Back to main site | Back to man page index

selabel_x(5)                                  SELinux API documentation                                  selabel_x(5)



NAME
       selabel_x  -  userspace  SELinux labeling interface and configuration file format for the X Window System con‐
       texts backend. This backend is also used to determine the default context for labeling  remotely  connected  X
       clients

SYNOPSIS
       #include <selinux/label.h>

       int selabel_lookup(struct selabel_handle *hnd,
                          char **context,
                          const char *object_name, int object_type);

       int selabel_lookup_raw(struct selabel_handle *hnd,
                          char **context,
                          const char *object_name, int object_type);

DESCRIPTION
       The  X  contexts backend maps from X Window System object names into security contexts. It is used to find the
       appropriate context for X Window System objects whose significance and/or usage semantics are determined  pri‐
       marily by name. The returned context must be freed using freecon(3).
       selabel_lookup(3) describes the function with its return and error codes.

       This backend is also used to determine the default context for labeling remotely connected X clients.

       The object_type argument should be set to one of the following values:

              SELABEL_X_PROP
                     The object_name argument specifies the name of a window property, such as "WM_NAME".

              SELABEL_X_SELN
                     The object_name argument specifies the name of a selection, such as "PRIMARY".

              SELABEL_X_EXT
                     The object_name argument specifies the name of a protocol extension, such as "RENDER".

              SELABEL_X_EVENT
                     The object_name argument specifies the name of an event type, such as "X11:ButtonPress".

              SELABEL_X_CLIENT
                     The object_name argument is ignored, however it should be set to either * (an asterisk or 'wild‐
                     card' that will select the default entry) or a specific entry such as "remote" in the X contexts
                     file  as shown in the EXAMPLE section. The default context for labeling remote X clients is then
                     returned.

              SELABEL_X_POLYPROP
                     Like SELABEL_X_PROP, but checks if the property was marked as being polyinstantiated. See  NOTES
                     below.

              SELABEL_X_POLYSELN
                     Like SELABEL_X_SELN, but checks if the selection was marked as being polyinstantiated. See NOTES
                     below.

       Any messages generated by selabel_lookup(3) are sent to stderr by default, although this  can  be  changed  by
       selinux_set_callback(3).

       selabel_lookup_raw behaves identically to selabel_lookup but does not perform context translation.
       selabel_open(3).  If  NULL, then the SELABEL_OPT_PATH value will default to the active policy X contexts loca‐
       tion (as returned by selinux_x_context_path(3)), otherwise the  actual  SELABEL_OPT_PATH  value  specified  is
       used.

       The default X object contexts file is:
              /etc/selinux/{SELINUXTYPE}/contexts/x_contexts

       Where {SELINUXTYPE} is the entry from the selinux configuration file config (see selinux_config(5)).

       The entries within the X contexts file are shown in the Object Name String Values and FILE FORMAT sections.

Object Name String Values
       The string name assigned to each object_type argument that can be present in the X contexts file are:

                                           ┌───────────────────┬────────────────┐
                                           │object_type        │ Text Name      │
                                           ├───────────────────┼────────────────┤
                                           │SELABEL_X_PROP     │ property       │
                                           ├───────────────────┼────────────────┤
                                           │SELABEL_X_SELN     │ selection      │
                                           ├───────────────────┼────────────────┤
                                           │SELABEL_X_EXT      │ extension      │
                                           ├───────────────────┼────────────────┤
                                           │SELABEL_X_EVENT    │ event          │
                                           ├───────────────────┼────────────────┤
                                           │SELABEL_X_CLIENT   │ client         │
                                           ├───────────────────┼────────────────┤
                                           │SELABEL_X_POLYPROP │ poly_property  │
                                           ├───────────────────┼────────────────┤
                                           │SELABEL_X_POLYSELN │ poly_selection │
                                           └───────────────────┴────────────────┘
FILE FORMAT
       Each line within the X contexts file is as follows:
              object_type object_name context

       Where:
              object_type
                     This is the string representation of the object type shown in the Object Name String Values sec‐
                     tion.  There can be multiple lines with the same object_type string that will form  a  block  of
                     entries (each with a different object_name entry).
              object_name
                     These  are  the object names of the specific X-server resource such as PRIMARY, CUT_BUFFER0 etc.
                     They are generally defined in the X-server source code (protocol.txt and BuiltInAtoms in the dix
                     directory  of  the xorg-server source package).  The entry can contain '*' for wildcard matching
                     or '?' for substitution.  Note that if the '*' is used, then be aware that the order of  entries
                     in  the  file  is  important. The '*' on its own is used to ensure a default fallback context is
                     assigned and should be the last entry in the object_type block.
              context
                     The security context that will be applied to the object.

       Example 1:

       # object_type  object_name  context
       selection      PRIMARY      system_u:object_r:clipboard_xselection_t:s0

       2.  If  contexts  are  to be validated, then the global option SELABEL_OPT_VALIDATE must be set before calling
           selabel_open(3). If this is not set, then it is possible for an invalid context to be returned.

SEE ALSO
       selinux(8), selabel_open(3), selabel_lookup(3), selabel_stats(3), selabel_close(3), selinux_set_callback(3),
       selinux_x_context_path(3), freecon(3), selinux_config(5)



Security Enhanced Linux                              29 Nov 2011                                         selabel_x(5)