NAME
    runcon - alter and consume SELinux

SYNOPSIS
    runcon
    runcon context program [argument]…
    runcon [-u user] [-r role] [-t type] [-l range] program [argument]…
    runcon -c [-u user] [-r role] [-t type] [-l range] program [argument]…
DESCRIPTION
    Without program, writes the current SELinux security context, followed by a newline, to the standard output stream.

    Otherwise, executes program with the given arguments under a different context, if that context is valid:
    - with context: that context, verbatim;
    - with at least one of -urtl: the result of getcon() with the specified fields altered;
    - with -c: the context computed for labelling a new object, with getcon() as the source context and the filesystem context of program as the target, in the "process" security class (i.e. the transition the kernel would apply on exec), with fields overridden as specified by -urtl, if any.
OPTIONS
    -c        Pre-compute the context transition, cf. DESCRIPTION.
    -u user   Set the user (the first field) to user.
    -r role   Set the role (the second field) to role.
    -t type   Set the type (the third field) to type.
    -l range  Set the level range (the fourth field) to range.
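The -urtl step, applied to a context string, as an added example in C; it is not runcon's or this page's own code. It assumes the context has the user:role:type[:range] shape that getcon() returns, where the fourth field may itself contain colons, and it stops at the rebuilt string: the page's runcon would then pass that string through security_check_context(3) and setexeccon(3) before execvp(3), which this example leaves as a comment because it does not link against libselinux.

```c
/* Added example, not code from the runcon page: apply -u/-r/-t/-l overrides
 * to a SELinux context string (user:role:type[:range]). The range may itself
 * contain colons ("s0-s0:c0.c1023"), so only the first three colons split
 * fields; everything after the third is the range. */
#include <stdio.h>
#include <string.h>

#define NFIELDS 4
#define FIELD_MAX 256

/* Split ctx into its fields. Returns 3 for a non-MLS context, 4 for an MLS
 * one, or -1 if a field is empty or overlong. */
static int split_context(const char *ctx, char fields[NFIELDS][FIELD_MAX])
{
    const char *start = ctx;
    for (int n = 0; n < NFIELDS; n++) {
        /* the last field swallows any remaining colons (the MLS range) */
        const char *end = (n == NFIELDS - 1) ? NULL : strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        if (len == 0 || len >= FIELD_MAX)
            return -1;
        memcpy(fields[n], start, len);
        fields[n][len] = '\0';
        if (!end)
            return n + 1;
        start = end + 1;
    }
    return NFIELDS;
}

/* Number of fields in ctx (3 or 4), or -1 if malformed. */
static int field_count(const char *ctx)
{
    char f[NFIELDS][FIELD_MAX];
    return split_context(ctx, f);
}

/* Rebuild ctx with the non-NULL overrides in place of its fields. A -l on a
 * non-MLS context appends the fourth field. Returns 0 on success, -1 if ctx
 * is malformed, an override is empty or overlong, or a user/role/type
 * override contains a colon (which would silently reshape the context). */
static int alter_context(const char *ctx, const char *user, const char *role,
                         const char *type, const char *range,
                         char *out, size_t outsz)
{
    char f[NFIELDS][FIELD_MAX];
    int n = split_context(ctx, f);
    if (n < 3)
        return -1;
    const char *ov[NFIELDS] = { user, role, type, range };
    for (int i = 0; i < NFIELDS; i++) {
        if (!ov[i])
            continue;
        if (ov[i][0] == '\0' || strlen(ov[i]) >= FIELD_MAX)
            return -1;
        if (i < 3 && strchr(ov[i], ':'))
            return -1;
        strcpy(f[i], ov[i]);
        if (i == 3)
            n = NFIELDS;
    }
    int w = snprintf(out, outsz, "%s:%s:%s", f[0], f[1], f[2]);
    if (w < 0 || (size_t)w >= outsz)
        return -1;
    if (n == NFIELDS) {
        int w2 = snprintf(out + w, outsz - (size_t)w, ":%s", f[3]);
        if (w2 < 0 || (size_t)w2 >= outsz - (size_t)w)
            return -1;
    }
    return 0;
}

/* 1 if altering ctx with the given overrides yields exactly expect, else 0. */
static int alter_yields(const char *ctx, const char *user, const char *role,
                        const char *type, const char *range, const char *expect)
{
    char out[4 * FIELD_MAX];
    if (alter_context(ctx, user, role, type, range, out, sizeof out) != 0)
        return 0;
    return strcmp(out, expect) == 0;
}

int main(void)
{
    /* constructed sample contexts; in runcon they would come from getcon() */
    char out[4 * FIELD_MAX];
    const char *ctx = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023";
    if (alter_context(ctx, NULL, NULL, "sandbox_t", NULL, out, sizeof out) == 0)
        printf("%s\n", out); /* runcon would security_check_context(), setexeccon(), then execvp() */
    if (alter_context("system_u:system_r:init_t", NULL, NULL, NULL, "s0", out, sizeof out) == 0)
        printf("%s\n", out);
    return 0;
}
```

The colon check on the first three fields is the defensive part: an override such as `-u 'x:y'` would otherwise shift every later field and still look like a syntactically valid context to a naive caller, so it is rejected before anything reaches security_check_context(3).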
ENVIRONMENT
    PATH  In which program is searched for when requested (except with -c), confer execvp(3).
EXIT STATUS
    - program wasn't found.
    - program exists, but couldn't be executed for a different reason.
    - an error occurred in runcon (SELinux is not active, the final context or a field is invalid, &c.).
    - All others: returned by program, if executed, or 0.
SEE ALSO
    runcon(1), getcon(3), getfscon(3), security_check_context(3), setexeccon(3), selinux(8)
STANDARDS
    Compatible with the GNU system, which exits 1 for set-up errors and executes program from the PATH even with -c, but uses it verbatim as the getfscon() argument: thus runcon -c true will fail unless there is a true file in the current working directory and, if there is, that file's context will be used for the computation rather than the real true's. This simply begs for a trojan horse scenario. Cf. runcon -c getfscon()s program verbatim but execve()s it; trojan
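The mismatch described above, labelling the bare name while executing the PATH hit, has a simple defensive shape: resolve program once and use that one path for both the label lookup and the exec. The following is an added C example of that shape; it is not this page's or any runcon implementation's code. It assumes a PATH string of execvp(3)'s form, leaves the label lookup itself (getfscon() in the page's terms) as a comment because it does not link against libselinux, and its self-test constructs a throwaway directory under /tmp.

```c
/* Added example, not code from the runcon page: resolve program through PATH
 * once, and use that single path both for reading its label and for exec,
 * instead of labelling the bare name (a file in the cwd) while executing the
 * PATH hit. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Find program on the colon-separated path (normally getenv("PATH")). A name
 * containing '/' is taken as-is, like execvp(3). On success writes the path to
 * out and returns 0; otherwise returns -1 and leaves out empty. Empty PATH
 * elements, which execvp(3) treats as the current directory, are skipped. */
static int resolve_program(const char *program, const char *path,
                           char *out, size_t outsz)
{
    out[0] = '\0';
    if (strchr(program, '/')) {
        if (strlen(program) >= outsz || access(program, X_OK) != 0)
            return -1;
        strcpy(out, program);
        return 0;
    }
    if (!path)
        return -1;
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > 0) {
            struct stat st;
            int w = snprintf(out, outsz, "%.*s/%s", (int)len, p, program);
            if (w > 0 && (size_t)w < outsz && stat(out, &st) == 0
                && S_ISREG(st.st_mode) && access(out, X_OK) == 0)
                return 0;
        }
        if (!end)
            break;
        p = end + 1;
    }
    out[0] = '\0';
    return -1;
}

/* Constructed fixture (assumption: /tmp is writable): a temporary directory
 * holding an executable script, listed on a PATH after a directory that does
 * not exist. Returns 1 when the bare name resolves to that script, an absent
 * name resolves to nothing, and a name containing '/' is used verbatim. */
static int selftest_resolve(void)
{
    char dir[] = "/tmp/runcon-exampleXXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char prog[300], path[400], found[300];
    snprintf(prog, sizeof prog, "%s/demo", dir);
    FILE *fp = fopen(prog, "w");
    if (!fp)
        return 0;
    fputs("#!/bin/sh\nexit 0\n", fp);
    fclose(fp);
    chmod(prog, 0755);
    snprintf(path, sizeof path, "/nonexistent-dir-for-example:%s", dir);
    int ok = resolve_program("demo", path, found, sizeof found) == 0
             && strcmp(found, prog) == 0;
    ok = ok && resolve_program("no-such-program-here", path, found, sizeof found) == -1
            && found[0] == '\0';
    ok = ok && resolve_program(prog, NULL, found, sizeof found) == 0
            && strcmp(found, prog) == 0;
    unlink(prog);
    rmdir(dir);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [argument]...\n", argv[0]);
        return 1;
    }
    char resolved[4096];
    if (resolve_program(argv[1], getenv("PATH"), resolved, sizeof resolved) != 0) {
        fprintf(stderr, "%s: not found on PATH\n", argv[1]);
        return 1;
    }
    /* A -c implementation would read the label of `resolved` here (getfscon()
     * in the page's terms), compute the transition from it, setexeccon() the
     * result, and only then exec the very same path: */
    execv(resolved, argv + 1);
    perror(resolved);
    return 1;
}
```

Using execv(2) on the resolved path, rather than execvp(3) on the original name, is what keeps the labelled file and the executed file the same; a second PATH walk inside execvp could pick a different file if PATH or the filesystem changed in between.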