LinuxCommandLibrary

chcon

Change file security context

TLDR

View security context of a file

$ ls [[-lZ|-l --context]] [path/to/file]

Change the security context of a target file, using a reference file
$ chcon --reference [reference_file] [target_file]

Change the full SELinux security context of a file
$ chcon [user]:[role]:[type]:[range/level] [filename]

Change only the user part of SELinux security context
$ chcon [[-u|--user]] [user] [filename]

Change only the role part of SELinux security context
$ chcon [[-r|--role]] [role] [filename]

Change only the type part of SELinux security context
$ chcon [[-t|--type]] [type] [filename]

Change only the range/level part of SELinux security context
$ chcon [[-l|--range]] [range/level] [filename]

SYNOPSIS

chcon [OPTION]... CONTEXT FILE...
chcon [OPTION]... {--reference=REF_FILE | --reference REF_FILE} FILE...

PARAMETERS

-c, --changes
    diagnose files changed

-f, --silent, --quiet
    suppress most error messages

-h, --no-dereference
    affect symlinks instead of targets

-l, --range=LEVELRANGE
    set SELinux levelrange

-r, --role=ROLE
    set SELinux role

-R, --recursive
    recurse into directories

-t, --type=TYPE
    set SELinux type

-u, --user=USER
    set SELinux user or USER:ROLE

-v, --verbose
    output message for each use

-Z
    compute and set context (alias for --context=?)

--reference[=RFILE]
    use RFILE's context as reference

--help
    display help and exit

--version
    output version information

DESCRIPTION

chcon is a command-line utility used to modify the SELinux (Security-Enhanced Linux) security context of files and directories. An SELinux context consists of four components, user:role:type:range, where the range is a sensitivity level with optional categories (for example s0:c0.c1023); together they define access decisions beyond standard Unix DAC.

It allows direct assignment of a full context string or partial updates (e.g., just the type with -t). Unlike restorecon, which resets files to their policy-defined defaults, chcon sets arbitrary contexts, making it powerful but risky if misused: an invalid context can deny access or violate policy.

Common use cases include labeling files for specific domains during custom setups, such as web content (httpd_sys_content_t) or user home directories. Always verify the result with ls -Z afterward. Recursive operation (-R) is useful for directories, but use it with care to avoid widespread mislabeling.

If CONTEXT is -, chcon reads the context from standard input; it also accepts a reference file (--reference) and reports what it did with -v or -c. It is essential for SELinux administration on systems enforcing mandatory access control (MAC).

CAVEATS

Misusing chcon can set invalid contexts, breaking SELinux policy enforcement or denying access. Prefer restorecon for defaults. Root privileges are often required.

CONTEXT FORMAT

A full context has the form user:role:type:range, for example system_u:object_r:httpd_sys_content_t:s0-s0:c0.c1023. A partial change such as -t httpd_exec_t keeps the existing user, role and range; passing a full context such as user_u:object_r:default_t:s0 replaces all four fields.
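The following shell helpers are an added example, not code from the LinuxCommandLibrary page or from coreutils. They model the context format described above and the "verify with ls -Z afterward" advice from the description: splitting a context into its four fields (the range may itself contain colons), merging a partial -u/-r/-t/-l change onto a current context the way chcon does, and scanning constructed ls -Z output for files whose type drifted from the expected one. Function names and the sample listing are invented for illustration.

```shell
#!/bin/sh
# Added example (not part of the LinuxCommandLibrary page): string-only
# helpers that model SELinux context handling, so they run without SELinux.

# A context is user:role:type:range. The range (sensitivity plus optional
# categories, e.g. s0-s0:c0.c1023) may itself contain colons, so the range
# is everything after the third colon, not merely the fourth field.
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_range() { printf '%s\n' "$1" | cut -d: -f4-; }

# Succeeds only if all four fields are present and non-empty.
ctx_valid() {
    [ -n "$(ctx_user "$1")" ] && [ -n "$(ctx_role "$1")" ] &&
    [ -n "$(ctx_type "$1")" ] && [ -n "$(ctx_range "$1")" ]
}

# Compute the context that results from a partial change, the way
# chcon -u/-r/-t/-l keeps every field you did not name.
# Usage: ctx_merge CURRENT USER ROLE TYPE RANGE   (empty string = keep)
ctx_merge() {
    printf '%s:%s:%s:%s\n' \
        "${2:-$(ctx_user "$1")}" "${3:-$(ctx_role "$1")}" \
        "${4:-$(ctx_type "$1")}" "${5:-$(ctx_range "$1")}"
}

# Post-change verification: read lines in `ls -Z` form ("context name")
# from stdin and print the names whose type differs from the expected one.
ctx_find_mismatch() {
    expected=$1
    while read -r ctx name; do
        [ "$(ctx_type "$ctx")" = "$expected" ] || printf '%s\n' "$name"
    done
}

# Constructed sample (hypothetical): what `ls -Z /var/www/html` might show
# after a recursive chcon that missed one file. On a real host, pipe the
# actual `ls -Z` output into ctx_find_mismatch instead.
SAMPLE_LISTING='system_u:object_r:httpd_sys_content_t:s0 index.html
system_u:object_r:httpd_sys_content_t:s0 style.css
unconfined_u:object_r:user_home_t:s0 upload.php'

# Returns the names in SAMPLE_LISTING that are not httpd_sys_content_t.
ctx_demo() {
    printf '%s\n' "$SAMPLE_LISTING" | ctx_find_mismatch httpd_sys_content_t
}
```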

EXAMPLES

chcon -t httpd_sys_content_t /var/www/html/file.html
chcon -R -u system_u -r object_r -t user_tmp_t /tmp/mydir
chcon --reference=/etc/passwd /home/user/file

HISTORY

chcon originated in SELinux tools (circa 2000) and was integrated into GNU coreutils around version 6.10 (2007), aligning with growing SELinux adoption in distributions like Fedora and RHEL.

SEE ALSO

restorecon(8), ls(1), getcon(1), semanage(8), sepolicy(8)
