LinuxCommandLibrary

setcon

Set the SELinux security context of processes

SYNOPSIS

setcon [-n] [-f|-c|-p] [CONTEXT | -t TYPE | -r ROLE | -u USER] [FILE|PID]

PARAMETERS

-n
    Do not perform any validity checking on the context.

-f
    Set the context of a file.

-c
    Set the context of a running process by its PID.

-p
    Set the context of a persistent process (if supported).

CONTEXT
    The full security context string to assign. Example: system_u:object_r:httpd_sys_content_t:s0

-t TYPE
    Set the type component of the security context.

-r ROLE
    Set the role component of the security context.

-u USER
    Set the user component of the security context.

FILE
    The file whose context is to be changed. Use with the -f option.

PID
    The process ID of the running process whose context is to be changed. Use with the -c option.

DESCRIPTION

The setcon command allows you to change the Security Enhanced Linux (SELinux) security context of a file or a running process.

This is a powerful tool that should be used with caution, as incorrect usage can compromise system security. It is primarily used for testing, debugging, and in situations where a specific security context is absolutely necessary, particularly within customized SELinux policies. The new context can be specified as a complete security context string, or one component at a time: -t sets the type, -r the role, and -u the user, leaving the other components unchanged. It is crucial to have a thorough understanding of SELinux policies and their implications before using setcon.

When modifying the context of a running process, note that the change only persists for that execution of the process. Once the process terminates and restarts, it will inherit the context assigned by the system's init process.
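The following is an added example, not code from the LinuxCommandLibrary page or from the SELinux project. It models the user:role:type[:level] structure of a context string and the component-wise replacement that the -u, -r and -t options describe, plus a weak syntactic check of the kind the -n option would skip. The identifier pattern, the _u/_r/_t suffix convention and the function names are assumptions for illustration; only the loaded policy can decide whether a context is actually valid.

```python
"""Added example (not the LinuxCommandLibrary page's or the SELinux project's
own code): models the user:role:type[:level] structure of an SELinux context
and the component-wise overrides that the -u / -r / -t options describe.
The identifier and suffix checks are illustrative assumptions, not the
kernel's policy validation."""
from dataclasses import dataclass, replace
from typing import List, Optional
import re

# Constructed rule: identifiers as they appear in reference-policy contexts.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")


@dataclass(frozen=True)
class SELinuxContext:
    user: str
    role: str
    type: str
    level: Optional[str] = None  # MLS/MCS range such as "s0" or "s0-s0:c0.c1023"

    def __str__(self) -> str:
        base = f"{self.user}:{self.role}:{self.type}"
        return base if self.level is None else f"{base}:{self.level}"


def parse_context(ctx: str) -> SELinuxContext:
    """Split a context string into its components.

    The level field may itself contain ':' (category sets), so only the
    first three fields are split off and the remainder is kept whole."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"context needs at least user:role:type, got {ctx!r}")
    user, role, type_ = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return SELinuxContext(user, role, type_, level)


def apply_overrides(ctx: str, user: Optional[str] = None,
                    role: Optional[str] = None,
                    type_: Optional[str] = None) -> str:
    """Return ctx with only the given components replaced, the way
    -u USER / -r ROLE / -t TYPE change one part and leave the rest."""
    c = parse_context(ctx)
    changes = {k: v for k, v in (("user", user), ("role", role), ("type", type_))
               if v is not None}
    return str(replace(c, **changes))


def check_context(ctx: str) -> List[str]:
    """Syntactic sanity check of the kind a -n flag would skip.

    This is deliberately weak: it cannot know whether the loaded policy
    defines the user, role or type, or whether the role is permitted for
    the user and the type for the role. Only the policy can answer that."""
    problems = []
    try:
        c = parse_context(ctx)
    except ValueError as exc:
        return [str(exc)]
    for name, value, suffix in (("user", c.user, "_u"),
                                ("role", c.role, "_r"),
                                ("type", c.type, "_t")):
        if not _IDENT.match(value):
            problems.append(f"{name} {value!r} is not a valid identifier")
        elif not value.endswith(suffix):
            # reference-policy naming convention (assumption, not a rule)
            problems.append(f"{name} {value!r} does not end in {suffix}")
    if c.level is not None and not re.match(r"^s\d+", c.level):
        problems.append(f"level {c.level!r} does not start with a sensitivity")
    return problems


if __name__ == "__main__":
    original = "system_u:object_r:httpd_sys_content_t:s0"
    print(apply_overrides(original, type_="var_t"))
    print(check_context("system_u:object_r:bad type:s0"))
```

The split on the first three colons matters: an MCS range such as s0-s0:c0.c1023 contains a colon of its own, and a naive split on every colon would corrupt the level when rebuilding the string.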

CAVEATS

Incorrectly setting security contexts can lead to application malfunctions or security vulnerabilities.

Modifying the context of a process only affects the running instance and is lost upon restart.

EXAMPLES

setcon system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
    Sets the context of the file /var/www/html/index.html to system_u:object_r:httpd_sys_content_t:s0.

setcon -t httpd_sys_content_t /var/www/html/index.html
    Sets just the type part of the context of the file /var/www/html/index.html to httpd_sys_content_t.

setcon -c system_u:system_r:init_t:s0 1234
    Sets the context of process ID 1234 to system_u:system_r:init_t:s0.

SECURITY IMPLICATIONS

Using setcon bypasses the standard SELinux policy enforcement mechanisms. If used improperly, it can grant excessive permissions or restrict necessary access, leading to both security breaches and system instability.

It is not advisable to use this command except in specific SELinux policy development or debugging situations. It is highly advisable to rely on tools like chcon and restorecon in production environments.

HISTORY

setcon is a core part of the SELinux user space tools, developed alongside SELinux itself to provide the ability to manipulate security contexts. Its primary purpose is to enable fine-grained access control based on security policies. It has evolved alongside SELinux and has been included in all major distributions supporting SELinux.

SEE ALSO

chcon(1), restorecon(8), semanage(8), selinux(8)
