selinux.h revision 13b599d7b80c1464683f66a1e93e02b984d94c1d
1#ifndef _SELINUX_H_ 2#define _SELINUX_H_ 3 4#include <sys/types.h> 5#include <stdarg.h> 6 7#ifdef __cplusplus 8extern "C" { 9#endif 10 11/* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */ 12extern int is_selinux_enabled(void); 13/* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */ 14extern int is_selinux_mls_enabled(void); 15 16typedef char *security_context_t; 17 18/* Free the memory allocated for a context by any of the below get* calls. */ 19extern void freecon(security_context_t con); 20 21/* Free the memory allocated for a context array by security_compute_user. */ 22extern void freeconary(security_context_t * con); 23 24/* Wrappers for the /proc/pid/attr API. */ 25 26/* Get current context, and set *con to refer to it. 27 Caller must free via freecon. */ 28extern int getcon(security_context_t * con); 29extern int getcon_raw(security_context_t * con); 30 31/* Set the current security context to con. 32 Note that use of this function requires that the entire application 33 be trusted to maintain any desired separation between the old and new 34 security contexts, unlike exec-based transitions performed via setexeccon. 35 When possible, decompose your application and use setexeccon()+execve() 36 instead. Note that the application may lose access to its open descriptors 37 as a result of a setcon() unless policy allows it to use descriptors opened 38 by the old context. */ 39extern int setcon(const security_context_t con); 40extern int setcon_raw(const security_context_t con); 41 42/* Get context of process identified by pid, and 43 set *con to refer to it. Caller must free via freecon. */ 44extern int getpidcon(pid_t pid, security_context_t * con); 45extern int getpidcon_raw(pid_t pid, security_context_t * con); 46 47/* Get previous context (prior to last exec), and set *con to refer to it. 48 Caller must free via freecon. */ 49extern int getprevcon(security_context_t * con); 50extern int getprevcon_raw(security_context_t * con); 51 52/* Get exec context, and set *con to refer to it. 53 Sets *con to NULL if no exec context has been set, i.e. using default. 54 If non-NULL, caller must free via freecon. */ 55extern int getexeccon(security_context_t * con); 56extern int getexeccon_raw(security_context_t * con); 57 58/* Set exec security context for the next execve. 59 Call with NULL if you want to reset to the default. */ 60extern int setexeccon(const security_context_t con); 61extern int setexeccon_raw(const security_context_t con); 62 63/* Get fscreate context, and set *con to refer to it. 64 Sets *con to NULL if no fs create context has been set, i.e. using default. 65 If non-NULL, caller must free via freecon. */ 66extern int getfscreatecon(security_context_t * con); 67extern int getfscreatecon_raw(security_context_t * con); 68 69/* Set the fscreate security context for subsequent file creations. 70 Call with NULL if you want to reset to the default. */ 71extern int setfscreatecon(const security_context_t context); 72extern int setfscreatecon_raw(const security_context_t context); 73 74/* Get keycreate context, and set *con to refer to it. 75 Sets *con to NULL if no key create context has been set, i.e. using default. 76 If non-NULL, caller must free via freecon. */ 77extern int getkeycreatecon(security_context_t * con); 78extern int getkeycreatecon_raw(security_context_t * con); 79 80/* Set the keycreate security context for subsequent key creations. 81 Call with NULL if you want to reset to the default. */ 82extern int setkeycreatecon(const security_context_t context); 83extern int setkeycreatecon_raw(const security_context_t context); 84 85/* Get sockcreate context, and set *con to refer to it. 86 Sets *con to NULL if no socket create context has been set, i.e. using default. 87 If non-NULL, caller must free via freecon. */ 88extern int getsockcreatecon(security_context_t * con); 89extern int getsockcreatecon_raw(security_context_t * con); 90 91/* Set the sockcreate security context for subsequent socket creations. 92 Call with NULL if you want to reset to the default. */ 93extern int setsockcreatecon(const security_context_t context); 94extern int setsockcreatecon_raw(const security_context_t context); 95 96/* Wrappers for the xattr API. */ 97 98/* Get file context, and set *con to refer to it. 99 Caller must free via freecon. */ 100extern int getfilecon(const char *path, security_context_t * con); 101extern int getfilecon_raw(const char *path, security_context_t * con); 102extern int lgetfilecon(const char *path, security_context_t * con); 103extern int lgetfilecon_raw(const char *path, security_context_t * con); 104extern int fgetfilecon(int fd, security_context_t * con); 105extern int fgetfilecon_raw(int fd, security_context_t * con); 106 107/* Set file context */ 108extern int setfilecon(const char *path, security_context_t con); 109extern int setfilecon_raw(const char *path, security_context_t con); 110extern int lsetfilecon(const char *path, security_context_t con); 111extern int lsetfilecon_raw(const char *path, security_context_t con); 112extern int fsetfilecon(int fd, security_context_t con); 113extern int fsetfilecon_raw(int fd, security_context_t con); 114 115/* Wrappers for the socket API */ 116 117/* Get context of peer socket, and set *con to refer to it. 118 Caller must free via freecon. */ 119extern int getpeercon(int fd, security_context_t * con); 120extern int getpeercon_raw(int fd, security_context_t * con); 121 122/* Wrappers for the selinuxfs (policy) API. */ 123 124typedef unsigned int access_vector_t; 125typedef unsigned short security_class_t; 126 127struct av_decision { 128 access_vector_t allowed; 129 access_vector_t decided; 130 access_vector_t auditallow; 131 access_vector_t auditdeny; 132 unsigned int seqno; 133 unsigned int flags; 134}; 135 136/* Definitions of av_decision.flags */ 137#define SELINUX_AVD_FLAGS_PERMISSIVE 0x0001 138 139/* Structure for passing options, used by AVC and label subsystems */ 140struct selinux_opt { 141 int type; 142 const char *value; 143}; 144 145/* Callback facilities */ 146union selinux_callback { 147 /* log the printf-style format and arguments, 148 with the type code indicating the type of message */ 149 int 150#ifdef __GNUC__ 151__attribute__ ((format(printf, 2, 3))) 152#endif 153 (*func_log) (int type, const char *fmt, ...); 154 /* store a string representation of auditdata (corresponding 155 to the given security class) into msgbuf. */ 156 int (*func_audit) (void *auditdata, security_class_t cls, 157 char *msgbuf, size_t msgbufsize); 158 /* validate the supplied context, modifying if necessary */ 159 int (*func_validate) (security_context_t *ctx); 160 /* netlink callback for setenforce message */ 161 int (*func_setenforce) (int enforcing); 162 /* netlink callback for policyload message */ 163 int (*func_policyload) (int seqno); 164}; 165 166#define SELINUX_CB_LOG 0 167#define SELINUX_CB_AUDIT 1 168#define SELINUX_CB_VALIDATE 2 169#define SELINUX_CB_SETENFORCE 3 170#define SELINUX_CB_POLICYLOAD 4 171 172extern union selinux_callback selinux_get_callback(int type); 173extern void selinux_set_callback(int type, union selinux_callback cb); 174 175 /* Logging type codes, passed to the logging callback */ 176#define SELINUX_ERROR 0 177#define SELINUX_WARNING 1 178#define SELINUX_INFO 2 179#define SELINUX_AVC 3 180 181/* Compute an access decision. */ 182extern int security_compute_av(const security_context_t scon, 183 const security_context_t tcon, 184 security_class_t tclass, 185 access_vector_t requested, 186 struct av_decision *avd); 187extern int security_compute_av_raw(const security_context_t scon, 188 const security_context_t tcon, 189 security_class_t tclass, 190 access_vector_t requested, 191 struct av_decision *avd); 192 193extern int security_compute_av_flags(const security_context_t scon, 194 const security_context_t tcon, 195 security_class_t tclass, 196 access_vector_t requested, 197 struct av_decision *avd); 198extern int security_compute_av_flags_raw(const security_context_t scon, 199 const security_context_t tcon, 200 security_class_t tclass, 201 access_vector_t requested, 202 struct av_decision *avd); 203 204/* Compute a labeling decision and set *newcon to refer to it. 205 Caller must free via freecon. */ 206extern int security_compute_create(const security_context_t scon, 207 const security_context_t tcon, 208 security_class_t tclass, 209 security_context_t * newcon); 210extern int security_compute_create_raw(const security_context_t scon, 211 const security_context_t tcon, 212 security_class_t tclass, 213 security_context_t * newcon); 214extern int security_compute_create_name(const security_context_t scon, 215 const security_context_t tcon, 216 security_class_t tclass, 217 const char *objname, 218 security_context_t * newcon); 219extern int security_compute_create_name_raw(const security_context_t scon, 220 const security_context_t tcon, 221 security_class_t tclass, 222 const char *objname, 223 security_context_t * newcon); 224 225/* Compute a relabeling decision and set *newcon to refer to it. 226 Caller must free via freecon. */ 227extern int security_compute_relabel(const security_context_t scon, 228 const security_context_t tcon, 229 security_class_t tclass, 230 security_context_t * newcon); 231extern int security_compute_relabel_raw(const security_context_t scon, 232 const security_context_t tcon, 233 security_class_t tclass, 234 security_context_t * newcon); 235 236/* Compute a polyinstantiation member decision and set *newcon to refer to it. 237 Caller must free via freecon. */ 238extern int security_compute_member(const security_context_t scon, 239 const security_context_t tcon, 240 security_class_t tclass, 241 security_context_t * newcon); 242extern int security_compute_member_raw(const security_context_t scon, 243 const security_context_t tcon, 244 security_class_t tclass, 245 security_context_t * newcon); 246 247/* Compute the set of reachable user contexts and set *con to refer to 248 the NULL-terminated array of contexts. Caller must free via freeconary. */ 249extern int security_compute_user(const security_context_t scon, 250 const char *username, 251 security_context_t ** con); 252extern int security_compute_user_raw(const security_context_t scon, 253 const char *username, 254 security_context_t ** con); 255 256/* Load a policy configuration. */ 257extern int security_load_policy(void *data, size_t len); 258 259/* Get the context of an initial kernel security identifier by name. 260 Caller must free via freecon */ 261extern int security_get_initial_context(const char *name, 262 security_context_t * con); 263extern int security_get_initial_context_raw(const char *name, 264 security_context_t * con); 265 266/* 267 * Make a policy image and load it. 268 * This function provides a higher level interface for loading policy 269 * than security_load_policy, internally determining the right policy 270 * version, locating and opening the policy file, mapping it into memory, 271 * manipulating it as needed for current boolean settings and/or local 272 * definitions, and then calling security_load_policy to load it. 273 * 274 * 'preservebools' is a boolean flag indicating whether current 275 * policy boolean values should be preserved into the new policy (if 1) 276 * or reset to the saved policy settings (if 0). The former case is the 277 * default for policy reloads, while the latter case is an option for policy 278 * reloads but is primarily for the initial policy load. 279 */ 280extern int selinux_mkload_policy(int preservebools); 281 282/* 283 * Perform the initial policy load. 284 * This function determines the desired enforcing mode, sets the 285 * the *enforce argument accordingly for the caller to use, sets the 286 * SELinux kernel enforcing status to match it, and loads the policy. 287 * It also internally handles the initial selinuxfs mount required to 288 * perform these actions. 289 * 290 * The function returns 0 if everything including the policy load succeeds. 291 * In this case, init is expected to re-exec itself in order to transition 292 * to the proper security context. 293 * Otherwise, the function returns -1, and init must check *enforce to 294 * determine how to proceed. If enforcing (*enforce > 0), then init should 295 * halt the system. Otherwise, init may proceed normally without a re-exec. 296 */ 297extern int selinux_init_load_policy(int *enforce); 298 299/* Translate boolean strict to name value pair. */ 300typedef struct { 301 char *name; 302 int value; 303} SELboolean; 304/* save a list of booleans in a single transaction. */ 305extern int security_set_boolean_list(size_t boolcnt, 306 SELboolean * boollist, int permanent); 307 308/* Load policy boolean settings. 309 Path may be NULL, in which case the booleans are loaded from 310 the active policy boolean configuration file. */ 311extern int security_load_booleans(char *path); 312 313/* Check the validity of a security context. */ 314extern int security_check_context(const security_context_t con); 315extern int security_check_context_raw(const security_context_t con); 316 317/* Canonicalize a security context. */ 318extern int security_canonicalize_context(const security_context_t con, 319 security_context_t * canoncon); 320extern int security_canonicalize_context_raw(const security_context_t con, 321 security_context_t * canoncon); 322 323/* Get the enforce flag value. */ 324extern int security_getenforce(void); 325 326/* Set the enforce flag value. */ 327extern int security_setenforce(int value); 328 329/* Get the behavior for undefined classes/permissions */ 330extern int security_deny_unknown(void); 331 332/* Disable SELinux at runtime (must be done prior to initial policy load). */ 333extern int security_disable(void); 334 335/* Get the policy version number. */ 336extern int security_policyvers(void); 337 338/* Get the boolean names */ 339extern int security_get_boolean_names(char ***names, int *len); 340 341/* Get the pending value for the boolean */ 342extern int security_get_boolean_pending(const char *name); 343 344/* Get the active value for the boolean */ 345extern int security_get_boolean_active(const char *name); 346 347/* Set the pending value for the boolean */ 348extern int security_set_boolean(const char *name, int value); 349 350/* Commit the pending values for the booleans */ 351extern int security_commit_booleans(void); 352 353/* Userspace class mapping support */ 354struct security_class_mapping { 355 const char *name; 356 const char *perms[sizeof(access_vector_t) * 8 + 1]; 357}; 358 359extern int selinux_set_mapping(struct security_class_mapping *map); 360 361/* Common helpers */ 362 363/* Convert between mode and security class values */ 364extern security_class_t mode_to_security_class(mode_t mode); 365/* Convert between security class values and string names */ 366extern security_class_t string_to_security_class(const char *name); 367extern const char *security_class_to_string(security_class_t cls); 368 369/* Convert between individual access vector permissions and string names */ 370extern const char *security_av_perm_to_string(security_class_t tclass, 371 access_vector_t perm); 372extern access_vector_t string_to_av_perm(security_class_t tclass, 373 const char *name); 374 375/* Returns an access vector in a string representation. User must free the 376 * returned string via free(). */ 377extern int security_av_string(security_class_t tclass, 378 access_vector_t av, char **result); 379 380/* Display an access vector in a string representation. */ 381extern void print_access_vector(security_class_t tclass, access_vector_t av); 382 383/* Set the function used by matchpathcon_init when displaying 384 errors about the file_contexts configuration. If not set, 385 then this defaults to fprintf(stderr, fmt, ...). */ 386extern void set_matchpathcon_printf(void (*f) (const char *fmt, ...)); 387 388/* Set the function used by matchpathcon_init when checking the 389 validity of a context in the file contexts configuration. If not set, 390 then this defaults to a test based on security_check_context(). 391 The function is also responsible for reporting any such error, and 392 may include the 'path' and 'lineno' in such error messages. */ 393extern void set_matchpathcon_invalidcon(int (*f) (const char *path, 394 unsigned lineno, 395 char *context)); 396 397/* Same as above, but also allows canonicalization of the context, 398 by changing *context to refer to the canonical form. If not set, 399 and invalidcon is also not set, then this defaults to calling 400 security_canonicalize_context(). */ 401extern void set_matchpathcon_canoncon(int (*f) (const char *path, 402 unsigned lineno, 403 char **context)); 404 405/* Set flags controlling operation of matchpathcon_init or matchpathcon. */ 406#define MATCHPATHCON_BASEONLY 1 /* Only process the base file_contexts file. */ 407#define MATCHPATHCON_NOTRANS 2 /* Do not perform any context translation. */ 408#define MATCHPATHCON_VALIDATE 4 /* Validate/canonicalize contexts at init time. */ 409extern void set_matchpathcon_flags(unsigned int flags); 410 411/* Load the file contexts configuration specified by 'path' 412 into memory for use by subsequent matchpathcon calls. 413 If 'path' is NULL, then load the active file contexts configuration, 414 i.e. the path returned by selinux_file_context_path(). 415 Unless the MATCHPATHCON_BASEONLY flag has been set, this 416 function also checks for a 'path'.homedirs file and 417 a 'path'.local file and loads additional specifications 418 from them if present. */ 419extern int matchpathcon_init(const char *path); 420 421/* Same as matchpathcon_init, but only load entries with 422 regexes that have stems that are prefixes of 'prefix'. */ 423extern int matchpathcon_init_prefix(const char *path, const char *prefix); 424 425/* Free the memory allocated by matchpathcon_init. */ 426extern void matchpathcon_fini(void); 427 428/* Resolve all of the symlinks and relative portions of a pathname, but NOT 429 * the final component (same a realpath() unless the final component is a 430 * symlink. Resolved path must be a path of size PATH_MAX + 1 */ 431extern int realpath_not_final(const char *name, char *resolved_path); 432 433/* Match the specified pathname and mode against the file contexts 434 configuration and set *con to refer to the resulting context. 435 'mode' can be 0 to disable mode matching. 436 Caller must free via freecon. 437 If matchpathcon_init has not already been called, then this function 438 will call it upon its first invocation with a NULL path. */ 439extern int matchpathcon(const char *path, 440 mode_t mode, security_context_t * con); 441 442/* Same as above, but return a specification index for 443 later use in a matchpathcon_filespec_add() call - see below. */ 444extern int matchpathcon_index(const char *path, 445 mode_t mode, security_context_t * con); 446 447/* Maintain an association between an inode and a specification index, 448 and check whether a conflicting specification is already associated 449 with the same inode (e.g. due to multiple hard links). If so, then 450 use the latter of the two specifications based on their order in the 451 file contexts configuration. Return the used specification index. */ 452extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file); 453 454/* Destroy any inode associations that have been added, e.g. to restart 455 for a new filesystem. */ 456extern void matchpathcon_filespec_destroy(void); 457 458/* Display statistics on the hash table usage for the associations. */ 459extern void matchpathcon_filespec_eval(void); 460 461/* Check to see whether any specifications had no matches and report them. 462 The 'str' is used as a prefix for any warning messages. */ 463extern void matchpathcon_checkmatches(char *str); 464 465/* Match the specified media and against the media contexts 466 configuration and set *con to refer to the resulting context. 467 Caller must free con via freecon. */ 468extern int matchmediacon(const char *media, security_context_t * con); 469 470/* 471 selinux_getenforcemode reads the /etc/selinux/config file and determines 472 whether the machine should be started in enforcing (1), permissive (0) or 473 disabled (-1) mode. 474 */ 475extern int selinux_getenforcemode(int *enforce); 476 477/* 478 selinux_boolean_sub reads the /etc/selinux/TYPE/booleans.subs_dist file 479 looking for a record with boolean_name. If a record exists selinux_boolean_sub 480 returns the translated name otherwise it returns the original name. 481 The returned value needs to be freed. On failure NULL will be returned. 482 */ 483extern char *selinux_boolean_sub(const char *boolean_name); 484 485/* 486 selinux_getpolicytype reads the /etc/selinux/config file and determines 487 what the default policy for the machine is. Calling application must 488 free policytype. 489 */ 490extern int selinux_getpolicytype(char **policytype); 491 492/* 493 selinux_policy_root reads the /etc/selinux/config file and returns 494 the directory path under which the compiled policy file and context 495 configuration files exist. 496 */ 497extern const char *selinux_policy_root(void); 498 499/* These functions return the paths to specific files under the 500 policy root directory. */ 501extern const char *selinux_binary_policy_path(void); 502extern const char *selinux_failsafe_context_path(void); 503extern const char *selinux_removable_context_path(void); 504extern const char *selinux_default_context_path(void); 505extern const char *selinux_user_contexts_path(void); 506extern const char *selinux_file_context_path(void); 507extern const char *selinux_file_context_homedir_path(void); 508extern const char *selinux_file_context_local_path(void); 509extern const char *selinux_file_context_subs_path(void); 510extern const char *selinux_file_context_subs_dist_path(void); 511extern const char *selinux_homedir_context_path(void); 512extern const char *selinux_media_context_path(void); 513extern const char *selinux_virtual_domain_context_path(void); 514extern const char *selinux_virtual_image_context_path(void); 515extern const char *selinux_lxc_contexts_path(void); 516extern const char *selinux_x_context_path(void); 517extern const char *selinux_sepgsql_context_path(void); 518extern const char *selinux_contexts_path(void); 519extern const char *selinux_securetty_types_path(void); 520extern const char *selinux_booleans_subs_path(void); 521extern const char *selinux_booleans_path(void); 522extern const char *selinux_customizable_types_path(void); 523extern const char *selinux_users_path(void); 524extern const char *selinux_usersconf_path(void); 525extern const char *selinux_translations_path(void); 526extern const char *selinux_colors_path(void); 527extern const char *selinux_netfilter_context_path(void); 528extern const char *selinux_path(void); 529 530/** 531 * selinux_check_access - Check permissions and perform appropriate auditing. 532 * @scon: source security context 533 * @tcon: target security context 534 * @tclass: target security class string 535 * @perm: requested permissions string, interpreted based on @tclass 536 * @auditdata: auxiliary audit data 537 * 538 * Check the AVC to determine whether the @perm permissions are granted 539 * for the SID pair (@scon, @tcon), interpreting the permissions 540 * based on @tclass. 541 * Return %0 if all @perm permissions are granted, -%1 with 542 * @errno set to %EACCES if any permissions are denied or to another 543 * value upon other errors. 544 * If auditing or logging is configured the appropriate callbacks will be called 545 * and passed the auditdata field 546 */ 547extern int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *tclass, const char *perm, void *auditdata); 548 549/* Check a permission in the passwd class. 550 Return 0 if granted or -1 otherwise. */ 551extern int selinux_check_passwd_access(access_vector_t requested); 552extern int checkPasswdAccess(access_vector_t requested); 553 554/* Check if the tty_context is defined as a securetty 555 Return 0 if secure, < 0 otherwise. */ 556extern int selinux_check_securetty_context(const security_context_t tty_context); 557 558/* Set the path to the selinuxfs mount point explicitly. 559 Normally, this is determined automatically during libselinux 560 initialization, but this is not always possible, e.g. for /sbin/init 561 which performs the initial mount of selinuxfs. */ 562void set_selinuxmnt(const char *mnt); 563 564/* Check if selinuxfs exists as a kernel filesystem */ 565int selinuxfs_exists(void); 566 567/* clear selinuxmnt variable and free allocated memory */ 568void fini_selinuxmnt(void); 569 570/* Execute a helper for rpm in an appropriate security context. */ 571extern int rpm_execcon(unsigned int verified, 572 const char *filename, 573 char *const argv[], char *const envp[]); 574 575/* Returns whether a file context is customizable, and should not 576 be relabeled . */ 577extern int is_context_customizable(const security_context_t scontext); 578 579/* Perform context translation between the human-readable format 580 ("translated") and the internal system format ("raw"). 581 Caller must free the resulting context via freecon. 582 Returns -1 upon an error or 0 otherwise. 583 If passed NULL, sets the returned context to NULL and returns 0. */ 584extern int selinux_trans_to_raw_context(const security_context_t trans, 585 security_context_t * rawp); 586extern int selinux_raw_to_trans_context(const security_context_t raw, 587 security_context_t * transp); 588 589/* Perform context translation between security contexts 590 and display colors. Returns a space-separated list of ten 591 ten hex RGB triples prefixed by hash marks, e.g. "#ff0000". 592 Caller must free the resulting string via free. 593 Returns -1 upon an error or 0 otherwise. */ 594extern int selinux_raw_context_to_color(const security_context_t raw, 595 char **color_str); 596 597/* Get the SELinux username and level to use for a given Linux username. 598 These values may then be passed into the get_ordered_context_list* 599 and get_default_context* functions to obtain a context for the user. 600 Returns 0 on success or -1 otherwise. 601 Caller must free the returned strings via free. */ 602extern int getseuserbyname(const char *linuxuser, char **seuser, char **level); 603 604/* Get the SELinux username and level to use for a given Linux username and service. 605 These values may then be passed into the get_ordered_context_list* 606 and get_default_context* functions to obtain a context for the user. 607 Returns 0 on success or -1 otherwise. 608 Caller must free the returned strings via free. */ 609extern int getseuser(const char *username, const char *service, 610 char **r_seuser, char **r_level); 611 612/* Compare two file contexts, return 0 if equivalent. */ 613extern int selinux_file_context_cmp(const security_context_t a, 614 const security_context_t b); 615 616/* 617 * Verify the context of the file 'path' against policy. 618 * Return 1 if match, 0 if not and -1 on error. 619 */ 620extern int selinux_file_context_verify(const char *path, mode_t mode); 621 622/* This function sets the file context on to the system defaults returns 0 on success */ 623extern int selinux_lsetfilecon_default(const char *path); 624 625/* 626 * Force a reset of the loaded configuration 627 * WARNING: This is not thread safe. Be very sure that no other threads 628 * are calling into libselinux when this is called. 629 */ 630extern void selinux_reset_config(void); 631 632#ifdef __cplusplus 633} 634#endif 635#endif 636