security_getenforce, security_setenforce, security_deny_unknown,
security_reject_unknown, security_get_checkreqprot - get or set the enforcing
state of SELinux
#include <selinux/selinux.h>
int security_getenforce(void);
int security_setenforce(int value);
int security_deny_unknown(void);
int security_reject_unknown(void);
int security_get_checkreqprot(void);
security_getenforce() returns 0 if SELinux is running in permissive mode,
1 if it is running in enforcing mode, and -1 on error.
security_setenforce() sets SELinux to enforcing mode if the value 1 is
passed in, and sets it to permissive mode if 0 is passed in. On success 0 is
returned, on error -1 is returned.
security_deny_unknown() returns 0 if SELinux treats policy queries on
undefined object classes or permissions as being allowed, 1 if such queries
are denied, and -1 on error.
security_reject_unknown() returns 1 if the current policy was built with
handle-unknown=reject and SELinux would reject loading it, if it did not
define all kernel object classes and permissions. In this state, when
selinux_set_mapping() and
selinux_check_access() are used with
an undefined userspace class or permission, an error is returned and errno is
set to EINVAL.
It returns 0 if the current policy was built with handle-unknown=allow or
handle-unknown=deny. In this state, policy queries are treated according to
security_deny_unknown(). -1 is returned on error.
security_get_checkreqprot() can be used to determine whether SELinux is
configured to check the protection requested by the application or the actual
protection that will be applied by the kernel (including the effects of
READ_IMPLIES_EXEC) on mmap and mprotect calls. It returns 0 if SELinux checks
the actual protection, 1 if it checks the requested protection, and -1 on
error.
selinux(8)