secon(1) [debian man page]

SECON(1)								NSA								  SECON(1)

NAME

       secon - See an SELinux context, from a file, program or user input.

SYNOPSIS

       secon [-hVurtscmPRfLp] [CONTEXT]
       [--file] FILE
       [--link] FILE
       [--pid] PID

DESCRIPTION

       See a part of a context. The context is taken from a file, pid, user input or the context in which secon is originally executed.

       -V, --version
	      shows the current version of secon

       -h, --help
	      shows the usage information for secon

       -P, --prompt
	      outputs data in a format suitable for a prompt

       -u, --user
	      show the user of the security context

       -r, --role
	      show the role of the security context

       -t, --type
	      show the type of the security context

       -s, --sensitivity
	      show the sensitivity level of the security context

       -c, --clearance
	      show the clearance level of the security context

       -m, --mls-range
	      show the sensitivity level and clearance, as a range, of the security context

       -R, --raw
	      outputs  the sensitivity level and clearance in an untranslated format.

       -f, --file
	      gets the context from the specified file FILE

       -L, --link
	      gets the context from the specified file FILE (doesn't follow symlinks)

       -p, --pid
	      gets the context from the specified process PID

       --pid-exec
	      gets the exec context from the specified process PID

       --pid-fs
	      gets the fscreate context from the specified process PID

       --current, --self
	      gets the context from the current process

       --current-exec, --self-exec
	      gets the exec context from the current process

       --current-fs, --self-fs
	      gets the fscreate context from the current process

       --parent
	      gets the context from the parent of the current process

       --parent-exec
	      gets the exec context from the parent of the current process

       --parent-fs
	      gets the fscreate context from the parent of the current process

       Additional  argument CONTEXT may be provided and will be used if no options have been specified to make secon get it's context from another
       source.	If that argument is - then the context will be read from stdin.
       If there is no arugment, secon will try reading a context from stdin, if that is not a tty, otherwise secon will act as though  --self  had
       been passed.

       If none of --user, --role, --type, --level or --mls-range is passed.  Then all of them will be output.

SEE ALSO

       chcon (1)

AUTHORS

       James Antill (james.antill@redhat.com)

Security Enhanced Linux 					    April 2006								  SECON(1)

getcon(3)						     SELinux API documentation							 getcon(3)

NAME

       getcon, getprevcon, getpidcon - get SELinux security context of a process

       freecon, freeconary - free memory associated with SELinux security contexts

       getpeercon - get security context of a peer socket

       setcon - set current security context of a process

SYNOPSIS

       #include <selinux/selinux.h>

       int getcon(security_context_t *context);

       int getcon_raw(security_context_t *context);

       int getprevcon(security_context_t *context);

       int getprevcon_raw(security_context_t *context);

       int getpidcon(pid_t pid, security_context_t *context);

       int getpidcon_raw(pid_t pid, security_context_t *context);

       int getpeercon(int fd, security_context_t *context);

       int getpeercon_raw(int fd, security_context_t *context);

       void freecon(security_context_t con);

       void freeconary(security_context_t *con);

       int setcon(security_context_t context);

       int setcon_raw(security_context_t context);

DESCRIPTION

       getcon() retrieves the context of the current process, which must be free'd with freecon.

       getprevcon() same as getcon but gets the context before the last exec.

       getpidcon() returns the process context for the specified PID.

       getpeercon() retrieves context of peer socket, and set *context to refer to it, which must be free'd with freecon().

       freecon() frees the memory allocated for a security context.

       freeconary() frees the memory allocated for a context array.

       If con is NULL, no operation is performed.

       setcon() sets the current security context of the process to a new value.  Note that use of this function requires that the entire applica-
       tion be trusted to maintain any desired separation between the old and new security contexts, unlike exec-based transitions  performed  via
       setexeccon(3).  When possible, decompose your application and use setexeccon(3) and execve(3) instead.

       Since access to file descriptors is revalidated upon use by SELinux, the new context must be explicitly authorized in the policy to use the
       descriptors opened by the old context if that is desired.  Otherwise, attempts by the process to use any  existing  descriptors	(including
       stdin, stdout, and stderr) after performing the setcon() will fail.

       A  multi-threaded  application  can  perform  a	setcon()  prior to creating any child threads, in which case all of the child threads will
       inherit the new context.  However, setcon() will fail if there are any other threads running in the same process.

       If the process was being ptraced at the time of the setcon() operation, ptrace permission will be revalidated against the new  context  and
       the setcon() will fail if it is not allowed by policy.

       getcon_raw(),  getprevcon_raw(), getpidcon_raw(), getpeercon_raw() and setcon_raw() behave identically to their non-raw counterparts but do
       not perform context translation.

RETURN VALUE

       On error -1 is returned.  On success 0 is returned.

SEE ALSO

       selinux(8), setexeccon(3)

russell@coker.com.au						 21 December 2011							 getcon(3)