LinuxCommandLibrary

setcon

Set the SELinux security context of processes

SYNOPSIS

setcon [OPTION]... CONTEXT [COMMAND [ARG]...]
setcon -r

PARAMETERS

CONTEXT
    The new SELinux security context string (e.g., system_u:system_r:httpd_t:s0) to apply to the shell or command.

COMMAND [ARG]...
    An optional command and its arguments to execute with the specified CONTEXT. If omitted, the current shell's context is changed.

-r, --restore
    Restores the default security context for the current user, typically derived from user mapping policies configured in SELinux.

-h, --help
    Displays a help message and exits.

-V, --version
    Displays version information and exits.

DESCRIPTION

setcon is a utility within the SELinux toolkit used to change the current security context of the user's shell or to execute a specified command with a different security context.

In SELinux, every process, file, and system resource is labeled with a security context, typically composed of four colon-separated fields: a user, a role, a type, and a sensitivity level with optional categories (e.g., unconfined_u:unconfined_r:unconfined_t:s0). setcon allows administrators and policy developers to temporarily assume a different context, which is invaluable for testing SELinux policies, debugging access control issues, or performing actions that require specific SELinux domains.

When used without a command, it modifies the context of the current shell for subsequent operations. If a command is provided, setcon executes that command in the specified context, similar to runcon. Changing contexts usually requires root privileges or specific SELinux policy permissions; that restriction is what keeps the mechanism from undermining system security.
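The following POSIX shell script is an added example, not code from the LinuxCommandLibrary page or from the policycoreutils project. It splits a context string into the user, role, type and level fields described above, validates each field before the string is handed to setcon, and compares the type field of two contexts so that a script can confirm (for example against the output of getcon) that a transition landed in the expected domain. The function names parse_context, ctx_field, same_domain and run_in_context, and the SETCON_DRY_RUN environment variable, are this example's own inventions; with SETCON_DRY_RUN set, run_in_context prints the setcon invocation instead of executing it, so the script runs offline on hosts without SELinux.

```shell
#!/bin/sh
# Added example (not from the page or the project): validate SELinux context
# strings of the form user:role:type[:level] before passing them to setcon.

# Split CONTEXT into ctx_user/ctx_role/ctx_type/ctx_level (shell globals) and
# print the fields one per line. Returns 1 on a malformed label.
parse_context() {
    ctx=$1
    case "$ctx" in
        *:*:*) ;;                                   # need at least three fields
        *) echo "malformed context: $ctx" >&2; return 1 ;;
    esac
    ctx_user=${ctx%%:*};  rest=${ctx#*:}
    ctx_role=${rest%%:*}; rest=${rest#*:}
    ctx_type=${rest%%:*}
    case "$rest" in
        *:*) ctx_level=${rest#*:} ;;                # level may itself contain ':' (s0-s0:c0.c1023)
        *)   ctx_level= ;;
    esac
    for f in "$ctx_user" "$ctx_role" "$ctx_type"; do
        case "$f" in
            ''|*[!A-Za-z0-9_.-]*)                   # non-empty identifier characters only
                echo "invalid field in context: $ctx" >&2; return 1 ;;
        esac
    done
    case "$ctx_level" in
        ''|s[0-9]*) ;;                              # empty or a sensitivity like s0, s0-s0:c0.c1023
        *) echo "invalid level in context: $ctx" >&2; return 1 ;;
    esac
    printf '%s\n%s\n%s\n%s\n' "$ctx_user" "$ctx_role" "$ctx_type" "$ctx_level"
}

# Print one named field (user|role|type|level) of CONTEXT.
ctx_field() {
    parse_context "$1" >/dev/null || return 1
    case "$2" in
        user)  printf '%s\n' "$ctx_user" ;;
        role)  printf '%s\n' "$ctx_role" ;;
        type)  printf '%s\n' "$ctx_type" ;;
        level) printf '%s\n' "$ctx_level" ;;
        *) echo "unknown field: $2" >&2; return 1 ;;
    esac
}

# Succeed if two contexts share the same type (domain); levels may differ.
# Useful to check that getcon reports the domain you asked setcon for.
same_domain() {
    a=$(ctx_field "$1" type) || return 1
    b=$(ctx_field "$2" type) || return 1
    [ "$a" = "$b" ]
}

# Validate CONTEXT, then run COMMAND under it with setcon. With SETCON_DRY_RUN
# set (hypothetical variable for this example) print the invocation instead.
run_in_context() {
    ctx=$1; shift
    parse_context "$ctx" >/dev/null || return 1
    if [ -n "${SETCON_DRY_RUN:-}" ]; then
        printf 'setcon %s' "$ctx"
        for a in "$@"; do printf ' %s' "$a"; done
        printf '\n'
        return 0
    fi
    setcon "$ctx" "$@"
}

# Stand-alone demo on constructed labels; dry run so it needs no SELinux.
SETCON_DRY_RUN=1 run_in_context system_u:system_r:httpd_t:s0 /usr/bin/id
same_domain system_u:system_r:httpd_t:s0 system_u:system_r:httpd_t:s0-s0:c0.c1023 \
    && echo "same domain: httpd_t"
```

The validation is deliberately syntactic: whether the transition is actually allowed is decided by the loaded policy, so a context that passes parse_context can still be refused by setcon with a permission denied error.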

CAVEATS

Changing contexts with setcon typically requires root privileges or specific SELinux capabilities (e.g., CAP_SETFCAP or CAP_SETPCAP).
The target security context must be explicitly permitted by the active SELinux policy for the current user or process; otherwise, the command will fail with a permission denied error.
Using setcon on a shell alters the context for all subsequent commands within that shell until it's reset or the shell is exited.

USAGE NOTE FOR SHELLS

When setcon is used without a COMMAND, it changes the security context of the *current shell session*. All subsequent commands executed within that shell will run under the new context. To revert to the previous context, one can use setcon -r or simply exit and reopen the shell.

PERMISSIONS AND POLICY

The ability to change security contexts is strictly governed by the SELinux policy. A user cannot arbitrarily change to any context; the policy must contain rules allowing the transition from the current context to the target context. This is a core security feature of SELinux to prevent privilege escalation.

HISTORY

setcon is an integral part of the policycoreutils package, which provides essential utilities for managing SELinux. SELinux itself was initially developed by the National Security Agency (NSA) and later integrated into the Linux kernel mainline in 2000. Tools like setcon have been fundamental to interacting with SELinux's mandatory access control system, allowing precise control and testing of security contexts since the early adoption and development of SELinux.

SEE ALSO

runcon(1), chcon(1), getcon(1), semanage(8), setsebool(8), restorecon(8), selinux(8)
