1getexeccon(3)              SELinux API documentation             getexeccon(3)
2
3
4

NAME

6       getexeccon,  setexeccon  - get or set the SELinux security context used
7       for executing a new process
8
9       rpm_execcon - run a helper for rpm in an appropriate security context
10

SYNOPSIS

12       #include <selinux/selinux.h>
13
14       int getexeccon(char **context);
15
16       int getexeccon_raw(char **context);
17
18       int setexeccon(char *context);
19
20       int setexeccon_raw(char *context);
21
22       int setexecfilecon(const char *filename, const char *fallback_type);
23
24       int rpm_execcon(unsigned  int  verified,  const  char  *filename,  char
25       *const argv[] , char *const envp[]);
26

DESCRIPTION

28       getexeccon()  retrieves  the  context used for executing a new process.
29       This returned context should be  freed  with  freecon(3)  if  non-NULL.
30       getexeccon()  sets *context to NULL if no exec context has been explic‐
31       itly set by the program (i.e. using the default policy behavior).
32
33       setexeccon() sets the context used for the next execve(2)  call.   NULL
34       can  be passed to setexeccon() to reset to the default policy behavior.
35       The exec context is automatically reset after the next execve(2), so  a
36       program doesn't need to explicitly sanitize it upon startup.
37
38       setexeccon()  can be applied prior to library functions that internally
39       perform an execve(2), e.g.  execl*(3), execv*(3), popen(3), in order to
40       set an exec context for that operation.
41
42       getexeccon_raw()  and setexeccon_raw() behave identically to their non-
43       raw counterparts but do not perform context translation.
44
45       Note: Signal handlers that perform an execve(2) must take care to save,
46       reset, and restore the exec context to avoid unexpected behavior.
47
48       setexecfilecon()  sets  the  context  used for the next execve(2) call,
49       based on the policy for the filename, and falling back to a new context
50       with a fallback_type in case there is no transition.
51
52       rpm_execcon() is deprecated; please use setexecfilecon() in conjunction
53       with execve(2) in all new code. This function runs a helper for rpm  in
54       an appropriate security context.  The verified parameter should contain
55       the return code from the signature verification (0 ==  ok,  1  ==  not‐
56       found,  2  ==  verifyfail,  3 == nottrusted, 4 == nokey), although this
57       information is not yet used by the function.  The  function  determines
58       the  proper  security  context for the helper based on policy, sets the
59       exec context accordingly, and then executes the specified filename with
60       the provided argument and environment arrays.
61

RETURN VALUE

63       On error -1 is returned.
64
65       On  success  getexeccon(),  setexeccon() and setexecfilecon() return 0.
66       rpm_execcon() only returns upon errors, as it calls execve(2).
67

SEE ALSO

69       selinux(8), freecon(3), getcon(3)
70
71
72
73russell@coker.com.au            1 January 2004                   getexeccon(3)
Impressum