getcon

Get the SELinux security context

SYNOPSIS

getcon [-h|--help] [-V|--version]

PARAMETERS

-h, --help
    Show usage help message and exit

-V, --version
    Display version information and exit

DESCRIPTION

getcon is a command-line utility from the SELinux (Security-Enhanced Linux) suite used to retrieve and print the SELinux security context of the current process to standard output. SELinux implements mandatory access control (MAC) through labels called security contexts, which are assigned to processes, files, and other objects. A typical context appears as user:role:type:range, where user identifies the SELinux user, role the role, type the domain/type for access decisions, and range the sensitivity level (for MLS/MCS policies).

This command calls the underlying getcon(2) or getcon_raw(3) library functions to query the kernel-enforced context. It is invaluable for SELinux troubleshooting, policy development, auditing process domains, and scripting context-aware automation. For instance, administrators use it to confirm domain transitions after runcon or service restarts.

Run without arguments, getcon prints one line of output. It requires SELinux support in the kernel and userspace libraries (libselinux). On systems without SELinux, it may fail or show default unconfined contexts.

CAVEATS

Requires SELinux to be enabled (check with getenforce); if it is disabled, getcon fails silently or reports an error. It prints only the context of the current process (use getpidcon for other processes). The context format assumes canonical SELinux labeling.

EXAMPLE

$ getcon
system_u:system_r:init_t:s0

$ ps auxZ | grep init    # compare with labeled ps output

OUTPUT FORMAT

Single line: <user>:<role>:<type>:<range>
e.g., unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
The range is omitted on non-MLS systems.
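
Scripts that consume this line have to allow for a range that contains colons of its own, or that is absent. The script below is an added example, not part of getcon or libselinux; ctx_field and ctx_in_domain are hypothetical helper names, and the sample contexts are constructed.

```shell
#!/bin/sh
# Added example. ctx_field and ctx_in_domain are hypothetical helper names.

# ctx_field CONTEXT user|role|type|range
# Prints one field of a context string; returns 1 if CONTEXT is malformed.
ctx_field() {
    _rest=$1
    # user, role and type never contain ':', but an MLS/MCS range can
    # (s0-s0:c0.c1023), so only the first three colons are separators.
    case $_rest in *:*:*) ;; *) return 1 ;; esac
    _user=${_rest%%:*}; _rest=${_rest#*:}
    _role=${_rest%%:*}; _rest=${_rest#*:}
    case $_rest in
        *:*) _type=${_rest%%:*}; _range=${_rest#*:} ;;
        *)   _type=$_rest;       _range= ;;   # range omitted (non-MLS policy)
    esac
    [ -n "$_user" ] && [ -n "$_role" ] && [ -n "$_type" ] || return 1
    case $2 in
        user)  printf '%s\n' "$_user" ;;
        role)  printf '%s\n' "$_role" ;;
        type)  printf '%s\n' "$_type" ;;
        range) printf '%s\n' "$_range" ;;
        *)     return 2 ;;
    esac
}

# ctx_in_domain CONTEXT EXPECTED_TYPE
# Exact comparison on the type field, instead of grepping the whole line,
# where the pattern could also match the user, role or a longer type name.
ctx_in_domain() {
    _got=$(ctx_field "$1" type) || return 1
    [ "$_got" = "$2" ]
}

# Constructed sample contexts; in real use pass "$(getcon)" instead.
for sample in \
    'system_u:system_r:init_t:s0' \
    'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' \
    'system_u:system_r:httpd_t' \
    'not-a-context'
do
    if t=$(ctx_field "$sample" type); then
        printf '%-55s type=%s range=%s\n' "$sample" "$t" "$(ctx_field "$sample" range)"
    else
        printf '%-55s malformed\n' "$sample"
    fi
done
```
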

HISTORY

Originated in the SELinux project, started by the NSA (1999-2001) for the Flask/TE MAC framework. User-space tools such as getcon were added in the early 2000s with libselinux. It entered Fedora/RHEL around 2004 (kernel 2.6.9+) and is now standard in most distros via the libselinux-utils package.

SEE ALSO

getpidcon(1), setcon(1), runcon(1), getenforce(8), sestatus(8), selinuxenabled(1)