chcontext [options] <command arguments>


chcontext allocates a new security context and executes a command in that context. By default, a new/unused context is allocated


--cap CAP_NAME

Add a capability from the command. This option may be repeated several time. See /usr/include/linux/capability.h In general, this option is used with the --secure option. --secure removes most critical capabilities and --cap adds specific ones.

--cap !CAP_NAME

Remove a capability from the command. This option may be repeated several time. See /usr/include/linux/capability.h

--ctx num

Select the context. Only root in context 0 is allowed to select a specific context. Context number 1 is special. It can see all processes in any contexts, but can't kill them though.


Start the command in background and make the process a child of process 1.

--domainname new_domainname

Set the domainname (NIS) in the new security context. Use "none" to unset the domainname.


Set one flag in the new or current security context. The following flags are supported. The option may be used several time.

   lock: The new process is trapped and can't use
         chcontext anymore.
   sched: The new process and its children will
          share a common execution priority.
   nproc: Limit the number of process in the
          vserver according to ulimit setting.
          Normally, ulimit is a per user thing.
          With this flag, it becomes a per vserver
   private: No one can join this security context
            once created.

--hostname new_hostname

Set the hostname in the new security context. This is needed because if you create a less privileged security context, it may be unable to change its hostname.


Remove all the capabilities to make a virtual server trustable.


Do not print the allocated context number.

Information about context is found in /proc/self/status




# You must be root, running X. # We start an xterm in another security context /usr/sbin/chcontext xterm &

# We check, there is no xterm running, yet we can # see it. ps ax | grep xterm

# Are we running in security context 0 # We check the s_context line in /proc/self/status cat /proc/self/status

# Ok we in security context 0 # Try the security context 1 /usr/sbin/chcontext --ctx 1 ps ax | grep xterm

# Ok, we see the xterm, we try to kill it /usr/sbin/chcontext --ctx 1 killall xterm

# No, security context 1 can see, but can't kill # let's find out in which security context this # xterm is running /usr/sbin/chcontext --ctx 1 ps ax | grep xterm

# Ok, this is PID XX. We need the security context /usr/sbin/chcontext --ctx 1 cat /proc/XX/status

# We see the s_context, this is SS. # We want to kill this process /usr/sbin/chcontext --ctx SS killall xterm

Please contribute some, if you feel it's important.


This Man page was written by Klavs Klavsen <[email protected]> and based upon the helpful output from the program itself and the documentation on the Virtual Server site <>

RELATED TO chcontext…