mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-12 17:15:00 +00:00
297d2bee23
The getcon man page already includes setcon() and other non-"get" entries. Why send people somewhere else just for freecon? Put it here. Signed-off-by: Eric Paris <eparis@redhat.com>
79 lines
2.6 KiB
Groff
79 lines
2.6 KiB
Groff
.TH "getcon" "3" "21 December 2011" "russell@coker.com.au" "SELinux API documentation"
|
|
.SH "NAME"
|
|
getcon, getprevcon, getpidcon \- get SELinux security context of a process.
|
|
|
|
freecon, freeconary \- free memory associated with SELinux security contexts.
|
|
|
|
getpeercon - get security context of a peer socket.
|
|
|
|
setcon - set current security context of a process.
|
|
.SH "SYNOPSIS"
|
|
.B #include <selinux/selinux.h>
|
|
.sp
|
|
.BI "int getcon(security_context_t *" context );
|
|
|
|
.BI "int getprevcon(security_context_t *" context );
|
|
|
|
.BI "int getpidcon(pid_t " pid ", security_context_t *" context );
|
|
|
|
.BI "int getpeercon(int " fd ", security_context_t *" context);
|
|
|
|
.BI "void freecon(security_context_t "con );
|
|
|
|
.BI "void freeconary(security_context_t *" con );
|
|
|
|
.BI "int setcon(security_context_t " context);
|
|
|
|
.SH "DESCRIPTION"
|
|
.B getcon
|
|
retrieves the context of the current process, which must be free'd with
|
|
freecon.
|
|
|
|
.B getprevcon
|
|
same as getcon but gets the context before the last exec.
|
|
|
|
.B getpidcon
|
|
returns the process context for the specified PID.
|
|
|
|
.B getpeercon
|
|
retrieves context of peer socket, and set *context to refer to it, which must be free'd with freecon.
|
|
|
|
.B freecon
|
|
frees the memory allocated for a security context.
|
|
|
|
.B freeconary
|
|
frees the memory allocated for a context array.
|
|
|
|
If
|
|
.I con
|
|
is NULL, no operation is performed.
|
|
|
|
.B setcon
|
|
sets the current security context of the process to a new value. Note
|
|
that use of this function requires that the entire application be
|
|
trusted to maintain any desired separation between the old and new
|
|
security contexts, unlike exec-based transitions performed via
|
|
setexeccon(3). When possible, decompose your application and use
|
|
setexeccon() and execve() instead.
|
|
|
|
Since access to file descriptors is revalidated upon use by SELinux,
|
|
the new context must be explicitly authorized in the policy to use the
|
|
descriptors opened by the old context if that is desired. Otherwise,
|
|
attempts by the process to use any existing descriptors (including
|
|
stdin, stdout, and stderr) after performing the setcon() will fail.
|
|
|
|
A multi-threaded application can perform a setcon() prior to creating
|
|
any child threads, in which case all of the child threads will inherit
|
|
the new context. However, setcon() will fail if there are any other
|
|
threads running in the same process.
|
|
|
|
If the process was being ptraced at the time of the setcon()
|
|
operation, ptrace permission will be revalidated against the new
|
|
context and the setcon() will fail if it is not allowed by policy.
|
|
|
|
.SH "RETURN VALUE"
|
|
On error -1 is returned. On success 0 is returned.
|
|
|
|
.SH "SEE ALSO"
|
|
.BR selinux "(8), " setexeccon "(3)"
|