1getcon(3)                  SELinux API documentation                 getcon(3)
2
3
4

NAME

6       getcon,  getprevcon,  getpidcon  -  get  SELinux  security context of a
7       process
8
9       freecon, freeconary - free memory associated with SELinux security con‐
10       texts
11
12       getpeercon - get security context of a peer socket
13
14       setcon - set current security context of a process
15

SYNOPSIS

17       #include <selinux/selinux.h>
18
19       int getcon(char **context);
20
21       int getcon_raw(char **context);
22
23       int getprevcon(char **context);
24
25       int getprevcon_raw(char **context);
26
27       int getpidcon(pid_t pid, char **context);
28
29       int getpidcon_raw(pid_t pid, char **context);
30
31       int getpeercon(int fd, char **context);
32
33       int getpeercon_raw(int fd, char **context);
34
35       void freecon(char *con);
36
37       void freeconary(char **con);
38
39       int setcon(char *context);
40
41       int setcon_raw(char *context);
42

DESCRIPTION

44       getcon()  retrieves  the  context of the current process, which must be
45       free'd with freecon.
46
47       getprevcon() same as getcon but gets the context before the last exec.
48
49       getpidcon() returns the process context for the specified PID.
50
51       getpeercon() retrieves context of peer  socket,  and  set  *context  to
52       refer to it, which must be free'd with freecon().
53
54       freecon() frees the memory allocated for a security context.
55
56       freeconary() frees the memory allocated for a context array.
57
58       If con is NULL, no operation is performed.
59
60       setcon()  sets  the  current  security  context of the process to a new
61       value.  Note that use of this function requires that the entire  appli‐
62       cation  be  trusted  to maintain any desired separation between the old
63       and new security contexts, unlike exec-based transitions performed  via
64       setexeccon(3).   When  possible,  decompose  your  application  and use
65       setexeccon(3) and execve(3) instead.
66
67       Since access to file descriptors is revalidated upon  use  by  SELinux,
68       the  new context must be explicitly authorized in the policy to use the
69       descriptors opened by the old context if that is  desired.   Otherwise,
70       attempts  by  the  process  to  use any existing descriptors (including
71       stdin, stdout, and stderr) after performing the setcon() will fail.
72
73       A multi-threaded application can perform a setcon() prior  to  creating
74       any  child threads, in which case all of the child threads will inherit
75       the new context.  However, prior to Linux 2.6.28, setcon()  would  fail
76       if  there  are any other threads running in the same process since this
77       would yield an inconsistency among the  security  contexts  of  threads
78       sharing the same memory space.  Since Linux 2.6.28, setcon() is permit‐
79       ted for threads within a multi-threaded process  if  the  new  security
80       context is bounded by the old security context, where the bounded rela‐
81       tion is defined through typebounds statements in the policy and guaran‐
82       tees  that  the new security context has a subset of the permissions of
83       the old security context.
84
85       If the process was being ptraced at the time of the setcon() operation,
86       ptrace  permission  will be revalidated against the new context and the
87       setcon() will fail if it is not allowed by policy.
88
89       getcon_raw(), getprevcon_raw(), getpidcon_raw(),  getpeercon_raw()  and
90       setcon_raw()  behave  identically  to their non-raw counterparts but do
91       not perform context translation.
92

RETURN VALUE

94       On error -1 is returned.  On success 0 is returned.
95

SEE ALSO

97       selinux(8), setexeccon(3)
98
99
100
101russell@coker.com.au           21 December 2011                      getcon(3)
Impressum