chcon
Change file security context
TLDR
View security context of a file
Change the security context of a target file, using a reference file
Change the full SELinux security context of a file
Change only the user part of SELinux security context
Change only the role part of SELinux security context
Change only the type part of SELinux security context
Change only the range/level part of SELinux security context
SYNOPSIS
chcon [OPTION]... CONTEXT FILE...
chcon [OPTION]... --reference=RFILE FILE...
chcon [OPTION]... [-u USER] [-r ROLE] [-t TYPE] [-l RANGE] FILE...
PARAMETERS
CONTEXT
The target SELinux context (e.g., user:role:type:sensitivity).
-u, --user=USER
Set the SELinux user component of the security context.
-r, --role=ROLE
Set the SELinux role component of the security context.
-t, --type=TYPE
Set the SELinux type component of the security context. This is often the most critical component for policy enforcement.
-l, --range=RANGE
Set the SELinux sensitivity level or range (e.g., s0, s0:c0.c1023).
--reference=RFILE
Use the security context of RFILE instead of specifying CONTEXT explicitly.
-R, --recursive
Change contexts of files and directories recursively.
-v, --verbose
Output a diagnostic for every file processed.
-f, --force
Suppress most error messages.
-h, --no-dereference
Affect symbolic links themselves instead of their targets.
-H
If a command line argument is a symbolic link to a directory, traverse it.
-L
Traverse every symbolic link to a directory encountered.
-P
Do not traverse any symbolic links (this is the default behavior).
--help
Display help information and exit.
--version
Output version information and exit.
DESCRIPTION
The chcon command, standing for "change context," is a crucial utility on Linux systems employing SELinux (Security-Enhanced Linux). It allows system administrators to explicitly modify the SELinux security context of files, directories, and other file system objects. SELinux uses these contexts, stored as the security.selinux extended attribute and containing the SELinux user, role, type, and sensitivity level (e.g., system_u:object_r:httpd_sys_content_t:s0), to enforce mandatory access control (MAC) policies. Unlike traditional discretionary access control (DAC) permissions (read, write, execute), which a file's owner can relax at will, SELinux decisions are made against a system-wide policy that the owner cannot override, giving a more granular and robust security mechanism.
When files are created or moved, they typically inherit contexts from their parent directories or the creating process. However, in certain scenarios, such as when copying files from external sources, restoring backups, or troubleshooting SELinux denials, the inherited context might be incorrect or insufficient. chcon enables administrators to correct these labels manually, ensuring that applications and services have the necessary permissions to access resources and that the system maintains its security posture according to the defined SELinux policy. Proper context labeling is essential for SELinux to function correctly and prevent unauthorized operations.
CAVEATS
Using chcon requires a deep understanding of SELinux policies and contexts.
Incorrectly setting contexts can lead to significant system malfunctions, including applications failing to start, "Permission denied" errors for seemingly legitimate operations, or even system boot failures if critical system files are mislabeled.
It is generally safer and recommended to use the restorecon command to revert files to their default, policy-defined SELinux contexts, especially after restoring backups or moving files into standard locations, rather than manually setting contexts with chcon unless you have a specific, expert-level reason to do so. The changes made by chcon are immediate and persistent until explicitly changed again or reset by restorecon: chcon writes the new label to the file only and does not update the policy's file-context rules, so a later restorecon or a full filesystem relabel reverts the file to the policy default.
CHCON VS. RESTORECON
While both commands manipulate SELinux contexts, chcon allows you to explicitly set a context to any value you specify. In contrast, restorecon is designed to reset file contexts to their default values, as defined by the installed SELinux policy. restorecon uses the policy rules to determine the correct context for a given file path, making it the preferred command for fixing labeling issues automatically rather than manually assigning labels with chcon.
SELINUX CONTEXT STRUCTURE
An SELinux context is typically composed of four fields:
user: Represents an SELinux user identity, often mapping to a Linux user.
role: Defines a role that the user or process can assume, influencing what types they can access.
type: The most crucial component for file system objects, defining the type of the object (e.g., httpd_sys_content_t for web content, bin_t for executables). SELinux policy rules are heavily based on types.
sensitivity[:category]: Used for Multi-Level Security (MLS) or Multi-Category Security (MCS) and typically seen as s0 for single-level systems or s0:c0.c1023 for MCS.
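As an added example (not part of this reference page or of the chcon utility itself), the Python below parses contexts into the four fields described above, handling an MCS range that itself contains colons, audits constructed ls -Z output for files under a web root whose type is not the expected one, and builds the argv for the partial -u/-r/-t/-l forms from the SYNOPSIS. The sample paths and labels are constructed for illustration; the script only plans the change and does not run chcon.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple
# chcon option for each context component, from the SYNOPSIS above.
OPTION_FOR_FIELD = {"user": "-u", "role": "-r", "type": "-t", "range": "-l"}

@dataclass(frozen=True)
class Context:
    user: str   # SELinux user, e.g. system_u
    role: str   # role, object_r for file system objects
    type: str   # type, the field most policy rules key on
    range: str  # sensitivity[:category], e.g. s0 or s0:c0.c1023

    @classmethod
    def parse(cls, text: str) -> "Context":
        # The range may itself contain ':' (MCS categories), so split at most 3 times.
        parts = text.split(":", 3)
        if len(parts) != 4 or not all(parts):
            raise ValueError(f"malformed SELinux context: {text!r}")
        return cls(*parts)

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}:{self.range}"

def apply_partial(ctx: Context, **fields: str) -> Context:
    """Context a file ends up with after `chcon -u/-r/-t/-l` changes only the given fields."""
    return replace(ctx, **fields)  # an unknown field name raises TypeError

def chcon_argv(path: str, **fields: str) -> List[str]:
    """argv for a partial change, e.g. ['chcon', '-t', 'httpd_sys_content_t', path]."""
    argv = ["chcon"]
    for name, value in fields.items():
        argv += [OPTION_FOR_FIELD[name], value]
    return argv + [path]

def find_mislabeled(ls_z_output: str, expected_type: str) -> List[Tuple[str, Context]]:
    """(path, context) for every `ls -Z` line whose type differs from expected_type."""
    bad = []
    for line in ls_z_output.splitlines():
        if line.strip():
            label, path = line.split(None, 1)
            ctx = Context.parse(label)
            if ctx.type != expected_type:
                bad.append((path, ctx))
    return bad

# Constructed `ls -Z` output for illustration; two files carry a type the web server cannot read.
SAMPLE_LS_Z = """\
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/upload.php
system_u:object_r:admin_home_t:s0 /var/www/html/config.php
"""
```

For each path returned by find_mislabeled, apply_partial shows the resulting label and chcon_argv the command that would produce it; on a real system the CAVEATS above still apply and restorecon is the first thing to try.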
HISTORY
chcon is an integral part of the SELinux toolkit, which originated from the National Security Agency (NSA) as a research project to enhance security in Linux. It was integrated into the Linux kernel mainline in 2003. The chcon utility itself, along with restorecon and other SELinux management tools, is typically part of the policycoreutils package on distributions that heavily leverage SELinux, such as Red Hat Enterprise Linux (RHEL), CentOS, and Fedora. Its development has closely tracked the evolution and adoption of SELinux as a robust mandatory access control framework, becoming essential for administrators managing SELinux-enabled systems.