From patchwork Tue Mar  5 09:35:09 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Petr Lautrbach <plautrba@redhat.com>
X-Patchwork-Id: 10839163
Return-Path: <selinux-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 43E92922
	for <patchwork-selinux@patchwork.kernel.org>;
 Tue,  5 Mar 2019 09:35:26 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 319DA2AF8C
	for <patchwork-selinux@patchwork.kernel.org>;
 Tue,  5 Mar 2019 09:35:26 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 25EA22B282; Tue,  5 Mar 2019 09:35:26 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BCE5B2AF8C
	for <patchwork-selinux@patchwork.kernel.org>;
 Tue,  5 Mar 2019 09:35:25 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727178AbfCEJfZ (ORCPT
        <rfc822;patchwork-selinux@patchwork.kernel.org>);
        Tue, 5 Mar 2019 04:35:25 -0500
Received: from mx1.redhat.com ([209.132.183.28]:41702 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726098AbfCEJfZ (ORCPT <rfc822;selinux@vger.kernel.org>);
        Tue, 5 Mar 2019 04:35:25 -0500
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com
 [10.5.11.14])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 0E56EC04BD22
        for <selinux@vger.kernel.org>; Tue,  5 Mar 2019 09:35:25 +0000 (UTC)
Received: from workstation.brq.redhat.com (unknown [10.43.12.40])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 582185D9CC;
        Tue,  5 Mar 2019 09:35:24 +0000 (UTC)
From: Petr Lautrbach <plautrba@redhat.com>
To: selinux@vger.kernel.org
Cc: Petr Lautrbach <plautrba@redhat.com>
Subject: [PATCH v2] libselinux: Add security_reject_unknown(3) man page
Date: Tue,  5 Mar 2019 10:35:09 +0100
Message-Id: <20190305093509.12760-1-plautrba@redhat.com>
In-Reply-To: <pjdzhq9n0r9.fsf@redhat.com>
References: <pjdzhq9n0r9.fsf@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]);
 Tue, 05 Mar 2019 09:35:25 +0000 (UTC)
Sender: selinux-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux.vger.kernel.org>
X-Mailing-List: selinux@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Commit c19395d7 added a new interface security_reject_unknown() which needs to
be documented.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 libselinux/man/man3/security_getenforce.3     | 15 ++++++++++++++-
 libselinux/man/man3/security_reject_unknown.3 |  1 +
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 libselinux/man/man3/security_reject_unknown.3

diff --git a/libselinux/man/man3/security_getenforce.3 b/libselinux/man/man3/security_getenforce.3
index 29cf3de7..7b0a069f 100644
--- a/libselinux/man/man3/security_getenforce.3
+++ b/libselinux/man/man3/security_getenforce.3
@@ -1,6 +1,7 @@
 .TH "security_getenforce" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
 .SH "NAME"
-security_getenforce, security_setenforce, security_deny_unknown, security_get_checkreqprot\- get or set the enforcing state of SELinux
+security_getenforce, security_setenforce, security_deny_unknown, security_reject_unknown,
+security_get_checkreqprot \- get or set the enforcing state of SELinux
 .
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
@@ -11,6 +12,8 @@ security_getenforce, security_setenforce, security_deny_unknown, security_get_ch
 .sp
 .B int security_deny_unknown(void);
 .sp
+.B int security_reject_unknown(void);
+.sp
 .B int security_get_checkreqprot(void);
 .
 .SH "DESCRIPTION"
@@ -27,6 +30,16 @@ returned.
 returns 0 if SELinux treats policy queries on undefined object classes or
 permissions as being allowed, 1 if such queries are denied, and \-1 on error.
 
+.BR security_reject_unknown ()
+returns 1 if SELinux rejects loading a policy which doesn't define all kernel
+object classes and permissions. In this state SELinux treats policy queries on
+undefined object classes or permissions as being denied.
+
+It returns 0 if SELinux allows to load such policy and policy queries are
+treated according to
+.BR security_deny_unknown(),
+\-1 is returned on error.
+
 .BR security_get_checkreqprot ()
 can be used to determine whether SELinux is configured to check the
 protection requested by the application or the actual protection that will
diff --git a/libselinux/man/man3/security_reject_unknown.3 b/libselinux/man/man3/security_reject_unknown.3
new file mode 100644
index 00000000..d59e5c2c
--- /dev/null
+++ b/libselinux/man/man3/security_reject_unknown.3
@@ -0,0 +1 @@
+.so man3/security_getenforce.3