runcon
Run command with different SELinux security context
TLDR
Print the security context of the current process (runcon with no arguments)
Specify the domain (type) to run a command in (-t)
Specify the role to run a command with (-r)
Specify the full context, user:role:type[:range], to run a command with
SYNOPSIS
runcon CONTEXT COMMAND [ARGS]
runcon [-c] [-u USER] [-r ROLE] [-t TYPE] [-l RANGE] COMMAND [ARGS]
runcon
PARAMETERS
CONTEXT
The complete security context, user:role:type[:range], to run the command under. The first argument is taken as the context only when none of -c, -t, -u, -r or -l is given.
COMMAND
The command to execute. It is looked up in PATH and executed with execvp, so shell builtins cannot be used.
[ARGS]
Arguments passed to the command.
-c, --compute
Compute the context the process would transition to on execve under the loaded policy, and apply the -u, -r, -t and -l modifications to that computed context instead of the caller's current one.
-t, --type=TYPE
Run with the specified type (domain), keeping the current role.
-r, --role=ROLE
Run with the specified role.
-u, --user=USER
Run with the specified SELinux user identity.
-l, --range=RANGE
Run with the specified MLS/MCS range (level or low-high range, e.g. s0 or s0-s0:c0.c1023).
Any component not given by an option is taken from the current context (or, with -c, from the computed transition context). --help and --version are also accepted.
DESCRIPTION
The runcon command executes COMMAND with the SELinux security context given as CONTEXT, or with the caller's current context modified by the -u, -r, -t and -l options (with -c, the modifications are applied to the context the process would transition to on execve). The loaded policy does not change; what changes is the label, and therefore the domain, that the new process runs in. This is useful for policy testing and for launching a program in a more confined domain than the caller's.
SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) architecture in the Linux kernel. Every process carries a label of the form user:role:type[:range], and the loaded policy decides which transitions between labels are allowed. runcon validates the requested context against the policy, sets it with setexeccon(3) and then execs COMMAND; the kernel applies the new label at execve, so runcon itself never runs under the target context and the exec fails if the policy does not permit the transition from the caller's domain. With neither CONTEXT nor COMMAND, runcon prints the current security context and exits.
runcon is primarily a security-administration and policy-testing tool, letting a program be exercised as if it were part of a different security domain. Only carefully chosen contexts are likely to run at all, and launching a program in a less restrictive domain than intended weakens the confinement the policy is meant to provide, so consider the implications before using it.
CAVEATS
runcon requires an SELinux-enabled kernel: on a kernel without SELinux it refuses to run and exits with status 125. With SELinux in permissive mode, or with a misconfigured policy, a transition may succeed that enforcing mode would deny, so check the mode with getenforce before relying on runcon for isolation.
The new context is a label, not a privilege. Discretionary (DAC) permissions, the UID and capabilities are unchanged; the policy must explicitly allow the transition from the caller's domain to the target type, and the target type must be valid for the requested role and user, otherwise runcon fails with an invalid-context or permission-denied error. Because the transition happens at execve, runcon cannot relabel the calling shell or run shell builtins under the new context.
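The checks described above, collected into a small POSIX shell wrapper. This is an added example, not coreutils code: the helper names ctx_build, ctx_valid, runcon_status_msg and runcon_checked, and the script name in the usage comment, are this example's own; the exit-status values and the use of selinuxenabled (from libselinux-utils) are as documented.

```shell
#!/bin/sh
# Added example (not part of coreutils): build and sanity-check a context,
# confirm the kernel has SELinux enabled, then hand off to runcon and
# translate its reserved exit statuses. Helper names are assumptions.

# Assemble user:role:type[:range]; the MLS/MCS range is optional.
ctx_build() {
    if [ -n "${4:-}" ]; then
        printf '%s:%s:%s:%s\n' "$1" "$2" "$3" "$4"
    else
        printf '%s:%s:%s\n' "$1" "$2" "$3"
    fi
}

# Syntactic check only: three non-empty colon-free fields, optionally
# followed by a range, which may itself contain colons (s0-s0:c0.c1023).
# Whether the context is actually valid is decided by the loaded policy.
ctx_valid() {
    printf '%s' "$1" |
        grep -Eq '^[^:[:space:]]+:[^:[:space:]]+:[^:[:space:]]+(:[^[:space:]]+)?$'
}

# Explain runcon's reserved exit statuses (coreutils convention).
runcon_status_msg() {
    case "$1" in
        125) echo "runcon itself failed (SELinux disabled, or context rejected by policy)" ;;
        126) echo "command found but could not be invoked" ;;
        127) echo "command not found" ;;
        *)   echo "command exited with status $1" ;;
    esac
}

# Run COMMAND under CONTEXT after the precondition checks.
runcon_checked() {
    ctx=$1
    shift
    if ! ctx_valid "$ctx"; then
        echo "malformed context: $ctx" >&2
        return 2
    fi
    if ! selinuxenabled 2>/dev/null; then
        echo "SELinux is not enabled on this kernel; runcon cannot switch context" >&2
        return 125
    fi
    runcon "$ctx" "$@"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        runcon_status_msg "$rc" >&2
    fi
    return "$rc"
}

# Only act when invoked with arguments, e.g. (script name is an assumption):
#   ./runcon_checked.sh "$(ctx_build system_u system_r unconfined_t s0)" id -Z
if [ "$#" -gt 0 ]; then
    runcon_checked "$@"
fi
```

The wrapper deliberately checks only the shape of the context; the authoritative validation is the kernel's, which runcon performs itself, and a syntactically valid context can still be refused because the transition from the caller's domain is not allowed by policy.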
EXAMPLES
Run `ls -l` under the complete context `system_u:system_r:unconfined_t:s0` (the loaded policy must allow the caller's domain to transition to it):
runcon system_u:system_r:unconfined_t:s0 ls -l
Run `ls -l` with the SELinux user identity changed to user_u, keeping the current role, type and range:
runcon -u user_u ls -l
EXIT STATUS
runcon exits with status 125 if it fails itself (for example SELinux is not enabled, the context is invalid, or the transition is denied), 126 if COMMAND was found but could not be invoked, 127 if COMMAND could not be found, and otherwise with the exit status of COMMAND.
HISTORY
runcon came out of the SELinux project as a way to execute commands under specific security contexts and is now part of GNU coreutils. It has been a standard tool for system administrators working with SELinux policy, and it has evolved alongside SELinux itself, gaining support for computed transition contexts and for MLS/MCS ranges. From the start it offered a simpler means than calling the libselinux context-setting functions from C code, which made testing and policy refinement more approachable.