|
HTML rendering created 2024-06-26 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|
|
NAME | SYNOPSIS | DESCRIPTION | RETURN VALUE | SEE ALSO | COLOPHON |
|
|
|
getexeccon(3) SELinux API documentation getexeccon(3)
getexeccon, setexeccon - get or set the SELinux security context
used for executing a new process
rpm_execcon - run a helper for rpm in an appropriate security
context
#include <selinux/selinux.h>
int getexeccon(char **context);
int getexeccon_raw(char **context);
int setexeccon(char *context);
int setexeccon_raw(char *context);
int setexecfilecon(const char *filename, const char
*fallback_type);
int rpm_execcon(unsigned int verified, const char *filename, char
*const argv[] , char *const envp[]);
getexeccon() retrieves the context used for executing a new
process. This returned context should be freed with freecon(3)
if non-NULL. getexeccon() sets *context to NULL if no exec
context has been explicitly set by the program (i.e. using the
default policy behavior).
setexeccon() sets the context used for the next execve(2) call.
NULL can be passed to setexeccon() to reset to the default policy
behavior. The exec context is automatically reset after the next
execve(2), so a program doesn't need to explicitly sanitize it
upon startup.
setexeccon() can be applied prior to library functions that
internally perform an execve(2), e.g. execl*(3), execv*(3),
popen(3), in order to set an exec context for that operation.
getexeccon_raw() and setexeccon_raw() behave identically to their
non-raw counterparts but do not perform context translation.
Note: Signal handlers that perform an execve(2) must take care to
save, reset, and restore the exec context to avoid unexpected
behavior.
setexecfilecon() sets the context used for the next execve(2)
call, based on the policy for the filename, and falling back to a
new context with a fallback_type in case there is no transition.
rpm_execcon() is deprecated; please use setexecfilecon() in
conjunction with execve(2) in all new code. This function runs a
helper for rpm in an appropriate security context. The verified
parameter should contain the return code from the signature
verification (0 == ok, 1 == notfound, 2 == verifyfail, 3 ==
nottrusted, 4 == nokey), although this information is not yet
used by the function. The function determines the proper
security context for the helper based on policy, sets the exec
context accordingly, and then executes the specified filename
with the provided argument and environment arrays.
On error -1 is returned.
On success getexeccon(), setexeccon() and setexecfilecon() return
0. rpm_execcon() only returns upon errors, as it calls
execve(2).
selinux(8), freecon(3), getcon(3)
This page is part of the selinux (Security-Enhanced Linux user-
space libraries and tools) project. Information about the
project can be found at
⟨https://github.com/SELinuxProject/selinux/wiki⟩. If you have a
bug report for this manual page, see
⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩.
This page was obtained from the project's upstream Git repository
⟨https://github.com/SELinuxProject/selinux⟩ on 2024-06-14. (At
that time, the date of the most recent commit that was found in
the repository was 2023-05-11.) If you discover any rendering
problems in this HTML version of the page, or you believe there
is a better or more up-to-date source for the page, or you have
corrections or improvements to the information in this COLOPHON
(which is not part of the original manual page), send a mail to
man-pages@man7.org
russell@coker.com.au 1 January 2004 getexeccon(3)
Pages that refer to this page: getcon(3), getfscreatecon(3), getkeycreatecon(3), systemd.exec(5)
|
HTML rendering created 2024-06-26 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|