getexeccon(3)             SELinux API documentation            getexeccon(3)

NAME         top

       getexeccon, setexeccon - get or set the SELinux security context used
       for executing a new process

       rpm_execcon - run a helper for rpm in an appropriate security context

SYNOPSIS         top

       #include <selinux/selinux.h>

       int getexeccon(char **context);

       int getexeccon_raw(char **context);

       int setexeccon(char *context);

       int setexeccon_raw(char *context);

       int setexecfilecon(const char *filename, const char *fallback_type);

       int rpm_execcon(unsigned int verified, const char *filename, char
       *const argv[] , char *const envp[]);

DESCRIPTION         top

       getexeccon() retrieves the context used for executing a new process.
       This returned context should be freed with freecon(3) if non-NULL.
       getexeccon() sets *context to NULL if no exec context has been
       explicitly set by the program (i.e. using the default policy

       setexeccon() sets the context used for the next execve(2) call.  NULL
       can be passed to setexeccon() to reset to the default policy
       behavior.  The exec context is automatically reset after the next
       execve(2), so a program doesn't need to explicitly sanitize it upon

       setexeccon() can be applied prior to library functions that
       internally perform an execve(2), e.g.  execl*(3), execv*(3),
       popen(3), in order to set an exec context for that operation.

       getexeccon_raw() and setexeccon_raw() behave identically to their
       non-raw counterparts but do not perform context translation.

       Note: Signal handlers that perform an execve(2) must take care to
       save, reset, and restore the exec context to avoid unexpected

       setexecfilecon() sets the context used for the next execve(2) call,
       based on the policy for the filename, and falling back to a new
       context with a fallback_type in case there is no transition.

       rpm_execcon() is deprecated; please use setexecfilecon() in
       conjunction with execve(2) in all new code. This function runs a
       helper for rpm in an appropriate security context.  The verified
       parameter should contain the return code from the signature
       verification (0 == ok, 1 == notfound, 2 == verifyfail, 3 ==
       nottrusted, 4 == nokey), although this information is not yet used by
       the function.  The function determines the proper security context
       for the helper based on policy, sets the exec context accordingly,
       and then executes the specified filename with the provided argument
       and environment arrays.

RETURN VALUE         top

       On error -1 is returned.

       On success getexeccon(), setexeccon() and setexecfilecon() return 0.
       rpm_execcon() only returns upon errors, as it calls execve(2).

SEE ALSO         top

       selinux(8), freecon(3), getcon(3)

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-space
       libraries and tools) project.  Information about the project can be
       found at ⟨⟩.  If you
       have a bug report for this manual page, see
       ⟨⟩.  This
       page was obtained from the project's upstream Git repository
       ⟨⟩ on 2017-11-25.  (At that
       time, the date of the most recent commit that was found in the repos‐
       itory was 2017-11-22.)  If you discover any rendering problems in
       this HTML version of the page, or you believe there is a better or
       more up-to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not part
       of the original manual page), send a mail to           1 January 2004                  getexeccon(3)

Pages that refer to this page: getcon(3)getfscreatecon(3)getkeycreatecon(3)systemd.exec(5)