tequilaOS/platform_external_selinux
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_external_selinux/libselinux/man/man3/getcon.3
Eric Paris 297d2bee23 libselinux: merge freecon with getcon man page 
The getcon man page already includes setcon() and other non-"get"
entries.  Why send people somewhere else just for freecon?  Put it here.

Signed-off-by: Eric Paris <eparis@redhat.com>
2011-12-21 12:35:06 -05:00

78 lines
2.6 KiB
Groff
Raw Blame History

.TH "getcon" "3" "21 December 2011" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
getcon, getprevcon, getpidcon \- get SELinux security context of a process.
freecon, freeconary \- free memory associated with SELinux security contexts.
getpeercon - get security context of a peer socket.
setcon - set current security context of a process.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int getcon(security_context_t *" context );
.BI "int getprevcon(security_context_t *" context );
.BI "int getpidcon(pid_t " pid ", security_context_t *" context );
.BI "int getpeercon(int " fd ", security_context_t *" context);
.BI "void freecon(security_context_t "con );
.BI "void freeconary(security_context_t *" con );
.BI "int setcon(security_context_t " context);
.SH "DESCRIPTION"
.B getcon
retrieves the context of the current process, which must be free'd with
freecon.
.B getprevcon
same as getcon but gets the context before the last exec.
.B getpidcon
returns the process context for the specified PID.
.B getpeercon
retrieves context of peer socket, and set *context to refer to it, which must be free'd with freecon.
.B freecon
frees the memory allocated for a security context.
.B freeconary
frees the memory allocated for a context array.
If
.I con
is NULL, no operation is performed.
.B setcon
sets the current security context of the process to a new value. Note
that use of this function requires that the entire application be
trusted to maintain any desired separation between the old and new
security contexts, unlike exec-based transitions performed via
setexeccon(3). When possible, decompose your application and use
setexeccon() and execve() instead.
Since access to file descriptors is revalidated upon use by SELinux,
the new context must be explicitly authorized in the policy to use the
descriptors opened by the old context if that is desired. Otherwise,
attempts by the process to use any existing descriptors (including
stdin, stdout, and stderr) after performing the setcon() will fail.
A multi-threaded application can perform a setcon() prior to creating
any child threads, in which case all of the child threads will inherit
the new context. However, setcon() will fail if there are any other
threads running in the same process.
If the process was being ptraced at the time of the setcon()
operation, ptrace permission will be revalidated against the new
context and the setcon() will fail if it is not allowed by policy.
.SH "RETURN VALUE"
On error -1 is returned. On success 0 is returned.
.SH "SEE ALSO"
.BR selinux "(8), " setexeccon "(3)"
Reference in a new issue View git blame Copy permalink