getcon(3)                 SELinux API documentation                getcon(3)

NAME         top

       getcon,  getprevcon,  getpidcon  -  get SELinux security context of a

       freecon, freeconary - free memory associated  with  SELinux  security

       getpeercon - get security context of a peer socket

       setcon - set current security context of a process

SYNOPSIS         top

       #include <selinux/selinux.h>

       int getcon(char **context);

       int getcon_raw(char **context);

       int getprevcon(char **context);

       int getprevcon_raw(char **context);

       int getpidcon(pid_t pid, char **context);

       int getpidcon_raw(pid_t pid, char **context);

       int getpeercon(int fd, char **context);

       int getpeercon_raw(int fd, char **context);

       void freecon(char *con);

       void freeconary(char **con);

       int setcon(char *context);

       int setcon_raw(char *context);

DESCRIPTION         top

       getcon() retrieves the context of the current process, which must be
       free'd with freecon.

       getprevcon() same as getcon but gets the context before the last

       getpidcon() returns the process context for the specified PID.

       getpeercon() retrieves context of peer socket, and set *context to
       refer to it, which must be free'd with freecon().

       freecon() frees the memory allocated for a security context.

       freeconary() frees the memory allocated for a context array.

       If con is NULL, no operation is performed.

       setcon() sets the current security context of the process to a new
       value.  Note that use of this function requires that the entire
       application be trusted to maintain any desired separation between the
       old and new security contexts, unlike exec-based transitions
       performed via setexeccon(3).  When possible, decompose your
       application and use setexeccon(3) and execve(3) instead.

       Since access to file descriptors is revalidated upon use by SELinux,
       the new context must be explicitly authorized in the policy to use
       the descriptors opened by the old context if that is desired.
       Otherwise, attempts by the process to use any existing descriptors
       (including stdin, stdout, and stderr) after performing the setcon()
       will fail.

       A multi-threaded application can perform a setcon() prior to creating
       any child threads, in which case all of the child threads will
       inherit the new context.  However, prior to Linux 2.6.28, setcon()
       would fail if there are any other threads running in the same process
       since this would yield an inconsistency among the security contexts
       of threads sharing the same memory space.  Since Linux 2.6.28,
       setcon() is permitted for threads within a multi-threaded process if
       the new security context is bounded by the old security context,
       where the bounded relation is defined through typebounds statements
       in the policy and guarantees that the new security context has a
       subset of the permissions of the old security context.

       If the process was being ptraced at the time of the setcon()
       operation, ptrace permission will be revalidated against the new
       context and the setcon() will fail if it is not allowed by policy.

       getcon_raw(), getprevcon_raw(), getpidcon_raw(), getpeercon_raw() and
       setcon_raw() behave identically to their non-raw counterparts but do
       not perform context translation.

RETURN VALUE         top

       On error -1 is returned.  On success 0 is returned.

SEE ALSO         top

       selinux(8), setexeccon(3)

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-space
       libraries and tools) project.  Information about the project can be
       found at ⟨⟩.  If you
       have a bug report for this manual page, see 
       ⟨⟩.  This
       page was obtained from the project's upstream Git repository 
       ⟨⟩ on 2017-03-13.  If you
       discover any rendering problems in this HTML version of the page, or
       you believe there is a better or more up-to-date source for the page,
       or you have corrections or improvements to the information in this
       COLOPHON (which is not part of the original manual page), send a mail
       to          21 December 2011                     getcon(3)