getexeccon, setexeccon - get or set the SELinux security context used
for executing a new process.
rpm_execcon - run a helper for rpm in an appropriate security context
int getexeccon(security_context_t *context);
int setexeccon(security_context_t context);
int rpm_execcon(unsigned int verified, const char *filename, char
*const argv , char *const envp);
getexeccon retrieves the context used for executing a new process.
This returned context should be freed with freecon if non-NULL.
getexeccon sets *con to NULL if no exec context has been explicitly set
by the program (i.e. using the default policy behavior).
setexeccon sets the context used for the next execve call. NULL can be
passed to setexeccon to reset to the default policy behavior. The exec
context is automatically reset after the next execve, so a program
doesn’t need to explicitly sanitize it upon startup.
setexeccon can be applied prior to library functions that internally
perform an execve, e.g. execl*, execv*, popen, in order to set an exec
context for that operation.
Note: Signal handlers that perform an execve must take care to save,
reset, and restore the exec context to avoid unexpected behavior.
rpm_execcon runs a helper for rpm in an appropriate security context.
The verified parameter should contain the return code from the
signature verification (0 == ok, 1 == notfound, 2 == verifyfail, 3 ==
nottrusted, 4 == nokey), although this information is not yet used by
the function. The function determines the proper security context for
the helper based on policy, sets the exec context accordingly, and then
executes the specified filename with the provided argument and
On error -1 is returned.
On success getexeccon and setexeccon returns 0. rpm_execcon only
returns upon errors, as it calls execve(2).
selinux(8), freecon(3), getcon(3)