("translated") and the internal system format ("raw").
581   Caller must free the resulting context via freecon.
582   Returns -1 upon an error or 0 otherwise.
583   If passed NULL, sets the returned context to NULL and returns 0. */
584extern int selinux_trans_to_raw_context(const security_context_t trans,
585					security_context_t * rawp);
586extern int selinux_raw_to_trans_context(const security_context_t raw,
587					security_context_t * transp);
588
589/* Perform context translation between security contexts
590   and display colors.  Returns a space-separated list of ten
591   ten hex RGB triples prefixed by hash marks, e.g. "#ff0000".
592   Caller must free the resulting string via free.
593   Returns -1 upon an error or 0 otherwise. */
594extern int selinux_raw_context_to_color(const security_context_t raw,
595					char **color_str);
596
597/* Get the SELinux username and level to use for a given Linux username.
598   These values may then be passed into the get_ordered_context_list*
599   and get_default_context* functions to obtain a context for the user.
600   Returns 0 on success or -1 otherwise.
601   Caller must free the returned strings via free. */
602extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);
603
604/* Get the SELinux username and level to use for a given Linux username and service.
605   These values may then be passed into the get_ordered_context_list*
606   and get_default_context* functions to obtain a context for the user.
607   Returns 0 on success or -1 otherwise.
608   Caller must free the returned strings via free. */
609extern int getseuser(const char *username, const char *service,
610		     char **r_seuser, char **r_level);
611
612/* Compare two file contexts, return 0 if equivalent. */
613extern int selinux_file_context_cmp(const security_context_t a,
614			     const security_context_t b);
615
616/*
617 * Verify the context of the file 'path' against policy.
618 * Return 1 if match, 0 if not and -1 on error.
619 */
620extern int selinux_file_context_verify(const char *path, mode_t mode);
621
622/* This function sets the file context on to the system defaults returns 0 on success */
623extern int selinux_lsetfilecon_default(const char *path);
624
625/*
626 * Force a reset of the loaded configuration
627 * WARNING: This is not thread safe. Be very sure that no other threads
628 * are calling into libselinux when this is called.
629 */
630extern void selinux_reset_config(void);
631
632#ifdef __cplusplus
633}
634#endif
635#endif
636