Open Source Software

freecon(3)



NAME

   getcon,  getprevcon,  getpidcon  -  get  SELinux  security context of a
   process

   freecon, freeconary - free  memory  associated  with  SELinux  security
   contexts

   getpeercon - get security context of a peer socket

   setcon - set current security context of a process

SYNOPSIS

   #include <selinux/selinux.h>

   int getcon(char **context);

   int getcon_raw(char **context);

   int getprevcon(char **context);

   int getprevcon_raw(char **context);

   int getpidcon(pid_t pid, char **context);

   int getpidcon_raw(pid_t pid, char **context);

   int getpeercon(int fd, char **context);

   int getpeercon_raw(int fd, char **context);

   void freecon(char * con);

   void freeconary(char **con);

   int setcon(char * context);

   int setcon_raw(char * context);

DESCRIPTION

   getcon()  retrieves  the  context of the current process, which must be
   free'd with freecon.

   getprevcon() same as getcon but gets the context before the last exec.

   getpidcon() returns the process context for the specified PID.

   getpeercon() retrieves context of peer  socket,  and  set  *context  to
   refer to it, which must be free'd with freecon().

   freecon() frees the memory allocated for a security context.

   freeconary() frees the memory allocated for a context array.

   If con is NULL, no operation is performed.

   setcon()  sets  the  current  security  context of the process to a new
   value.  Note that  use  of  this  function  requires  that  the  entire
   application  be  trusted to maintain any desired separation between the
   old and new security contexts, unlike exec-based transitions  performed
   via  setexeccon(3).   When possible, decompose your application and use
   setexeccon(3) and execve(3) instead.

   Since access to file descriptors is revalidated upon  use  by  SELinux,
   the  new context must be explicitly authorized in the policy to use the
   descriptors opened by the old context if that is  desired.   Otherwise,
   attempts  by  the  process  to  use any existing descriptors (including
   stdin, stdout, and stderr) after performing the setcon() will fail.

   A multi-threaded application can perform a setcon() prior  to  creating
   any  child threads, in which case all of the child threads will inherit
   the new context.  However, prior to Linux 2.6.28, setcon()  would  fail
   if  there  are any other threads running in the same process since this
   would yield an inconsistency among the  security  contexts  of  threads
   sharing  the  same  memory  space.   Since  Linux  2.6.28,  setcon() is
   permitted for threads  within  a  multi-threaded  process  if  the  new
   security  context  is  bounded  by  the old security context, where the
   bounded relation is defined through typebounds statements in the policy
   and  guarantees  that  the  new  security  context  has a subset of the
   permissions of the old security context.

   If the process was being ptraced at the time of the setcon() operation,
   ptrace  permission  will be revalidated against the new context and the
   setcon() will fail if it is not allowed by policy.

   getcon_raw(), getprevcon_raw(), getpidcon_raw(),  getpeercon_raw()  and
   setcon_raw()  behave  identically  to their non-raw counterparts but do
   not perform context translation.

RETURN VALUE

   On error -1 is returned.  On success 0 is returned.

SEE ALSO

   selinux(8), setexeccon(3)



Free and Open Source Software


Free Software Video

Useful Programs

Free Online Courses

Open Opportunity

Open Business