Man Linux: Main Page and Category List

NAME

       getexeccon,  setexeccon  - get or set the SELinux security context used
       for executing a new process.

       rpm_execcon - run a helper for rpm in an appropriate security context

SYNOPSIS

       #include <selinux/selinux.h>

       int getexeccon(security_context_t *context);

       int setexeccon(security_context_t context);

       int rpm_execcon(unsigned  int  verified,  const  char  *filename,  char
       *const argv[] , char *const envp[]);

DESCRIPTION

       getexeccon  retrieves  the  context  used  for executing a new process.
       This returned  context  should  be  freed  with  freecon  if  non-NULL.
       getexeccon sets *con to NULL if no exec context has been explicitly set
       by the program (i.e. using the default policy behavior).

       setexeccon sets the context used for the next execve call.  NULL can be
       passed to setexeccon to reset to the default policy behavior.  The exec
       context is automatically reset after the  next  execve,  so  a  program
       doesn’t need to explicitly sanitize it upon startup.

       setexeccon  can  be  applied prior to library functions that internally
       perform an execve, e.g. execl*, execv*, popen, in order to set an  exec
       context for that operation.

       Note:  Signal  handlers  that perform an execve must take care to save,
       reset, and restore the exec context to avoid unexpected behavior.

       rpm_execcon runs a helper for rpm in an appropriate  security  context.
       The  verified  parameter  should  contain  the  return  code  from  the
       signature verification (0 == ok, 1 == notfound, 2 == verifyfail,  3  ==
       nottrusted,  4  == nokey), although this information is not yet used by
       the function.  The function determines the proper security context  for
       the helper based on policy, sets the exec context accordingly, and then
       executes  the  specified  filename  with  the  provided  argument   and
       environment arrays.

RETURN VALUE

       On error -1 is returned.

       On  success  getexeccon  and  setexeccon  returns  0.  rpm_execcon only
       returns upon errors, as it calls execve(2).

SEE ALSO

       selinux(8), freecon(3), getcon(3)