matchpathcon

Lookup the persistent security context setting of an absolute path

$ matchpathcon [/path/to/file]

$ matchpathcon -m [file|dir|pipe|chr_file|blk_file|lnk_file|sock_file] [/path/to/file]

$ matchpathcon -V [/path/to/file]

matchpathcon [options] path...

matchpathcon looks up the default SELinux security context for a given file path based on the file context configuration. It shows what context a file should have according to the SELinux policy, regardless of its current context.
This is useful for diagnosing SELinux issues—comparing the expected context (from matchpathcon) with the actual context (from ls -Z) reveals whether a file has been mislabeled.
The -V (verify) option directly compares the expected and actual contexts, reporting mismatches that may cause SELinux denials.

-m _type_

Restrict lookup to a specific file type: file, dir, pipe, chrfile, blkfile, lnkfile, or sockfile

Verify that the current context matches the expected persistent context

Do not display the path in output

Do not look up the context in the policy

Use an alternate policy root path

Only works on systems with SELinux enabled. The lookup is based on file path patterns, not actual file attributes. A path may match multiple patterns; the most specific pattern wins. This command shows policy defaults, not runtime overrides.

semanage-fcontext(8), restorecon(8), chcon(1), secon(1), ls(1)