const Enforcing …
const Permissive …
const Disabled …
const maxCategory …
const DefaultCategoryRange …

var ErrMCSAlreadyExists …
var ErrEmptyPath …
var ErrInvalidLabel …
var InvalidLabel …
var ErrIncomparable …
var ErrLevelSyntax …
var ErrContextMissing …
var ErrVerifierNil …
var CategoryRange …
var privContainerMountLabel …

type Context …

// SetDisabled disables SELinux support for the package.
func SetDisabled() { … }

// GetEnabled returns whether SELinux is currently enabled.
func GetEnabled() bool { … }

// ClassIndex returns the int index for an object class in the loaded policy,
// or -1 and an error.
func ClassIndex(class string) (int, error) { … }

// SetFileLabel sets the SELinux label for this path, following symlinks,
// or returns an error.
func SetFileLabel(fpath string, label string) error { … }

// LsetFileLabel sets the SELinux label for this path, not following symlinks,
// or returns an error.
func LsetFileLabel(fpath string, label string) error { … }

// FileLabel returns the SELinux label for this path, following symlinks,
// or returns an error.
func FileLabel(fpath string) (string, error) { … }

// LfileLabel returns the SELinux label for this path, not following symlinks,
// or returns an error.
func LfileLabel(fpath string) (string, error) { … }

// SetFSCreateLabel tells the kernel what label to use for all file system objects
// created by this task.
// Set the label to an empty string to return to the default label. Calls to SetFSCreateLabel
// should be wrapped in runtime.LockOSThread()/runtime.UnlockOSThread() until the file system
// objects created by this task are finished, to guarantee that another goroutine does not migrate
// to the current thread before execution is complete.
func SetFSCreateLabel(label string) error { … }

// FSCreateLabel returns the label the kernel is currently using for file system
// objects created by this task. "" indicates the default label.
func FSCreateLabel() (string, error) { … }

// CurrentLabel returns the SELinux label of the current process thread, or an error.
func CurrentLabel() (string, error) { … }

// PidLabel returns the SELinux label of the given pid, or an error.
func PidLabel(pid int) (string, error) { … }

// ExecLabel returns the SELinux label that the kernel will use for any programs
// that are executed by the current process thread, or an error.
func ExecLabel() (string, error) { … }

// CanonicalizeContext takes a context string, writes it to the kernel, and
// returns the context that the kernel will actually use. Use this function to
// check whether two contexts are equivalent.
func CanonicalizeContext(val string) (string, error) { … }

// ComputeCreateContext requests the type transition from source to target for
// class from the kernel.
func ComputeCreateContext(source string, target string, class string) (string, error) { … }

// CalculateGlbLub computes the glb (greatest lower bound) and lub (least upper bound)
// of a source and target range.
// The glblub is calculated as the greater of the low sensitivities, the lesser
// of the high sensitivities, and the bitwise AND (intersection) of each category bitset.
func CalculateGlbLub(sourceRange, targetRange string) (string, error) { … }

// SetExecLabel sets the SELinux label that the kernel will use for any programs
// that are executed by the current process thread, or returns an error. Calls to SetExecLabel
// should be wrapped in runtime.LockOSThread()/runtime.UnlockOSThread() until execution
// of the program is finished, to guarantee that another goroutine does not migrate to the current
// thread before execution is complete.
func SetExecLabel(label string) error { … }

// SetTaskLabel sets the SELinux label for the current thread, or returns an error.
// This requires the dyntransition permission. Calls to SetTaskLabel should
// be wrapped in runtime.LockOSThread()/runtime.UnlockOSThread() to guarantee
// that the current goroutine does not continue in a new, mislabeled thread.
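The glb/lub rule in the CalculateGlbLub comment is easiest to understand on concrete MCS ranges. The following is an added, self-contained re-implementation of that rule written for this page; it is not the go-selinux code, and its type and function names (mlsLevel, mlsRange, parseRange, glbLub) are invented here. It assumes the plain "sN:cA,cB.cD-sM:…" level syntax and, as the library's exported ErrIncomparable suggests, treats two ranges whose sensitivity intervals do not overlap as incomparable. Typical use is clamping a container's requested MCS range to the range its caller is allowed to hand out.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// mlsLevel is one MLS/MCS level such as "s0:c1,c2.c5": a sensitivity plus a
// category set. Hypothetical type for this example, not the library's.
type mlsLevel struct {
	sens int
	cats map[int]bool
}

// mlsRange is "low-high"; a bare level is a range with low == high.
type mlsRange struct{ low, high mlsLevel }

// errIncomparable stands in for the library's ErrIncomparable (assumption).
var errIncomparable = errors.New("ranges are incomparable")

func parseCat(s string) (int, error) {
	if !strings.HasPrefix(s, "c") {
		return 0, fmt.Errorf("bad category %q", s)
	}
	return strconv.Atoi(s[1:])
}

// parseLevel parses "sN" or "sN:cA,cB.cD" (".", not "-", joins a category span).
func parseLevel(s string) (mlsLevel, error) {
	lvl := mlsLevel{cats: map[int]bool{}}
	sensStr, catStr, _ := strings.Cut(s, ":")
	if !strings.HasPrefix(sensStr, "s") {
		return lvl, fmt.Errorf("bad sensitivity %q", sensStr)
	}
	n, err := strconv.Atoi(sensStr[1:])
	if err != nil {
		return lvl, fmt.Errorf("bad sensitivity %q: %w", sensStr, err)
	}
	lvl.sens = n
	if catStr == "" {
		return lvl, nil
	}
	for _, part := range strings.Split(catStr, ",") {
		loStr, hiStr, isSpan := strings.Cut(part, ".")
		lo, err := parseCat(loStr)
		if err != nil {
			return lvl, err
		}
		hi := lo
		if isSpan {
			if hi, err = parseCat(hiStr); err != nil {
				return lvl, err
			}
		}
		if hi < lo {
			return lvl, fmt.Errorf("bad category span %q", part)
		}
		for c := lo; c <= hi; c++ {
			lvl.cats[c] = true
		}
	}
	return lvl, nil
}

// parseRange parses "low-high" or a single level.
func parseRange(s string) (mlsRange, error) {
	loStr, hiStr, hasHigh := strings.Cut(s, "-")
	lo, err := parseLevel(loStr)
	if err != nil {
		return mlsRange{}, err
	}
	hi := lo
	if hasHigh {
		if hi, err = parseLevel(hiStr); err != nil {
			return mlsRange{}, err
		}
	}
	return mlsRange{low: lo, high: hi}, nil
}

// String renders a level, collapsing runs of three or more categories to cA.cB.
func (l mlsLevel) String() string {
	cats := make([]int, 0, len(l.cats))
	for c := range l.cats {
		cats = append(cats, c)
	}
	sort.Ints(cats)
	var parts []string
	for i := 0; i < len(cats); {
		j := i
		for j+1 < len(cats) && cats[j+1] == cats[j]+1 {
			j++
		}
		switch {
		case j == i:
			parts = append(parts, fmt.Sprintf("c%d", cats[i]))
		case j == i+1:
			parts = append(parts, fmt.Sprintf("c%d,c%d", cats[i], cats[j]))
		default:
			parts = append(parts, fmt.Sprintf("c%d.c%d", cats[i], cats[j]))
		}
		i = j + 1
	}
	if len(parts) == 0 {
		return fmt.Sprintf("s%d", l.sens)
	}
	return fmt.Sprintf("s%d:%s", l.sens, strings.Join(parts, ","))
}

func (r mlsRange) String() string {
	lo, hi := r.low.String(), r.high.String()
	if lo == hi {
		return lo
	}
	return lo + "-" + hi
}

func intersect(a, b map[int]bool) map[int]bool {
	out := map[int]bool{}
	for c := range a {
		if b[c] {
			out[c] = true
		}
	}
	return out
}

// glbLub applies the documented rule: low = greater of the low sensitivities,
// high = lesser of the high sensitivities, categories = intersection at each end.
func glbLub(sourceRange, targetRange string) (string, error) {
	s, err := parseRange(sourceRange)
	if err != nil {
		return "", err
	}
	t, err := parseRange(targetRange)
	if err != nil {
		return "", err
	}
	// Disjoint sensitivity intervals have no common bound (assumed ErrIncomparable case).
	if s.high.sens < t.low.sens || t.high.sens < s.low.sens {
		return "", errIncomparable
	}
	out := mlsRange{
		low:  mlsLevel{sens: s.low.sens, cats: intersect(s.low.cats, t.low.cats)},
		high: mlsLevel{sens: s.high.sens, cats: intersect(s.high.cats, t.high.cats)},
	}
	if t.low.sens > out.low.sens {
		out.low.sens = t.low.sens
	}
	if t.high.sens < out.high.sens {
		out.high.sens = t.high.sens
	}
	return out.String(), nil
}

func main() {
	// A caller allowed s0-s0:c0.c1023 hands a container the level s0:c1,c2.
	fmt.Println(glbLub("s0-s0:c0.c1023", "s0:c1,c2"))
	fmt.Println(glbLub("s0-s1", "s2-s3"))
}
```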
func SetTaskLabel(label string) error { … }

// SetSocketLabel takes a process label and tells the kernel to assign the
// label to the next socket that gets created. Calls to SetSocketLabel
// should be wrapped in runtime.LockOSThread()/runtime.UnlockOSThread() until
// the socket is created, to guarantee that another goroutine does not migrate
// to the current thread before execution is complete.
func SetSocketLabel(label string) error { … }

// SocketLabel retrieves the current socket label setting.
func SocketLabel() (string, error) { … }

// PeerLabel retrieves the label of the client on the other side of a socket.
func PeerLabel(fd uintptr) (string, error) { … }

// SetKeyLabel takes a process label and tells the kernel to assign the
// label to the next kernel keyring that gets created. Calls to SetKeyLabel
// should be wrapped in runtime.LockOSThread()/runtime.UnlockOSThread() until
// the kernel keyring is created, to guarantee that another goroutine does not migrate
// to the current thread before execution is complete.
func SetKeyLabel(label string) error { … }

// KeyLabel retrieves the current kernel keyring label setting.
func KeyLabel() (string, error) { … }

// Get returns the Context as a string.
func (c Context) Get() string { … }

// NewContext creates a new Context struct from the specified label.
func NewContext(label string) (Context, error) { … }

// ClearLabels clears all reserved labels.
func ClearLabels() { … }

// ReserveLabel reserves the MLS/MCS level component of the specified label.
func ReserveLabel(label string) { … }

// MLSEnabled checks if MLS is enabled.
func MLSEnabled() bool { … }

// EnforceMode returns the current SELinux mode: Enforcing, Permissive or Disabled.
func EnforceMode() int { … }

// SetEnforceMode sets the current SELinux mode to Enforcing or Permissive.
// Disabled is not valid, since that needs to be set at boot time.
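SetFSCreateLabel, SetExecLabel, SetSocketLabel and SetKeyLabel all set per-thread state, which is why each comment insists on runtime.LockOSThread()/runtime.UnlockOSThread(): the Go scheduler may otherwise move the goroutine to another thread between the set call and the operation that consumes the label, or run an unrelated goroutine on the thread that still carries it. The helper below is an added example written for this page, not code from go-selinux; it pins the thread, applies the label, runs the caller's work, and clears the label with "" before the thread is released, whether or not the work failed. The `Setter` type and `withThreadLabel` are invented here, and the `recordingSetter` is a constructed stand-in for the kernel call so the block runs offline; with the real package you would pass selinux.SetFSCreateLabel (or one of its siblings) as `set`.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
)

// Setter matches the signature of SetFSCreateLabel, SetExecLabel, SetSocketLabel
// and SetKeyLabel: set a per-thread label, "" returns the thread to the default.
// Hypothetical name for this example.
type Setter func(label string) error

// withThreadLabel pins the goroutine to its OS thread, applies label through
// set, runs do, and always clears the label again before unlocking the thread.
func withThreadLabel(set Setter, label string, do func() error) (err error) {
	runtime.LockOSThread()
	// Registered first, so it runs last: the label is cleared before unlock.
	defer runtime.UnlockOSThread()

	if serr := set(label); serr != nil {
		return fmt.Errorf("set label %q: %w", label, serr)
	}
	defer func() {
		// Clear even when do fails; the next goroutine scheduled on this
		// thread must not inherit a container's label.
		if cerr := set(""); cerr != nil && err == nil {
			err = fmt.Errorf("clear label: %w", cerr)
		}
	}()
	return do()
}

// recordingSetter is a constructed stand-in for the kernel call; it records
// every label set through it so the ordering can be checked offline.
type recordingSetter struct{ calls []string }

func (r *recordingSetter) set(label string) error {
	r.calls = append(r.calls, label)
	return nil
}

func main() {
	rec := &recordingSetter{}
	// Real usage: withThreadLabel(selinux.SetFSCreateLabel, fileLabel, func() error {
	//     return os.WriteFile("/var/lib/containers/.../config", data, 0o600)
	// })
	err := withThreadLabel(rec.set, "system_u:object_r:container_file_t:s0:c1,c2", func() error {
		return nil // create files here while the label is in force
	})
	fmt.Println(err, rec.calls) // <nil> [system_u:object_r:container_file_t:s0:c1,c2 ]

	failing := func(string) error { return errors.New("EACCES") }
	fmt.Println(withThreadLabel(failing, "x", func() error { return nil }))
}
```

The two deferred calls are deliberately in that order: Go runs defers last-in first-out, so the clearing defer (registered second) executes before UnlockOSThread. If do panics, the same ordering still clears the label on the way out.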
func SetEnforceMode(mode int) error { … }

// DefaultEnforceMode returns the system's default SELinux mode: Enforcing,
// Permissive or Disabled. Note this is just the default at boot time;
// EnforceMode tells you the system's current mode.
func DefaultEnforceMode() int { … }

// ReleaseLabel un-reserves the MLS/MCS Level field of the specified label,
// allowing it to be used by another process.
func ReleaseLabel(label string) { … }

// ROFileLabel returns the specified SELinux read-only file label.
func ROFileLabel() string { … }

// KVMContainerLabels returns the default processLabel and mountLabel to be used
// for kvm containers by the calling process.
func KVMContainerLabels() (string, string) { … }

// InitContainerLabels returns the default processLabel and file labels to be
// used for containers running an init system like systemd by the calling process.
func InitContainerLabels() (string, string) { … }

// ContainerLabels returns an allocated processLabel and fileLabel to be used for
// container labeling by the calling process.
func ContainerLabels() (processLabel string, fileLabel string) { … }

// SecurityCheckContext validates that the SELinux label is understood by the kernel.
func SecurityCheckContext(val string) error { … }

// CopyLevel returns a label with the MLS/MCS level from the src label replacing
// the level of the dest label.
func CopyLevel(src, dest string) (string, error) { … }

// Chcon sets the SELinux label on the file object at fpath.
// If fpath is a directory and recurse is true, then Chcon walks the
// directory tree setting the label.
//
// The fpath itself is guaranteed to be relabeled last.
func Chcon(fpath string, label string, recurse bool) error { … }

// DupSecOpt takes an SELinux process label and returns security options that
// can be used to set the SELinux Type and Level for future container processes.
func DupSecOpt(src string) ([]string, error) { … }

// DisableSecOpt returns a security opt that can be used to disable SELinux
// labeling support for future container processes.
func DisableSecOpt() []string { … }

// GetDefaultContextWithLevel gets a single context for the specified SELinux user
// identity that is reachable from the specified scon context. The context is based
// on the per-user /etc/selinux/{SELINUXTYPE}/contexts/users/<username> if it exists,
// and falls back to the global /etc/selinux/{SELINUXTYPE}/contexts/default_contexts
// file.
func GetDefaultContextWithLevel(user, level, scon string) (string, error) { … }

// PrivContainerMountLabel returns the mount label for privileged containers.
func PrivContainerMountLabel() string { … }