Provided by: libselinux1-dev_2.8-1build2_amd64 bug

NAME

       getcon, getprevcon, getpidcon - get SELinux security context of a process

       freecon, freeconary - free memory associated with SELinux security contexts

       getpeercon - get security context of a peer socket

       setcon - set current security context of a process

SYNOPSIS

       #include <selinux/selinux.h>

       int getcon(char **context);

       int getcon_raw(char **context);

       int getprevcon(char **context);

       int getprevcon_raw(char **context);

       int getpidcon(pid_t pid, char **context);

       int getpidcon_raw(pid_t pid, char **context);

       int getpeercon(int fd, char **context);

       int getpeercon_raw(int fd, char **context);

       void freecon(char *con);

       void freeconary(char **con);

       int setcon(char *context);

       int setcon_raw(char *context);

DESCRIPTION

       getcon() retrieves the context of the current process, which must be free'd with freecon.

       getprevcon() same as getcon but gets the context before the last exec.

       getpidcon() returns the process context for the specified PID.

       getpeercon() retrieves context of peer socket, and set *context to refer to it, which must
       be free'd with freecon().

       freecon() frees the memory allocated for a security context.

       freeconary() frees the memory allocated for a context array.

       If con is NULL, no operation is performed.

       setcon() sets the current security context of the process to a new value.  Note  that  use
       of  this  function requires that the entire application be trusted to maintain any desired
       separation between the old  and  new  security  contexts,  unlike  exec-based  transitions
       performed   via   setexeccon(3).   When  possible,  decompose  your  application  and  use
       setexeccon(3) and execve(3) instead.

       Since access to file descriptors is revalidated upon use by SELinux, the new context  must
       be explicitly authorized in the policy to use the descriptors opened by the old context if
       that is desired.  Otherwise, attempts by the  process  to  use  any  existing  descriptors
       (including stdin, stdout, and stderr) after performing the setcon() will fail.

       A  multi-threaded  application can perform a setcon() prior to creating any child threads,
       in which case all of the child threads will inherit the new context.   However,  prior  to
       Linux  2.6.28,  setcon()  would  fail  if  there are any other threads running in the same
       process since this would yield an inconsistency among the  security  contexts  of  threads
       sharing  the  same  memory  space.   Since Linux 2.6.28, setcon() is permitted for threads
       within a multi-threaded process if the new security context is bounded by the old security
       context, where the bounded relation is defined through typebounds statements in the policy
       and guarantees that the new security context has a subset of the permissions  of  the  old
       security context.

       If  the process was being ptraced at the time of the setcon() operation, ptrace permission
       will be revalidated against the new context and the  setcon()  will  fail  if  it  is  not
       allowed by policy.

       getcon_raw(),  getprevcon_raw(), getpidcon_raw(), getpeercon_raw() and setcon_raw() behave
       identically to their non-raw counterparts but do not perform context translation.

RETURN VALUE

       On error -1 is returned.  On success 0 is returned.

SEE ALSO

       selinux(8), setexeccon(3)