| .TH "getkeycreatecon" "3" "9 September 2008" "dwalsh@redhat.com" "SELinux API documentation" |
| .SH "NAME" |
| getkeycreatecon, setkeycreatecon \- get or set the SELinux security context used for creating a new kernel keyrings |
| . |
| .SH "SYNOPSIS" |
| .B #include <selinux/selinux.h> |
| .sp |
| .BI "int getkeycreatecon(char **" con ); |
| .sp |
| .BI "int getkeycreatecon_raw(char **" con ); |
| .sp |
| .BI "int setkeycreatecon(char * "context ); |
| .sp |
| .BI "int setkeycreatecon_raw(char * "context ); |
| . |
| .SH "DESCRIPTION" |
| .BR getkeycreatecon () |
| retrieves the context used for creating a new kernel keyring. |
| This returned context should be freed with |
| .BR freecon (3) |
| if non-NULL. |
| .BR getkeycreatecon () |
| sets *con to NULL if no keycreate context has been explicitly |
| set by the program (i.e. using the default policy behavior). |
| |
| .BR setkeycreatecon () |
| sets the context used for creating a new kernel keyring. |
| NULL can be passed to |
| .BR setkeycreatecon () |
| to reset to the default policy behavior. |
| The keycreate context is automatically reset after the next |
| .BR execve (2), |
| so a program doesn't need to explicitly sanitize it upon startup. |
| |
| .BR setkeycreatecon () |
| can be applied prior to library |
| functions that internally perform an file creation, |
| in order to set an file context on the objects. |
| |
| .BR getkeycreatecon_raw () |
| and |
| .BR setkeycreatecon_raw () |
| behave identically to their non-raw counterparts but do not perform context |
| translation. |
| |
| .B Note: |
| Signal handlers that perform a |
| .BR setkeycreatecon () |
| must take care to |
| save, reset, and restore the keycreate context to avoid unexpected behavior. |
| |
| .br |
| .B Note: |
| Contexts are thread specific. |
| . |
| .SH "RETURN VALUE" |
| On error \-1 is returned. |
| On success 0 is returned. |
| . |
| .SH "SEE ALSO" |
| .BR selinux "(8), " freecon "(3), " getcon "(3), " getexeccon "(3)" |