getcon(3)                  SELinux API documentation                 getcon(3)

NAME

       getcon, getprevcon, getpidcon - get SELinux security context of a
       process.

       getpeercon - get security context of a peer socket.

       setcon - set current security context of a process.

SYNOPSIS

       #include <selinux/selinux.h>

       int getcon(security_context_t *context);

       int getprevcon(security_context_t *context);

       int getpidcon(pid_t pid, security_context_t *context);

       int getpeercon(int fd, security_context_t *context);

       int setcon(security_context_t context);

DESCRIPTION

       getcon retrieves the context of the current process, which must be
       freed with freecon.

       getprevcon is the same as getcon but gets the context before the
       last exec.

       getpidcon returns the process context for the specified PID.

       getpeercon retrieves the context of the peer socket and sets
       *context to refer to it; the context must be freed with freecon.

       setcon sets the current security context of the process to a new
       value. Note that use of this function requires that the entire
       application be trusted to maintain any desired separation between
       the old and new security contexts, unlike exec-based transitions
       performed via setexeccon(3). When possible, decompose your
       application and use setexeccon() and execve() instead.

       Since access to file descriptors is revalidated upon use by SELinux,
       the new context must be explicitly authorized in the policy to use
       the descriptors opened by the old context if that is desired.
       Otherwise, attempts by the process to use any existing descriptors
       (including stdin, stdout, and stderr) after performing the setcon()
       will fail.

       A multi-threaded application can perform a setcon() prior to
       creating any child threads, in which case all of the child threads
       will inherit the new context. However, setcon() will fail if there
       are any other threads running in the same process.

       If the process was being ptraced at the time of the setcon()
       operation, ptrace permission will be revalidated against the new
       context and the setcon() will fail if it is not allowed by policy.

RETURN VALUE

       On error -1 is returned.  On success 0 is returned.
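
EXAMPLE

       The calling contract described above (0 on success with an allocated
       context the caller must release, -1 on error), as an added example
       that is not part of the original page or of libselinux. It assumes
       the Linux procfs file /proc/<pid>/attr/current, where the kernel
       exposes a process's context; read_context_file and proc_pidcon are
       hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: read one context from a procfs attribute file.
 * Returns 0 and stores an allocated string in *context (free() here,
 * freecon() with libselinux), or -1 with *context left NULL. */
int read_context_file(const char *path, char **context)
{
    char buf[4096];                 /* one page is ample for a context */
    size_t n;
    FILE *fp = fopen(path, "r");

    *context = NULL;
    if (fp == NULL)
        return -1;                  /* no such process, or no permission */
    n = fread(buf, 1, sizeof buf - 1, fp);
    if (ferror(fp)) n = 0;          /* read rejected by the kernel */
    fclose(fp);
    while (n > 0 && (buf[n - 1] == '\0' || buf[n - 1] == '\n'))
        n--;                        /* strip trailing NUL or newline */
    if (n == 0 || (*context = malloc(n + 1)) == NULL)
        return -1;
    memcpy(*context, buf, n);
    (*context)[n] = '\0';
    return 0;
}

/* Hypothetical stand-in for getpidcon(): reads /proc/<pid>/attr/current. */
int proc_pidcon(pid_t pid, char **context)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/attr/current", (long)pid);
    return read_context_file(path, context);
}

int main(void)
{
    char *con;
    if (proc_pidcon(getpid(), &con) == -1) {
        fprintf(stderr, "no context available\n");
        return 1;
    }
    printf("%s\n", con);
    free(con);                      /* pair every success with a release */
    return 0;
}
```

       With libselinux itself, the same pattern applies: check each call
       for -1 before touching the context.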

SEE ALSO

       selinux(8), freecon(3), setexeccon(3)



russell@coker.com.au            1 January 2004                       getcon(3)