
15 SELinux chcon Command Examples to Change Security Context


In SELinux, one of the tasks you will do frequently is changing the security context (the label) of a file or directory. For this, you use the chcon command.

chcon stands for Change Context.

This command is used to change the SELinux security context of a file.

This tutorial explains the following chcon command examples:

  1. Change the Full SELinux Context
  2. Change Context Using Another File as a Reference
  3. Change Only the User in SELinux Context
  4. Change Only the Role in SELinux Context
  5. Change Only the Type in SELinux Context
  6. Change Only the Range (Level) in SELinux Context
  7. Combine User, Role, Type, Level in chcon
  8. Default Behavior of Chcon on Symbolic Link
  9. Force Change SELinux Context of Symbolic Link
  10. Change SELinux Context Recursively
  11. Display Verbose Details of chcon Operation
  12. Chcon Default Behavior on Symbolic links for Recursive
  13. Force chcon to Traverse Specified Symbolic links for Recursive
  14. Force chcon to Traverse ALL Symbolic links for Recursive
  15. Chcon Behavior on / root directory for Systemwide Change

1. Change the Full SELinux Context

To view security context of a file, use -Z (uppercase Z) option in the ls command as shown below.

In the above example, the security context of the httpd.conf file is the following:



That is a wrong SELinux context for the httpd.conf file that is under /etc/httpd/conf directory.

So, to change the security context, use the following chcon command.

In the above example, we have changed the security context of httpd.conf file to the following, which is the correct one.

We can verify this by using the following ls -lZ command.

Note: In the above example, we are giving the full SELinux context of the file (i.e. user, role, type and range) in the format user:role:type:range, rather than changing individual parts of it. chcon only changes the label stored on the file; it does not change the policy, so the context you set must be one the loaded policy already knows about.

Any time you are faced with an SELinux-related issue, you may be tempted to just disable SELinux as we explained earlier. But in many situations you will find out that the file in question simply has the wrong security context, which can be corrected with the chcon command. Keep in mind that chcon sets the label directly without consulting the file-context rules of the policy, so a later restorecon or a full filesystem relabel will reset the file to whatever context the policy specifies.

2. Change Context Using Another File as a Reference

Sometimes you might not know what SELinux context you should be setting for a file.

In that case, you can use the security context of another file as a reference, and use that to assign it to your file.

Basically, instead of specifying the full SELinux context for the file, you are just using another file’s context for your file.

In the following example, we see that ssl.conf and httpd.conf have different SELinux contexts.

In this case, we know that the ssl.conf file has the correct security context. But, the httpd.conf has incorrect one.

So, we’ll change the security context of httpd.conf file, but we’ll use the context of ssl.conf as a reference for this change as shown below.

After the above change, you can see that the httpd.conf file has the same security context as the ssl.conf file.

On a related note, to view the current status of SELinux use sestatus command. It is important that you understand the output of sestatus command as explained here: 3 SELinux sestatus Command Output Explained with Examples

3. Change Only the USER in SELinux Context

Instead of changing the whole SELinux security context, we can also change only partial value of it.

The following is the current security context of the httpd.conf file.

In the above example, “unconfined_u” is the USER part of the security context.

Using chcon -u option, we can change only the user part of the security context.

In the following example, we are setting the user part of the security context to system_u for the httpd.conf file.

As you see from the following output, only the USER part of the security context is changed for the httpd.conf file.

You can also use --user instead of -u. Both of the following commands are exactly the same.

4. Change Only the ROLE in SELinux Context

Using chcon -r option, we can change only the ROLE part of the security context.

In the following example, we are setting the role part of the security context to object_r for the httpd.conf file.

As you see from the following output, only the ROLE part of the security context is changed for the httpd.conf file.

When you give a role that SELinux does not recognize, you'll get the following invalid argument error. In this example, there is no such role as "identity_r".

You can also use --role instead of -r. Both of the following commands are exactly the same.

5. Change Only the TYPE in SELinux Context

This is probably the option you will use most, since TYPE is what matters most of the time in a typical SELinux setup: under the default targeted policy, access decisions are made on the type (type enforcement).

The following is the current security context of the httpd.conf file.

In the above example, “admin_home_t” is the TYPE part of the security context.

Using chcon -t option, we can change only the type part of the security context.

In the following example, we are setting the type part of the security context to httpd_config_t for the httpd.conf file.

As you see from the following output, only the TYPE part of the security context is changed for the httpd.conf file.

You can also use --type instead of -t. Both of the following commands are exactly the same.

6. Change Only the RANGE (Level) in SELinux Context

Using the chcon -l option, we can change only the RANGE part (also called the level) of the security context. The range only carries meaning under the MLS and MCS policies; on a typical targeted-policy system it is s0 and you will rarely change it.

In the following example, we are setting the range part of the security context to “s0” for the httpd.conf file.

As you see from the following output, only the RANGE part of the security context is changed for the httpd.conf file.

You can also use --range instead of -l. Both of the following commands are exactly the same.

7. Combine User, Role, Type, Level in chcon

You can combine the user (-u), role (-r), type (-t), or level (-l) option in chcon.

For example, the following will change all four of them as shown below.

Or, you can mix and match and change only few of them at a time. For example, in the following example, we are changing only the USER and TYPE of the httpd.conf file.
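The following is an added example, not part of the original article: small POSIX-shell helpers that mimic what chcon -u, -r, -t and -l do to a context string, so you can see how the four fields compose (sections 3 to 7) before touching a real file. The field splitting treats everything after the third colon as the range, because MLS/MCS ranges such as s0-s0:c0.c1023 contain colons themselves. The relabel wrapper at the end applies the result with chcon and reads the label back with stat -c %C, and relabel_like covers the --reference case from section 2; both are skipped when SELinux is not enabled. The function names, the sample contexts and the selinuxenabled check are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Helpers that mirror what
# chcon -u/-r/-t/-l do to a context string, plus a wrapper that applies the
# result with chcon and reads the label back. Names are assumptions.

# ctx_field CONTEXT N: print field N (1=user, 2=role, 3=type, 4=range).
# Everything after the third colon is the range, because an MLS/MCS range
# such as s0-s0:c0.c1023 contains colons of its own.
ctx_field() {
    case "$2" in
        4) printf '%s\n' "$1" | cut -d: -f4- ;;
        *) printf '%s\n' "$1" | cut -d: -f"$2" ;;
    esac
}

# ctx_set CONTEXT [-u USER] [-r ROLE] [-t TYPE] [-l RANGE]: print the new
# context. Parts not mentioned are kept, as chcon does with partial options.
ctx_set() {
    ctx=$1; shift
    u=$(ctx_field "$ctx" 1); r=$(ctx_field "$ctx" 2)
    t=$(ctx_field "$ctx" 3); l=$(ctx_field "$ctx" 4)
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || { echo "ctx_set: $1 needs a value" >&2; return 1; }
        case "$1" in
            -u) u=$2 ;;
            -r) r=$2 ;;
            -t) t=$2 ;;
            -l) l=$2 ;;
            *) echo "ctx_set: unknown option $1" >&2; return 1 ;;
        esac
        shift 2
    done
    printf '%s:%s:%s:%s\n' "$u" "$r" "$t" "$l"
}

# relabel FILE [chcon options...]: run chcon with the given options on FILE
# and print the resulting label (GNU stat -c %C prints the SELinux context).
# Example: relabel /etc/httpd/conf/httpd.conf -u system_u -t httpd_config_t
# Returns 1 without running anything when SELinux is not enabled.
relabel() {
    f=$1; shift
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        echo "SELinux is not enabled; would run: chcon $* $f" >&2
        return 1
    fi
    chcon "$@" "$f" && stat -c %C "$f"
}

# relabel_like REFERENCE FILE: copy REFERENCE's whole context onto FILE,
# the same thing as chcon --reference=REFERENCE FILE.
relabel_like() {
    relabel "$2" --reference="$1"
}
```

ctx_set is deliberately strict about the option syntax and rejects anything it does not know, so a typo in a script produces an error instead of a half-applied label; chcon itself behaves the same way for unknown options but accepts any field value and leaves it to the kernel to reject unknown users, roles or types with "Invalid argument".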

8. Default Behavior of Chcon on Symbolic Link

In the following example, apache.conf is a symbolic link to the httpd.conf file. Both of them have the wrong security context.

In the following example, I’m changing the USER and TYPE for the apache.conf symbolic link.

BUT, as you see here, this actually changed the SELinux context of the file the link points to, not the context of the symbolic link itself.

This is the default behavior of the chcon command: it changes the context of the file the link points to instead of the symbolic link itself.

This behavior is called dereferencing. chcon has an explicit --dereference option that selects it, i.e. it affects the referenced file rather than the symbolic link.

Both of the following examples are exactly the same.

9. Force Change SELinux Context of Symbolic Link

Instead of changing security context of the file that is referenced by a symbolic link, you can also force chcon to change the context of the symbolic link itself.

In the following example, apache.conf is a symbolic link to the httpd.conf file. Both of them have the wrong security context.

When we specify the --no-dereference option, chcon changes the context of the symbolic link itself and not the file it points to.

So, the following example will change the USER and TYPE for apache.conf symbolic link (and not the httpd.conf file).

As you see from the following, only the SELinux context of apache.conf symbolic link is changed to the one we specified above.

Instead of --no-dereference, we can also specify the -h option as shown below.

Both of the following commands are exactly the same.
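As an added example (not from the original article), the following shell snippet makes the dereferencing behavior of sections 8 and 9 observable without reading labels: stat -L follows a symbolic link the way plain chcon does, and stat without -L stops at the link the way chcon -h does, so comparing inode numbers shows which object each form of the command would relabel. The temporary files, the function names and the gated chcon call are my assumptions; chcon is only invoked when selinuxenabled reports that SELinux is on.

```shell
#!/bin/sh
# Added example (not from the original article). Shows which object a chcon
# on a symbolic link affects, using inode numbers from GNU stat so it runs
# with or without SELinux. Function names and the temp layout are assumptions.

# affected_inode PATH [-h]: inode of the object that "chcon PATH" (default,
# dereferencing) or "chcon -h PATH" (no dereference) would relabel.
# stat -L follows the link like chcon's default; plain stat stops at the link.
affected_inode() {
    if [ "${2:-}" = -h ]; then
        stat -c %i "$1"
    else
        stat -L -c %i "$1"
    fi
}

# demo_symlink: create httpd.conf and apache.conf -> httpd.conf in a temp
# directory and check that the default form targets the file while -h
# targets the link. If SELinux is enabled, also relabel the link for real
# and print both labels. Returns 0 when the behaviour matches.
demo_symlink() {
    d=$(mktemp -d) || return 1
    : > "$d/httpd.conf"
    ln -s httpd.conf "$d/apache.conf"
    file_ino=$(stat -c %i "$d/httpd.conf")
    link_ino=$(stat -c %i "$d/apache.conf")
    deref=$(affected_inode "$d/apache.conf")
    noderef=$(affected_inode "$d/apache.conf" -h)
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        # Only the link's own label should change here, not httpd.conf's.
        chcon -h -t httpd_config_t "$d/apache.conf" \
            || echo "chcon -h failed (policy or permission)" >&2
        stat -c '%n %C' "$d/apache.conf" "$d/httpd.conf"
    fi
    rm -rf "$d"
    [ "$deref" = "$file_ino" ] && [ "$noderef" = "$link_ino" ]
}
```

The same stat trick is a quick way to answer "which file will this chcon actually touch?" before running it on a production path, which matters when a link under /etc points at a file in a directory whose label you do not want to disturb.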

10. Change SELinux Context Recursively

In this example, the following is the current SELinux context of all the files under conf.d.

Using the chcon -R (recursive) option, we can change the context of all the files in conf.d to the given security context as shown below.

As you see below, the context is recursively changed for all the files in the conf.d

Note: If there are other sub-directories inside conf.d, all of those sub-directories and the files underneath them will also be affected by the -R option.

You can also use the --recursive option. Both of the following commands are exactly the same.

11. Display Verbose Details of chcon Operation

Using -v option, you can display the details of what chcon is doing.

-v stands for verbose, which will display the name of the file that is currently getting processed by the chcon command as shown below.

This is very helpful when you combine it with the -R recursive option, where you may be changing the context of a lot of files and want to see what chcon is currently doing, as shown below.

12. Chcon Default Behavior on Symbolic links for Recursive

In this example, “config” is a symbolic link to conf.d directory as shown below.

By default, when you do a recursive operation on a symbolic link, chcon does not follow the link into the directory it points to.

You can see this by combining the -v option with -R, which shows no file names from the target directory in the output. This indicates that chcon is not traversing through the "config" symbolic link. Note that with -R, chcon does not dereference the link either: whatever label change is made lands on the symbolic link itself, not on the directory it points to.

This default behavior can also be selected explicitly with the -P (uppercase P) option.

So, both of the following commands are exactly the same. Neither will traverse symbolic links.

13. Force chcon to Traverse Specified Symbolic links for Recursive

In this example, “config” is a symbolic link to conf.d directory as shown below.

When you name a symbolic link on the chcon command line, you can force chcon to follow that link (but not links found while descending into the tree) using the -H option, as shown below.

As you see from the following output, chcon traverses the config symbolic link and processes all the files when the -H option is given along with -R.

14. Force chcon to Traverse ALL Symbolic links for Recursive

In this example, “config” is a symbolic link to conf.d directory as shown below.

In the following example, inside the config directory there is an "ndd" directory, which is itself a symbolic link.

If you want chcon to follow every symbolic link it encounters during the recursive operation, specify the -L option.

The following command combines the -L option with -R. This will follow every symbolic link it encounters. For example, as you see below, it has followed the "ndd" symbolic link and processed all the files under it.

Note: -P, -H and -L (along with -R) are mutually exclusive; if for some reason you specify more than one of them, whichever appears last on the command line takes effect.

15. Chcon Behavior on / Root Directory for Systemwide Change

By default, you can use chcon to recursively change SELinux context on all the files under your root filesystem as shown below.

This is the "don't preserve root" behavior (i.e. --no-preserve-root is the default).

WARNING: Don't execute this command on your system. You'll end up with an unusable system. Both of the following commands behave exactly the same.

It is not recommended unless you know what you are doing, since you don't want every file on your system to carry the same SELinux context. If you made a mistake and set a wrong context on a file, use the restorecon command to restore the SELinux context that the policy specifies.

When you specify the --preserve-root option on the command line, chcon refuses to operate recursively on /, as shown below.

Since the default behavior is dangerous, to avoid accidental mistakes any time you use the -R recursive option on a large directory (especially from inside a shell script), I recommend that you use --preserve-root. That way, if you accidentally give / at the end of the chcon command, it will not change the labels of all the files on your system.
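The following is an added example, not from the original article, covering the traversal modes of sections 12 to 14 and the root guard of section 15. GNU find accepts the same -P, -H and -L options with the same meaning as chcon -R, so running find with the chosen mode previews exactly which objects a recursive chcon would process. The safe_relabel wrapper always passes --preserve-root and additionally refuses any argument whose canonical path is /, as a second guard that is independent of chcon's own check. The directory layout (conf.d, config, ndd) mirrors the article's; the function names, the extra "other" directory and the readlink-based guard are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Preview what a recursive
# chcon would touch, and guard against relabeling the whole filesystem.
# GNU find takes the same -P/-H/-L options as chcon -R, so "find MODE PATH"
# lists exactly what "chcon -R MODE CONTEXT PATH" would process. Nothing
# here needs SELinux except safe_relabel's final chcon call.

# preview_count MODE PATH: number of objects a recursive chcon would visit
# under PATH with MODE one of -P (default), -H, -L.
preview_count() {
    find "$1" "$2" | wc -l | tr -d ' '
}

# demo_traversal: build conf.d/{a.conf,b.conf}, a link config -> conf.d and,
# inside conf.d, a link ndd -> ../other (which holds c.conf). Prints the
# counts for each mode when chcon is pointed at the "config" symlink:
#   -P : the link itself only                          -> 1
#   -H : config followed, ndd not (conf.d,a,b,ndd)     -> 4
#   -L : every link followed (plus other/c.conf)       -> 5
demo_traversal() {
    d=$(mktemp -d) || return 1
    mkdir "$d/conf.d" "$d/other"
    : > "$d/conf.d/a.conf"; : > "$d/conf.d/b.conf"; : > "$d/other/c.conf"
    ln -s conf.d "$d/config"
    ln -s ../other "$d/conf.d/ndd"
    p=$(preview_count -P "$d/config")
    h=$(preview_count -H "$d/config")
    l=$(preview_count -L "$d/config")
    rm -rf "$d"
    echo "$p $h $l"
}

# safe_relabel CONTEXT PATH...: recursive relabel that refuses "/" or any
# path resolving to it, always passes --preserve-root, and runs with -v so
# the processed names are visible. Returns 2 when a path is refused.
safe_relabel() {
    ctx=$1; shift
    for p in "$@"; do
        if [ "$(readlink -f -- "$p")" = / ]; then
            echo "safe_relabel: refusing to relabel the root filesystem ($p)" >&2
            return 2
        fi
    done
    chcon -R -v --preserve-root "$ctx" "$@"
}
```

Run preview_count with the mode you intend to give chcon before the real relabel; if the count is far larger than the directory you thought you were labeling, a symbolic link somewhere in the tree is pulling in more of the filesystem than you expected, which is exactly the situation where -L turns a small fix into a systemwide change.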
