getexeccon(3) SELinux API documentation getexeccon(3)
getexeccon, setexeccon - get or set the SELinux security context used for executing a new
rpm_execcon - run a helper for rpm in an appropriate security context
int getexeccon(security_context_t *context);
int getexeccon_raw(security_context_t *context);
int setexeccon(security_context_t context);
int setexeccon_raw(security_context_t context);
int rpm_execcon(unsigned int verified, const char *filename, char *const argv , char
getexeccon() retrieves the context used for executing a new process. This returned con-
text should be freed with freecon(3) if non-NULL. getexeccon() sets *context to NULL if
no exec context has been explicitly set by the program (i.e. using the default policy
setexeccon() sets the context used for the next execve(2) call. NULL can be passed to
setexeccon() to reset to the default policy behavior. The exec context is automatically
reset after the next execve(2), so a program doesn't need to explicitly sanitize it upon
setexeccon() can be applied prior to library functions that internally perform an
execve(2), e.g. execl*(3), execv*(3), popen(3), in order to set an exec context for that
getexeccon_raw() and setexeccon_raw() behave identically to their non-raw counterparts but
do not perform context translation.
Note: Signal handlers that perform an execve(2) must take care to save, reset, and restore
the exec context to avoid unexpected behavior.
rpm_execcon() runs a helper for rpm in an appropriate security context. The verified
parameter should contain the return code from the signature verification (0 == ok, 1 ==
notfound, 2 == verifyfail, 3 == nottrusted, 4 == nokey), although this information is not
yet used by the function. The function determines the proper security context for the
helper based on policy, sets the exec context accordingly, and then executes the specified
filename with the provided argument and environment arrays.
On error -1 is returned.
On success getexeccon() and setexeccon() returns 0. rpm_execcon() only returns upon
errors, as it calls execve(2).
selinux(8), freecon(3), getcon(3)
firstname.lastname@example.org 1 January 2004 getexeccon(3)