getcon(3) — Linux manual page


getcon(3)                SELinux API documentation                getcon(3)

NAME

       getcon, getprevcon, getpidcon - get SELinux security context of a
       process

       freecon, freeconary - free memory associated with SELinux security
       contexts

       getpeercon - get security context of a peer socket

       setcon - set current security context of a process

SYNOPSIS

       #include <selinux/selinux.h>

       int getcon(char **context);
       int getcon_raw(char **context);

       int getprevcon(char **context);
       int getprevcon_raw(char **context);

       int getpidcon(pid_t pid, char **context);
       int getpidcon_raw(pid_t pid, char **context);

       int getpidprevcon(pid_t pid, char **context);
       int getpidprevcon_raw(pid_t pid, char **context);

       int getpeercon(int fd, char **context);
       int getpeercon_raw(int fd, char **context);

       void freecon(char *con);
       void freeconary(char **con);

       int setcon(const char *context);
       int setcon_raw(const char *context);

DESCRIPTION

       getcon()
              retrieves the context of the current process, which must be
              freed with freecon().

       getprevcon()
              same as getcon() but gets the context before the last exec.

       getpidcon()
              returns the process context for the specified PID, which
              must be freed with freecon().

       getpidprevcon()
              returns the process context before the last exec for the
              specified PID, which must be freed with freecon().

       getpeercon()
              retrieves the context of the peer socket, which must be
              freed with freecon().

       freecon()
              frees the memory allocated for a security context.  If con
              is NULL, no operation is performed.

       freeconary()
              frees the memory allocated for a context array.  If con is
              NULL, no operation is performed.

       setcon()
              sets the current security context of the process to a new
              value.  Note that use of this function requires that the
              entire application be trusted to maintain any desired
              separation between the old and new security contexts,
              unlike exec-based transitions performed via setexeccon(3).
              When possible, decompose your application and use
              setexeccon(3) and execve(3) instead.

              Since access to file descriptors is revalidated upon use by
              SELinux, the new context must be explicitly authorized in
              the policy to use the descriptors opened by the old context
              if that is desired.  Otherwise, attempts by the process to
              use any existing descriptors (including stdin, stdout, and
              stderr) after performing the setcon() will fail.

              A multi-threaded application can perform a setcon() prior
              to creating any child threads, in which case all of the
              child threads will inherit the new context.  However, prior
              to Linux 2.6.28, setcon() would fail if there are any other
              threads running in the same process since this would yield
              an inconsistency among the security contexts of threads
              sharing the same memory space.  Since Linux 2.6.28, setcon()
              is permitted for threads within a multi-threaded process if
              the new security context is bounded by the old security
              context, where the bounded relation is defined through
              typebounds statements in the policy and guarantees that the
              new security context has a subset of the permissions of the
              old security context.

              If the process was being ptraced at the time of the setcon()
              operation, ptrace permission will be revalidated against the
              new context and the setcon() will fail if it is not allowed
              by policy.

       *_raw()
              getcon_raw(), getprevcon_raw(), getpidcon_raw(),
              getpidprevcon_raw(), getpeercon_raw() and setcon_raw()
              behave identically to their non-raw counterparts but do not
              perform context translation.

RETURN VALUE

       On error -1 is returned with errno set.  On success 0 is returned.

NOTES

       The retrieval functions might return success and set *context to
       NULL if and only if SELinux is not enabled.

       Querying a foreign process via its PID, e.g. getpidcon() or
       getpidprevcon(), is inherently racy and therefore should never be
       relied upon for security purposes.

SEE ALSO

       selinux(8), setexeccon(3)

COLOPHON

       This page is part of the selinux (Security-Enhanced Linux user-
       space libraries and tools) project.  Information about the project
       can be found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩.
       If you have a bug report for this manual page, see
       ⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩.
       This page was obtained from the project's upstream Git repository
       ⟨https://github.com/SELinuxProject/selinux⟩ on 2025-08-11.  (At
       that time, the date of the most recent commit that was found in
       the repository was 2025-08-04.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there is
       a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       man-pages@man7.org

russell@coker.com.au           21 December 2011                 getcon(3)
