LinuxCommandLibrary

matchpathcon

Determine the default SELinux security context of a path

TLDR

Look up the default (policy) security context of an absolute path

$ matchpathcon /[path/to/file]

Force the file type used for the lookup (needed when the path does not exist yet, since a file and a directory at the same path can get different contexts)
$ matchpathcon -m [file|dir|pipe|chr_file|blk_file|lnk_file|sock_file] /[path/to/file]

[V]erify that the context of a path on disk matches the default the policy assigns to it
$ matchpathcon -V /[path/to/file]

SYNOPSIS

matchpathcon [-V] [-N] [-n] [-m type] [-f file_contexts_file] [-p prefix] [-P policy_root_path] path [path...]

PARAMETERS

-m type
    Force the file type used for the lookup. Valid types are file, dir, pipe, chr_file, blk_file, lnk_file and sock_file. Identical paths can have different default contexts depending on the file type. If the path exists, its type is read from the file system; if it does not exist, no type matching is done unless -m is given.

-n
    Do not display the path; print only the context, one per line. Useful when the output is consumed by a script.

-N
    Do not apply context translations; print the raw context as stored by the kernel rather than the translated MLS/MCS level names that mcstransd would substitute.

-p prefix
    Only load the file_contexts entries that apply under prefix, which speeds up lookups against a large policy.

-V
    Verify that the context of the path on disk matches the default computed from the policy. Prints "path verified." on a match, and "path has context X, should be Y" on a mismatch.

-f file_contexts_file
    Use an alternate file_contexts file instead of the one belonging to the active policy. Useful for testing a custom policy before loading it.

-P policy_root_path
    Use an alternate policy root directory (the active one is /etc/selinux/<policy>). This allows checking contexts against a policy tree other than the active one.

path
    One or more file or directory paths for which to determine the default SELinux context.

DESCRIPTION

matchpathcon is a utility that determines the default SELinux security context for a given file or directory path. It consults the file_contexts configuration of the active policy, located under /etc/selinux/<policy>/contexts/files (where <policy> is the SELINUXTYPE set in /etc/selinux/config, for example targeted), to predict the label a file or directory would receive if it were created there or relabeled with restorecon. When no entry in the configuration matches the path, the context is printed as <<none>>.

This command is useful for SELinux administrators and developers to:

1. Understand how the policy applies contexts to different paths.
2. Troubleshoot SELinux permission denied errors by checking whether a file carries the context the policy expects.
3. Plan file system layouts in SELinux enabled environments, for example to confirm that a new directory will be labeled so that the intended service can reach it.

It does not modify any contexts on the file system; it only reports what the loaded policy rules specify.

CAVEATS

The context printed by matchpathcon is the policy default, not the label currently on disk. The two diverge when a file was labeled by hand with chcon, when it was moved with mv (which keeps the label of the source, unlike cp, which labels the copy for its new location), when the policy or a semanage fcontext rule changed after the file was created, when restorecon has not been run, or when the file system does not support SELinux labels. Compare the two with matchpathcon -V or ls -Z before concluding that a denial is a policy problem rather than a labeling problem. For a path that does not exist yet, pass -m with the intended file type, since the same path can map to different contexts for a file and a directory.

EXIT STATUS

The command exits 0 when every path was looked up (or, with -V, checked) without error, and nonzero when a lookup failed, for example because the file_contexts file could not be read. A path that no file_contexts entry matches is not an error: the context is printed as <<none>> and the exit status stays 0. Scripts should therefore act on the printed output (the context, or the "verified." and "has context ..., should be ..." lines from -V) rather than on the exit status alone.

CONTEXT FORMAT

The output SELinux context follows the format user:role:type:level (e.g., system_u:object_r:usr_t:s0). For files the role is always object_r, and the type is the component that most access rules are written against, so a wrong type is what usually produces a denial. On MLS/MCS systems the level may itself contain a colon (e.g., s0-s0:c0.c1023), so scripts that split a context on ':' should treat everything after the third field as the level.
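The checks a practitioner wants around -V and scripted use, as an added example that is not part of this page or of libselinux: a POSIX sh script that runs matchpathcon -V over a list of paths, parses each output line, and classifies any drift by the context field that differs, so that a wrong type (the usual cause of a denial) is distinguished from a harmless MCS level difference. The output formats it parses ("path verified.", "path has context X, should be Y", and <<none>> for an unmatched path) are the ones the tool prints; the function names and the sample output are my own, and the sample is constructed, not captured from a real host, so the parsing can be tried without SELinux.

```shell
#!/bin/sh
# Added example, not from the matchpathcon manual or libselinux: audit paths
# for label drift with `matchpathcon -V` and classify each mismatch by which
# field of user:role:type:level differs. The parsing functions work on the
# text matchpathcon prints, so they are exercised on constructed sample output
# and need no SELinux-enabled host; only audit_paths calls the real tool.

# Field N of a context (1=user, 2=role, 3=type, 4=level). The level itself may
# contain ':' (e.g. s0-s0:c0.c1023), so field 4 takes the rest of the string.
context_field() {
    case $2 in
        4) printf '%s\n' "$1" | cut -d: -f4- ;;
        *) printf '%s\n' "$1" | cut -d: -f"$2" ;;
    esac
}

# Classify one line of `matchpathcon -V` output. Prints one word:
#   ok               on-disk context equals the policy default
#   no-policy-entry  the policy has no entry for the path (expected is <<none>>)
#   type-drift       the type differs (this is what changes access decisions)
#   other-drift      user or role differs, type is right
#   level-drift      only the MLS/MCS level differs
#   unknown          matchpathcon could not read the on-disk context
#   unparsed         anything else (error messages, unexpected formats)
classify_verify_line() {
    _line=$1
    case $_line in
        *" verified.")                    echo ok ;;
        "actual context unknown: "*)      echo unknown ;;
        *", should be <<none>>")          echo no-policy-entry ;;
        *" has context "*", should be "*)
            _actual=${_line#* has context }
            _actual=${_actual%%, should be *}
            _expected=${_line##*, should be }
            if [ "$(context_field "$_actual" 3)" != "$(context_field "$_expected" 3)" ]; then
                echo type-drift
            elif [ "$(context_field "$_actual" 1)" != "$(context_field "$_expected" 1)" ] \
              || [ "$(context_field "$_actual" 2)" != "$(context_field "$_expected" 2)" ]; then
                echo other-drift
            else
                echo level-drift
            fi ;;
        *)                                echo unparsed ;;
    esac
}

# Count the lines on stdin that fall into class $1.
count_class() {
    _want=$1
    _n=0
    while IFS= read -r _l; do
        if [ "$(classify_verify_line "$_l")" = "$_want" ]; then
            _n=$((_n + 1))
        fi
    done
    echo "$_n"
}

# Run the real tool over the given paths and prefix each output line with its
# class. Returns 1 if any type-drift was found, so it can gate a deployment or
# feed a monitoring check (do not rely on matchpathcon's own exit status to
# signal a mismatch); returns 2 if matchpathcon itself failed.
audit_paths() {
    _out=$(matchpathcon -V "$@" 2>&1) || return 2
    printf '%s\n' "$_out" | while IFS= read -r _l; do
        printf '%s\t%s\n' "$(classify_verify_line "$_l")" "$_l"
    done
    [ "$(printf '%s\n' "$_out" | count_class type-drift)" -eq 0 ]
}

# Constructed sample of `matchpathcon -V` output (not captured from a real
# host): a correct file, a web root file still carrying a home-directory type
# after a `mv`, a file whose only difference is the MCS category, a directory
# with the wrong SELinux user, and a path the policy does not cover.
SAMPLE_OUTPUT='/etc/passwd verified.
/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/srv/data/report.csv has context system_u:object_r:var_t:s0, should be system_u:object_r:var_t:s0:c0.c10
/var/www/html/uploads has context unconfined_u:object_r:httpd_sys_content_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/opt/unlabeled/tool has context system_u:object_r:usr_t:s0, should be <<none>>'

# On a host with SELinux, audit real paths with:
#   audit_paths /etc/passwd /var/www/html/*
```

Only the type-drift class is treated as a failure by audit_paths: a differing MCS category or SELinux user rarely changes a targeted-policy access decision, while a wrong type is exactly what restorecon would need to fix before the service can read the file. The <<none>> case is kept separate because it means the policy, not the file, needs a semanage fcontext rule.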

HISTORY

matchpathcon ships with libselinux, the user-space library of the SELinux project that originated at the National Security Agency (NSA), and is a thin command-line wrapper around the matchpathcon(3) library call of the same name. That library interface has since been deprecated in favour of selabel_open(3) and selabel_lookup(3) with the file backend, but the command remains the standard way to ask the policy what label a path should carry, and is usually the first step when debugging a labeling problem.

SEE ALSO

restorecon(8), setfiles(8), chcon(1), semanage(8), semanage-fcontext(8), ls(1), matchpathcon(3), selabel_file(5), selinux(8)
