Diffstat (limited to 'libselinux/man/man3/getcon.3')
-rw-r--r-- | libselinux/man/man3/getcon.3 | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/libselinux/man/man3/getcon.3 b/libselinux/man/man3/getcon.3
new file mode 100644
index 00000000..2170795c
--- /dev/null
+++ b/libselinux/man/man3/getcon.3
@@ -0,0 +1,62 @@
+.TH "getcon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+.SH "NAME"
+getcon, getprevcon, getpidcon \- get SELinux security context of a process.
+
+getpeercon - get security context of a peer socket.
+
+setcon - set current security context of a process.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "int getcon(security_context_t *" context );
+
+.BI "int getprevcon(security_context_t *" context );
+
+.BI "int getpidcon(pid_t " pid ", security_context_t *" context );
+
+.BI "int getpeercon(int " fd ", security_context_t *" context);
+
+.BI "int setcon(security_context_t " context);
+
+.SH "DESCRIPTION"
+.B getcon
+retrieves the context of the current process, which must be free'd with
+freecon.
+
+.B getprevcon
+same as getcon but gets the context before the last exec.
+
+.B getpidcon
+returns the process context for the specified PID.
+
+.B getpeercon
+retrieves context of peer socket, and set *context to refer to it, which must be free'd with freecon.
+
+.B setcon
+sets the current security context of the process to a new value. Note
+that use of this function requires that the entire application be
+trusted to maintain any desired separation between the old and new
+security contexts, unlike exec-based transitions performed via
+setexeccon(3). When possible, decompose your applicaiton and use
+setexeccon() and execve() instead.
+
+Since access to file descriptors is revalidated upon use by SELinux,
+the new context must be explicitly authorized in the policy to use the
+descriptors opened by the old context if that is desired. Otherwise,
+attempts by the process to use any existing descriptors (including
+stdin, stdout, and stderr) after performing the setcon() will fail.
+
+A multi-threaded application can perform a setcon() prior to creating
+any child threads, in which case all of the child threads will inherit
+the new context. However, setcon() will fail if there are any other
+threads running in the same process.
+
+If the process was being ptraced at the time of the setcon()
+operation, ptrace permission will be revalidated against the new
+context and the setcon() will fail if it is not allowed by policy.
+
+.SH "RETURN VALUE"
+On error -1 is returned. On success 0 is returned.
+
+.SH "SEE ALSO"
+.BR selinux "(8), " freecon "(3), " setexeccon "(3)"
|