LinuxCommandLibrary
GitHubF-DroidGoogle Play Store

matchpathcon

looks up the default SELinux security context for a given file path

TLDR

Lookup the persistent security context setting of an absolute path
$ matchpathcon [/path/to/file]
copy
Restrict lookup to settings on a specific file type
$ matchpathcon -m [file|dir|pipe|chr_file|blk_file|lnk_file|sock_file] [/path/to/file]
copy
Verify that the persistent and current security context agree
$ matchpathcon -V [/path/to/file]
copy

SYNOPSIS

matchpathcon [options] path...

DESCRIPTION

matchpathcon looks up the default SELinux security context for a given file path based on the file context configuration. It shows what context a file should have according to the SELinux policy, regardless of its current context.This is useful for diagnosing SELinux issues—comparing the expected context (from matchpathcon) with the actual context (from ls -Z) reveals whether a file has been mislabeled.The -V (verify) option directly compares the expected and actual contexts, reporting mismatches that may cause SELinux denials.

PARAMETERS

-m _type_

Restrict lookup to a specific file type: file, dir, pipe, chrfile, blkfile, lnkfile, or sockfile
-V
Verify that the current context matches the expected persistent context
-n
Do not display the path in output
-N
Do not look up the context in the policy
-P _policy_path_
Use an alternate policy root path

CAVEATS

Only works on systems with SELinux enabled. The lookup is based on file path patterns, not actual file attributes. A path may match multiple patterns; the most specific pattern wins. This command shows policy defaults, not runtime overrides.

SEE ALSO

semanage-fcontext(8), restorecon(8), chcon(1), secon(1), ls(1)

Copied to clipboard
Kai