
chcon command: change the security context of a file or directory

chcon (short for "change context" or "change security context") changes the SELinux security context of a file or directory. We can specify the complete new context, as we saw in the cp example, or change only one portion of it: the user through -u user, the role through -r role, the type through -t type, or the range (level) through -l range.

Syntax:

chcon [OPTION]... CONTEXT FILE...
chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...
chcon [OPTION]... --reference=RFILE FILE...

Brief description of options available with the 'chcon' command.

Option                  Description
--dereference           Affect the referent of each symbolic link (the default), rather than the symbolic link itself
-h, --no-dereference    Affect symbolic links instead of any referenced file
-u, --user=USER         Set user USER in the target security context
-r, --role=ROLE         Set role ROLE in the target security context
-t, --type=TYPE         Set type TYPE in the target security context
-l, --range=RANGE       Set range RANGE in the target security context
--no-preserve-root      Do not treat '/' specially (the default)
--preserve-root         Fail to operate recursively on '/'
--reference=RFILE       Use RFILE's security context rather than specifying a CONTEXT value
-R, --recursive         Operate on files and directories recursively
-v, --verbose           Output a diagnostic for every file processed
-H                      If a command-line argument is a symbolic link to a directory, traverse it
-L                      Traverse every symbolic link to a directory encountered
-P                      Do not traverse any symbolic links (default)
--help                  Display this help and exit
--version               Output version information and exit

Running chcon command in Linux terminal

Examples:

View security context of a file

To display the security context of a file, use the ls command with the -Z option. Use the following syntax:

ls -Z path_to/file

Change the security context using a reference file

To apply another file's security context to a file, use chcon with the --reference option. Use the following syntax:

chcon --reference=reference_file target_file

Specify the full SELinux security context of a file

You can specify the full security context exactly by using the following syntax:

chcon user:role:type:range/level filename

Change only the user part of SELinux security context

To change only the user part of the security context, use the -u flag with the following syntax:

chcon -u user file

Change only the role part of SELinux security context

To change only the role part of the security context, use the -r flag with the following syntax:

chcon -r role file

Change only the type part of SELinux security context

To change only the type part of the security context, use the -t flag with the following syntax:

chcon -t type file

Change only the range/level part of SELinux security context

To change only the range/level part of the security context, use the -l flag with the following syntax:

chcon -l range/level file
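
The -u, -r, -t and -l options above each replace one field of the user:role:type:range string and leave the others alone. The shell function below is an added example, not part of the original tutorial: it previews the context such a change would produce without calling chcon. The function name new_context and the sample contexts are constructed for illustration.

```shell
#!/bin/sh
# Added example: preview the context chcon -u/-r/-t/-l would produce.
# Pure string handling; it never calls chcon or touches a file.

# new_context CURRENT [-u USER] [-r ROLE] [-t TYPE] [-l RANGE]
# Prints the resulting context, or returns 1 on malformed input.
new_context() {
    nc_ctx=$1; shift
    # At least user:role:type is required.
    case $nc_ctx in
        *:*:*) ;;
        *) echo "not a user:role:type[:range] context: $nc_ctx" >&2; return 1 ;;
    esac
    # Split off the first three fields only. The range is optional and an
    # MLS/MCS range can itself contain ':' (for example s0-s0:c0.c1023),
    # so everything after the third ':' is kept as one piece.
    nc_user=${nc_ctx%%:*}; nc_rest=${nc_ctx#*:}
    nc_role=${nc_rest%%:*}; nc_rest=${nc_rest#*:}
    case $nc_rest in
        *:*) nc_type=${nc_rest%%:*}; nc_range=${nc_rest#*:} ;;
        *)   nc_type=$nc_rest; nc_range= ;;
    esac
    # Apply the per-field overrides, mirroring chcon's -u/-r/-t/-l.
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || { echo "option $1 needs a value" >&2; return 1; }
        case $1 in
            -u) nc_user=$2 ;;
            -r) nc_role=$2 ;;
            -t) nc_type=$2 ;;
            -l) nc_range=$2 ;;
            *) echo "unsupported option: $1" >&2; return 1 ;;
        esac
        shift 2
    done
    if [ -z "$nc_user" ] || [ -z "$nc_role" ] || [ -z "$nc_type" ]; then
        echo "user, role and type must not be empty" >&2; return 1
    fi
    printf '%s:%s:%s%s\n' "$nc_user" "$nc_role" "$nc_type" "${nc_range:+:$nc_range}"
}

# Constructed sample contexts (not taken from a real system).
new_context system_u:object_r:httpd_config_t:s0 -t httpd_sys_content_t
new_context unconfined_u:object_r:user_home_t:s0-s0:c0.c1023 -u system_u -l s0
```

After running the real chcon command, compare the previewed value with the output of ls -Z on the file.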

Recursively change SELinux security context

Use the -R option to change the security context of all files in a directory recursively, using the following syntax:

chcon -R system_u:object_r:httpd_config_t:s0 directory_name

Conclusion

In this tutorial, we used the chcon command-line utility to change the security context of files and directories. We covered several approaches: changing individual parts of the security context, using another file as a reference, and traversing symbolic links.



About the author:
Pradeep has expertise in Linux, Go, Nginx, Apache, CyberSecurity, AppSec and various other technical areas. He has contributed to numerous publications and websites, providing his readers with insightful and informative content.