LinuxCommandLibrary

getcon

Get the SELinux security context

SYNOPSIS

getcon

DESCRIPTION

The getcon command is a specialized utility within the SELinux (Security-Enhanced Linux) framework, designed to retrieve and display the security context of the process that executes it. In SELinux, a security context is a label applied to every object (processes, files, network ports, etc.) that defines its security attributes, including the user, role, type, and optionally, sensitivity and category (for MLS/MCS systems). This context is fundamental to how SELinux enforces access control, determining what a process can and cannot do based on its own context and the contexts of other objects it tries to access.

getcon is primarily used for debugging, scripting, or quickly verifying the security context of a running shell or application. Unlike commands such as ls -Z or ps -Z, which show the contexts of files or other processes, getcon reports only the context of the current process, making it a direct tool for understanding the caller's privileges from an SELinux perspective. Its output takes the form user:role:type:level, a concise summary of the process's current security identity.

CAVEATS

This command only produces meaningful output if SELinux is enabled and running on the system. If SELinux is disabled, it might return an error or a default unconfined context.

getcon exclusively displays the security context of the current process (the shell or script from which it's executed). It cannot be used to query the contexts of other files, directories, or processes. For those purposes, related SELinux utilities like ls -Z, ps -Z, or id -Z should be used.

The output format is fixed and cannot be customized via command-line options.

OUTPUT FORMAT

The output of getcon typically follows the format:

    user:role:type:level

For example:

    unconfined_u:unconfined_r:unconfined_t:s0

Where:

    user    Represents the SELinux user identity.

    role    Defines the role that the SELinux user is allowed to assume.

    type    The most crucial component, representing the domain for a process or the type for a file. This is the primary attribute used by policy rules to determine access.

    level   (Optional) Sensitivity and category information, relevant for Multi-Level Security (MLS) or Multi-Category Security (MCS) systems (e.g., s0, s0:c0.c1023).
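The following POSIX shell script is an added example, not part of this page or of the libselinux-utils package. It shows the scripting use mentioned above: splitting a context of the form user:role:type[:level] into its fields and checking that the current domain (the type field) is the one a script expects before it proceeds. Because the level is optional and may itself contain colons, the parser treats everything after the third colon as the level; it also accepts MCS ranges such as s0-s0:c0.c1023, which go slightly beyond the single-level example given above. The sample contexts are constructed; on a live SELinux system you would pass "$(getcon)" instead. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): parse an SELinux security
# context string and verify the process domain from a script.

# Return 0 if the string has at least the three mandatory fields
# (user:role:type), i.e. at least two colons.
validate_context() {
    case $1 in
        *:*:*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print one field of a context. Field names: user, role, type, level.
# Everything after the third colon is the level, so MLS/MCS levels and
# ranges that themselves contain colons (s0:c0.c1023, s0-s0:c0.c1023)
# are returned intact. An absent level prints an empty line.
context_field() {
    ctx=$1
    field=$2
    case $field in
        user)  printf '%s\n' "${ctx%%:*}" ;;
        role)  rest=${ctx#*:}
               printf '%s\n' "${rest%%:*}" ;;
        type)  rest=${ctx#*:*:}
               printf '%s\n' "${rest%%:*}" ;;
        level) rest=${ctx#*:*:*:}
               # No third colon matched: the context carries no level.
               if [ "$rest" = "$ctx" ]; then rest=; fi
               printf '%s\n' "$rest" ;;
        *)     printf 'unknown field: %s\n' "$field" >&2
               return 2 ;;
    esac
}

# Return 0 if the context's type (process domain) equals the expected one,
# 1 if it differs, 2 if the context string is malformed.
# Typical use at the top of a script on a real host:
#   require_domain "$(getcon)" unconfined_t || exit 1
require_domain() {
    ctx=$1
    expected=$2
    validate_context "$ctx" || return 2
    [ "$(context_field "$ctx" type)" = "$expected" ]
}

# Constructed sample contexts (not captured from a real system).
SAMPLE_MCS='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
SAMPLE_NOLEVEL='system_u:system_r:httpd_t'

# Stand-alone demonstration on the constructed samples.
for f in user role type level; do
    printf '%-6s %s\n' "$f" "$(context_field "$SAMPLE_MCS" "$f")"
done
if require_domain "$SAMPLE_NOLEVEL" httpd_t; then
    printf 'sample runs in the expected httpd_t domain\n'
else
    printf 'sample does NOT run in httpd_t\n'
fi
```

In a real deployment script, a failing require_domain check is the point to stop: a process that finds itself in an unexpected domain (for instance unconfined_t where a confined service domain was expected) is either misconfigured or was launched from the wrong context, and continuing would run with privileges the policy author did not intend.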

HISTORY

The getcon command emerged as part of the ongoing development of SELinux, a mandatory access control (MAC) security mechanism for Linux, primarily initiated by the National Security Agency (NSA) and later integrated into the Linux kernel and widely adopted by distributions like Red Hat Enterprise Linux. Its inclusion in the libselinux-utils package highlights its role as a fundamental utility for interacting with and understanding the SELinux security context system. Its design is intentionally minimalistic, reflecting its core purpose of providing a quick, straightforward way for users and scripts to query the current process's security identity within the SELinux security model.

SEE ALSO

setcon(1), id(1), ls(1), ps(1), chcon(1), semanage(8), selinux(8)
