Provided by: libselinux1-dev_3.4-1_amd64 bug


       security_getenforce,  security_setenforce, security_deny_unknown, security_reject_unknown,
       security_get_checkreqprot - get or set the enforcing state of SELinux


       #include <selinux/selinux.h>

       int security_getenforce(void);

       int security_setenforce(int value);

       int security_deny_unknown(void);

       int security_reject_unknown(void);

       int security_get_checkreqprot(void);


       security_getenforce() returns 0 if SELinux is running in  permissive  mode,  1  if  it  is
       running in enforcing mode, and -1 on error.

       security_setenforce() sets SELinux to enforcing mode if the value 1 is passed in, and sets
       it to permissive mode if 0 is passed in.  On  success  0  is  returned,  on  error  -1  is

       security_deny_unknown()  returns  0  if  SELinux treats policy queries on undefined object
       classes or permissions as being allowed, 1 if such queries are denied, and -1 on error.

       security_reject_unknown()  returns  1  if  the  current  policy  was  built  with  handle-
       unknown=reject and SELinux would reject loading it, if it did not define all kernel object
       classes   and   permissions.   In   this    state,    when    selinux_set_mapping()    and
       selinux_check_access()  are used with an undefined userspace class or permission, an error
       is returned and errno is set to EINVAL.

       It returns 0 if  the  current  policy  was  built  with  handle-unknown=allow  or  handle-
       unknown=deny.    In    this    state,    policy   queries   are   treated   according   to
       security_deny_unknown().  -1 is returned on error.

       security_get_checkreqprot() can be used to determine  whether  SELinux  is  configured  to
       check  the  protection  requested by the application or the actual protection that will be
       applied by the kernel (including the effects of READ_IMPLIES_EXEC) on  mmap  and  mprotect
       calls.  It returns 0 if SELinux checks the actual protection, 1 if it checks the requested
       protection, and -1 on error.