chcat

List all available categories

$ sudo chcat [[-L|--list]]

$ sudo chcat +[CategoryName] [path/to/file]

$ sudo chcat -- -[CategoryName] [path/to/file]

$ sudo chcat [CategoryName1,CategoryName2,...] [path/to/file]

$ ls [[-Z|--context]] [path/to/file]

$ sudo chcat [[-d|--delete]] [path/to/file]

chcat [options] category file...

-R, --recursive
    Recursively change category on directories and contents

-v, --verbose
    Output message for each processed file

-V, --version
    Display version information and exit

-h, --help
    Display help and exit

The chcat command sets or modifies the security.category extended attribute on files or directories. This attribute is an unsigned integer used for file categorization, often in Mandatory Access Control (MAC) systems or security policies like SELinux or Smack.

It is part of the attr package, which provides tools for manipulating extended attributes (xattrs) on Linux filesystems supporting them (e.g., ext4, XFS). The category value can be decimal, octal (prefixed with 0), or hexadecimal (prefixed with 0x).

Requires appropriate privileges (typically root or CAP_SYS_ADMIN). Without -R, it affects only specified files/directories. Verbose mode outputs changes for each processed item. If no files are given or '-' is used, reads paths from stdin.

Common use: enforcing security levels, e.g., chcat 42 /secure/files sets category 42.

Requires root or CAP_SYS_ADMIN; filesystem must support extended attributes; category is unsigned long integer (up to 2^64-1). No effect on non-xattr filesystems.

chcat -Rv 0x10 /tmp/files/
Recursively sets hex category 16 on /tmp/files/ with verbose output.

Pair with getcat to verify: getcat file retrieves current category.

Developed as part of the Linux attr package (since ~2000), implementing POSIX.1e draft specs for access control lists and categories. Maintained for extended attributes support in modern kernels.

getcat(1), setfattr(1), getfattr(1), lsattr(1)