getcon, getprevcon, getpidcon - get SELinux security context of a
freecon, freeconary - free memory associated with SELinux security
getpeercon - get security context of a peer socket
setcon - set current security context of a process
getcon() retrieves the context of the current process, which must be
free'd with freecon.
getprevcon() same as getcon but gets the context before the last
getpidcon() returns the process context for the specified PID.
getpeercon() retrieves context of peer socket, and set *context to
refer to it, which must be free'd with freecon().
freecon() frees the memory allocated for a security context.
freeconary() frees the memory allocated for a context array.
If con is NULL, no operation is performed.
setcon() sets the current security context of the process to a new
value. Note that use of this function requires that the entire
application be trusted to maintain any desired separation between the
old and new security contexts, unlike exec-based transitions
performed via setexeccon(3). When possible, decompose your
application and use setexeccon(3) and execve(3) instead.
Since access to file descriptors is revalidated upon use by SELinux,
the new context must be explicitly authorized in the policy to use
the descriptors opened by the old context if that is desired.
Otherwise, attempts by the process to use any existing descriptors
(including stdin, stdout, and stderr) after performing the setcon()
A multi-threaded application can perform a setcon() prior to creating
any child threads, in which case all of the child threads will
inherit the new context. However, prior to Linux 2.6.28, setcon()
would fail if there are any other threads running in the same process
since this would yield an inconsistency among the security contexts
of threads sharing the same memory space. Since Linux 2.6.28,
setcon() is permitted for threads within a multi-threaded process if
the new security context is bounded by the old security context,
where the bounded relation is defined through typebounds statements
in the policy and guarantees that the new security context has a
subset of the permissions of the old security context.
If the process was being ptraced at the time of the setcon()
operation, ptrace permission will be revalidated against the new
context and the setcon() will fail if it is not allowed by policy.
getcon_raw(), getprevcon_raw(), getpidcon_raw(), getpeercon_raw() and
setcon_raw() behave identically to their non-raw counterparts but do
not perform context translation.
This page is part of the selinux (Security-Enhanced Linux user-space
libraries and tools) project. Information about the project can be
found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩. If you
have a bug report for this manual page, see
page was obtained from the project's upstream Git repository
⟨https://github.com/SELinuxProject/selinux⟩ on 2017-03-13. If you
discover any rendering problems in this HTML version of the page, or
you believe there is a better or more up-to-date source for the page,
or you have corrections or improvements to the information in this
COLOPHON (which is not part of the original manual page), send a mail
email@example.com 21 December 2011 getcon(3)