getexeccon(3) — Linux manual page

getexeccon(3)           SELinux API documentation           getexeccon(3)

NAME

       getexeccon, setexeccon - get or set the SELinux security context
       used for executing a new process

       rpm_execcon - run a helper for rpm in an appropriate security
       context

SYNOPSIS

       #include <selinux/selinux.h>

       int getexeccon(char **context);

       int getexeccon_raw(char **context);

       int setexeccon(const char *context);

       int setexeccon_raw(const char *context);

       int setexecfilecon(const char *filename, const char *fallback_type);

       int rpm_execcon(unsigned int verified, const char *filename,
                       char *const argv[], char *const envp[]);

DESCRIPTION

       getexeccon() retrieves the context used for executing a new
       process.  This returned context should be freed with freecon(3) if
       non-NULL.  getexeccon() sets *context to NULL if no exec context
       has been explicitly set by the program (i.e. using the default
       policy behavior).

       setexeccon() sets the context used for the next execve(2) call.
       NULL can be passed to setexeccon() to reset to the default policy
       behavior.  The exec context is automatically reset after the next
       execve(2), so a program doesn't need to explicitly sanitize it
       upon startup.

       setexeccon() can be applied prior to library functions that
       internally perform an execve(2), e.g. execl*(3), execv*(3),
       popen(3), in order to set an exec context for that operation.

       getexeccon_raw() and setexeccon_raw() behave identically to their
       non-raw counterparts but do not perform context translation.

       Note: Signal handlers that perform an execve(2) must take care to
       save, reset, and restore the exec context to avoid unexpected
       behavior.

       setexecfilecon() sets the context used for the next execve(2)
       call, based on the policy for the filename, and falling back to a
       new context with a fallback_type in case there is no transition.

       rpm_execcon() is deprecated; please use setexecfilecon() in
       conjunction with execve(2) in all new code.  This function runs a
       helper for rpm in an appropriate security context.  The verified
       parameter should contain the return code from the signature
       verification (0 == ok, 1 == notfound, 2 == verifyfail, 3 ==
       nottrusted, 4 == nokey), although this information is not yet used
       by the function.  The function determines the proper security
       context for the helper based on policy, sets the exec context
       accordingly, and then executes the specified filename with the
       provided argument and environment arrays.

RETURN VALUE

       On failure, -1 is returned and errno is set appropriately.

       On success getexeccon(), setexeccon() and setexecfilecon() return
       0.  rpm_execcon() only returns upon errors, as it calls execve(2).
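
       An added example (not part of the original manual page or of the
       libselinux sources): calling setexeccon() before execve(2) and
       checking its return value, so that a helper is never started when
       the requested context could not be set.  The weak declaration,
       EXIT_NO_CONTEXT, run_in_context() and the context string are
       assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Prototype as in the SYNOPSIS. Declared weak here (an assumption of this
 * example, GCC/Clang on ELF) so the file also links without libselinux, in
 * which case the symbol is NULL. Production code includes
 * <selinux/selinux.h> and links with -lselinux instead. */
extern int setexeccon(const char *context) __attribute__((weak));

#define EXIT_NO_CONTEXT 126 /* hypothetical status: exec context not applied */

/* Run argv[0] in a child and return its exit status (-1 on error).
 * A non-NULL context is requested for the child's execve(2); if it cannot
 * be set, the child exits without exec'ing rather than running the program
 * under the default policy behavior. */
int run_in_context(const char *context, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Set in the child, so the parent's exec context is untouched. */
        if (context != NULL && (!setexeccon || setexeccon(context) < 0)) {
            fputs("exec context not set, refusing to exec\n", stderr);
            _exit(EXIT_NO_CONTEXT);
        }
        execv(argv[0], argv);
        _exit(127); /* execv() returns only on error */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = { "/bin/sh", "-c", "exit 7", NULL };
    /* Constructed context, not taken from any real policy. */
    const char *ctx = "example_u:example_r:example_t:s0";

    printf("default policy: %d\n", run_in_context(NULL, argv));
    printf("requested context: %d\n", run_in_context(ctx, argv));
    return 0;
}
```

       The second call returns 126 because the constructed context cannot
       be set; substitute a context that the loaded policy defines and
       link with -lselinux to see the helper run in that context.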

SEE ALSO

       selinux(8), freecon(3), getcon(3)

COLOPHON

       This page is part of the selinux (Security-Enhanced Linux user-
       space libraries and tools) project.  Information about the project
       can be found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩.
       If you have a bug report for this manual page, see
       ⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩.
       This page was obtained from the project's upstream Git repository
       ⟨https://github.com/SELinuxProject/selinux⟩ on 2025-08-11.  (At
       that time, the date of the most recent commit that was found in
       the repository was 2025-08-04.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there is
       a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       man-pages@man7.org

russell@coker.com.au          1 January 2004          getexeccon(3)

Pages that refer to this page: getcon(3), getfscreatecon(3), getkeycreatecon(3), systemd.exec(5)



HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface.
