Man Linux: Main Page and Category List


       getcon,  getprevcon,  getpidcon  -  get  SELinux  security context of a

       getpeercon - get security context of a peer socket.

       setcon - set current security context of a process.


       #include <selinux/selinux.h>

       int getcon(security_context_t *context);

       int getprevcon(security_context_t *context);

       int getpidcon(pid_t pid, security_context_t *context);

       int getpeercon(int fd, security_context_t *context);

       int setcon(security_context_t context);


       getcon retrieves the context of the  current  process,  which  must  be
       free’d with freecon.

       getprevcon same as getcon but gets the context before the last exec.

       getpidcon returns the process context for the specified PID.

       getpeercon  retrieves context of peer socket, and set *context to refer
       to it, which must be free’d with freecon.

       setcon sets the current security context of the process to a new value.
       Note  that use of this function requires that the entire application be
       trusted to maintain any desired separation  between  the  old  and  new
       security   contexts,   unlike   exec-based  transitions  performed  via
       setexeccon(3).  When  possible,  decompose  your  applicaiton  and  use
       setexeccon() and execve() instead.

       Since  access  to  file descriptors is revalidated upon use by SELinux,
       the new context must be explicitly authorized in the policy to use  the
       descriptors  opened  by the old context if that is desired.  Otherwise,
       attempts by the process to  use  any  existing  descriptors  (including
       stdin, stdout, and stderr) after performing the setcon() will fail.

       A  multi-threaded  application can perform a setcon() prior to creating
       any child threads, in which case all of the child threads will  inherit
       the  new  context.   However, setcon() will fail if there are any other
       threads running in the same process.

       If the process was being ptraced at the time of the setcon() operation,
       ptrace  permission  will be revalidated against the new context and the
       setcon() will fail if it is not allowed by policy.


       On error -1 is returned.  On success 0 is returned.


       selinux(8), freecon(3), setexeccon(3)