LinuxCommandLibrary

runcon

Run command with different SELinux security context

TLDR

Print the security context of the current execution context

$ runcon

Specify the domain to run a command in
$ runcon [[-t|--type]] [domain]_t [command]

Specify the context role to run a command with
$ runcon [[-r|--role]] [role]_r [command]

Specify the full context to run a command with
$ runcon [user]_u:[role]_r:[domain]_t [command]

SYNOPSIS

runcon [OPTIONS] CONTEXT COMMAND [ARGS...]
runcon [OPTIONS] (-u USER | -r ROLE | -t TYPE | -l RANGE | -P) COMMAND [ARGS...]
runcon [OPTIONS] -c COMMAND [ARGS...]
runcon [OPTIONS] -- COMMAND [ARGS...]

PARAMETERS

CONTEXT
    The full SELinux context string (e.g., unconfined_u:unconfined_r:unconfined_t:s0) to apply to the COMMAND.

-u USER, --user=USER
    Set the SELinux user part of the new security context.

-r ROLE, --role=ROLE
    Set the SELinux role part of the new security context.

-t TYPE, --type=TYPE
    Set the SELinux type (domain) part of the new security context. This is often the most significant component for access control decisions.

-l RANGE, --range=RANGE
    Set the SELinux level (sensitivity and category) part of the new security context. Typically used in multi-level security (MLS) or multi-category security (MCS) environments.

-P
    Use the context derived from the policy for the specified user, role, type, and range (if specified). This option is useful for precise context derivation according to policy rules.

-c, --compute
    Compute the context from the executable's file context as defined by the SELinux policy, without explicitly specifying a full context string. This is useful for running a program in its default, intended domain.

--
    Indicates the end of runcon options, allowing subsequent arguments to be treated as part of the COMMAND to be executed, even if they start with a hyphen. When used alone (runcon -- COMMAND), it executes the COMMAND in its default domain transition as per policy.

COMMAND
    The executable command or program to run with the new security context.

ARGS...
    Any arguments to be passed to the COMMAND.

DESCRIPTION

The runcon command allows a user to execute a program or command with a specified SELinux security context.

In SELinux, every process and file has an associated security context, which is a label that contains information about the SELinux user, role, type, and optionally a sensitivity/category range. These contexts are used by the SELinux policy to determine what operations are allowed or denied.

runcon is particularly useful for:
Testing: Experimenting with different contexts to see their effect on a program's behavior or access permissions.
Debugging: Identifying why a program is being denied access by SELinux by trying a more permissive context.
Privileged Operations: Running specific commands with a tightly controlled, elevated context without granting broader system permissions to the user.

By changing the context of the executed command, runcon enables administrators and developers to precisely control and test the SELinux policy's impact on applications and services. It acts as an interface to the underlying SELinux setexeccon() system call.

CAVEATS

Using runcon requires SELinux to be enabled and enforcing on the system.

The user attempting to use runcon must have the necessary SELinux permissions to transition to the specified target context. Without appropriate policy rules, context transitions will be denied, resulting in an error.

Misuse of runcon, such as running commands with overly permissive contexts, can bypass SELinux protections and introduce security vulnerabilities. It should be used with a clear understanding of the SELinux policy.

CONTEXT TRANSITION

When runcon executes a command, it performs a context transition. This means the new process will inherit the specified SELinux context, not the context of the calling process. The SELinux policy then dictates what resources (files, sockets, other processes) the new process can access based on its new context.

DEFAULT BEHAVIOR

If no specific context or context parts are provided (e.g., using only runcon -- COMMAND), runcon will attempt to execute COMMAND in its default context as defined by the SELinux policy. This default context is typically determined by the file context of the executable and applicable domain transition rules.
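The following added example (written for this page; it is not part of runcon, coreutils or LinuxCommandLibrary) shows the structure of the CONTEXT string described under PARAMETERS and DESCRIPTION, and the checks from CAVEATS, as a small POSIX sh script. It splits a context into its user, role, type and optional level fields, rejects strings that do not follow the user_u:role_r:type_t[:level] shape, and only then hands the context to runcon. The sample context, the name safe_runcon and the use of /sys/fs/selinux/enforce as the "SELinux is present" check are assumptions made for the example.

```shell
#!/bin/sh
# Added example: parse and validate an SELinux context before passing it to runcon.
# Not runcon's own code; the helper names and the selinuxfs check are assumptions.

# split_context CTX: sets CTX_USER, CTX_ROLE, CTX_TYPE, CTX_LEVEL and CTX_HAS_LEVEL.
# The first three fields are split on ':'; everything after the third colon is
# the level, which may itself contain ':' (e.g. s0-s0:c0.c1023).
split_context() {
    ctx=$1
    case $ctx in
        *:*:*) ;;          # need at least user:role:type
        *) return 1 ;;
    esac
    CTX_USER=${ctx%%:*}
    rest=${ctx#*:}
    CTX_ROLE=${rest%%:*}
    rest=${rest#*:}
    CTX_TYPE=${rest%%:*}
    case $rest in
        *:*) CTX_LEVEL=${rest#*:}; CTX_HAS_LEVEL=1 ;;
        *)   CTX_LEVEL=;           CTX_HAS_LEVEL=0 ;;
    esac
    return 0
}

# validate_selinux_context CTX: returns 0 for USER_u:ROLE_r:TYPE_t[:LEVEL], 1 otherwise.
# LEVEL follows the MLS/MCS shape sN[:cN[.cM|,cM...]][-sN[:...]].
validate_selinux_context() {
    split_context "$1" || return 1
    # empty names, stray characters and wrong suffixes are all rejected
    case $CTX_USER in _u|*[!A-Za-z0-9_.-]*) return 1 ;; *_u) ;; *) return 1 ;; esac
    case $CTX_ROLE in _r|*[!A-Za-z0-9_.-]*) return 1 ;; *_r) ;; *) return 1 ;; esac
    case $CTX_TYPE in _t|*[!A-Za-z0-9_.-]*) return 1 ;; *_t) ;; *) return 1 ;; esac
    if [ "$CTX_HAS_LEVEL" -eq 1 ]; then
        printf '%s\n' "$CTX_LEVEL" |
            grep -Eq '^s[0-9]+(:c[0-9]+([.,]c[0-9]+)*)?(-s[0-9]+(:c[0-9]+([.,]c[0-9]+)*)?)?$' ||
            return 1
    fi
    return 0
}

# context_field FIELD CTX: prints one part (user|role|type|level) of CTX.
context_field() {
    split_context "$2" || return 1
    case $1 in
        user)  printf '%s\n' "$CTX_USER" ;;
        role)  printf '%s\n' "$CTX_ROLE" ;;
        type)  printf '%s\n' "$CTX_TYPE" ;;
        level) printf '%s\n' "$CTX_LEVEL" ;;
        *)     return 2 ;;
    esac
}

# safe_runcon CTX COMMAND [ARGS...]: refuse to call runcon unless SELinux is
# present on the host (assumption: selinuxfs mounted at /sys/fs/selinux) and
# CTX is well-formed; otherwise run the command and let runcon's status propagate.
safe_runcon() {
    ctx=$1; shift
    if [ ! -e /sys/fs/selinux/enforce ]; then
        echo "safe_runcon: SELinux is not enabled on this host" >&2
        return 125
    fi
    if ! validate_selinux_context "$ctx"; then
        echo "safe_runcon: malformed context '$ctx'" >&2
        return 125
    fi
    runcon "$ctx" "$@"
}

# Constructed sample context (not taken from any real host).
SAMPLE_CTX='system_u:system_r:httpd_t:s0-s0:c0.c1023'
echo "type field of sample: $(context_field type "$SAMPLE_CTX")"
echo "level field of sample: $(context_field level "$SAMPLE_CTX")"
```

A typical call is safe_runcon "$SAMPLE_CTX" /usr/bin/id -Z, which either prints the context the new process actually received or fails with runcon's own error when the policy does not allow the transition. The validator only checks the shape of the string; whether the policy permits a transition to that context is decided by the kernel at exec time, as described under CAVEATS.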

HISTORY

runcon is an integral part of the SELinux userspace utilities, which were developed alongside the SELinux kernel modules to provide a comprehensive mandatory access control framework for Linux. It emerged as a crucial tool for administrators and developers to manage and debug SELinux policies.

Its development reflects the ongoing need for precise control over process contexts in highly secure environments. It leverages the setexeccon() system call, allowing for programmatic context changes, which has been a stable feature of the SELinux framework for many years.

SEE ALSO

chcon(1), getcon(1), sestatus(8), setenforce(8), semanage(8), execcon(3)
