|
Getting your Trinity Audio player ready...
|
In this post, we are going to discuss on SELinux chcon command in Redhat Linux with examples to Change Security Context. You might have experienced SELINUX related issues in linux. Even after disabling the SELinux server is left with the wrong contexts file.
Table of Contents
chcon Command in Linux
chcon command-line utility is available to fix the security context of files or folders.
chcon Command Meaning
As the name suggests chcon is a combination of two words Change and Context. Where ch stands for Change and con stands for Context.
chcon command in linux is used for changing the SELinux security context of a file or folder.
chcon Command MAN Page
You can have a look at chcon command man page below.
# man chcon chcon - change file SELinux security context Syntax chcon [OPTION]... CONTEXT FILE... chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE... chcon [OPTION]... --reference=RFILE FILE... DESCRIPTION Change the SELinux security context of each FILE to CONTEXT. With --reference, change the security context of each FILE to that of RFILE. Mandatory arguments to long options are mandatory for short options too. --dereference affect the referent of each symbolic link (this is the default), rather than the symbolic link itself -h, --no-dereference affect symbolic links instead of any referenced file. -u, --user=USER set user USER in the target security context -r, --role=ROLE set role ROLE in the target security context -t, --type=TYPE set type TYPE in the target security context -l, --range=RANGE set range RANGE in the target security context --no-preserve-root do not treat '/' specially (the default) --preserve-root fail to operate recursively on '/' --reference=RFILE RFILE's security context ratherthanspecifying a CONTEXT value -R, --recursive operate on files and directories recursively -v, --verbose output a diagnostic for every file processed The following options modify how a hierarchy is traversed when the -R option is also specified. If more than one is specified,only the final one takes effect. -H if a command line argument is a symbolic link to a directory, traverse it -L traverse every symbolic link to a directory encountered -P do not traverse any symbolic links (default) --help display this help and exit --version output version information and exit
How to change the security context in linux
There are many switches available with chcon. You can refer to the man page shared above. Will share a few common usages of the chcon command for reference with examples.
10 SELinux chcon command examples to Change Security Context
Let us see how we can use chcon command various options for changing the security context by 10 SELinux chcon command examples.
1.How to change full SELinux context 2.How to replicate context from one file to other 3.How to change user only in SELinux context 4.How to change ROLE in the SELinux context 5.How to change TYPE in SELinux context 6.How to change RANGE in the SELinux context 7.Using combined options for User, Role, Type, Range in chcon 8.How chcon behaves with links type files 9.Forcefully changing SELinux context of links type files 10.Change SELinux context Recursively
Let us review one by one.
How to change full SELinux context
Use uppercase Z option with ls command to view the security context of a file. See below example of how to see full SELinux Context.
# ls -lZ yum.conf.BKP -rwxr-xr-x. root root unconfined_u:object_r:etc_t:s0 yum.conf.BKP
You can see the full security context of the yum.conf.BKP file is as below.
unconfined_u:object_r: etc_t:s0
This is the wrong SELinux context for the yum.conf.BKP. So How to Change the Full SELinux Context of a file is as below.
# chcon system_u:object_r:etc_t:s0 yum.conf.BKP
So we have changed the security context of yum.conf.BKP file to correct one.
system_u:object_r:etc_t:s0
We can verify this by using the following ls -lZ command. After change validates it again and sees the difference.
# ls -lZ yum.conf.BKP -rwxr-xr-x. root root system_u:object_r:etc_t:s0 yum.conf.BKP
In case you have found some SELinux related issues people try to disable it first. Even after Disabling SELinux, you may have file context issues.
Most of the time SELinux context permissions remain associated with files even after SELinux is disabled.
I guess you might be well aware of How to enable SELinux or How to disable SELinux. But still, if you want to know you can use highlighted links.
How to Replicate Context from one file to other
In case of any confusion, this is the best option to change the context file using another file as a reference as you may not be well aware of what should be correct SELinux context needed for a file.
This is basically a replication of exiting file SELinux context from one file to another.
# ls -lZ -rw-r--r--. root root system_u:object_r:etc_t:s0 abc.conf -rw-r--r--. root root unconfined_u:object_r:etc_t:s0 xyz.conf
The syntax you can use is as below
# chcon –reference=abc.conf xyz.conf
Here what you have done is that you have given the same SELinux context to file xyz.conf as abc.conf. Both files will have identical SELinux contexts. You can validate after the change and it will look like below.
# ls -lZ -rw-r--r--. root root system_u:object_r:etc_t:s0 abc.conf -rw-r--r--. root root system_u:object_r:etc_t:s0 xyz.conf
How to Change User only in SELinux Context
Only user details can be also changed related to the security context of the file.
# ls -lZ yum.conf.BKP -rwxr-xr-x. root root unconfined_u:object_r:etc_t:s0 yum.conf.BKP
“unconfined_u” is the user part of the security context for file yum.conf.BKP.
You can change only the user part with the option as –u. Please refer to the below example
# chcon -u system_u yum.conf.BKP
Please review after the change it looks like below.
# ls -lZ yum.conf.BKP -rwxr-xr-x. root root system_u:object_r:etc_t:s0 yum.conf.BKP
Instead of -u you can use –user also and will have the same result as -u and (–) user is same.
# chcon --user system_u yum.conf.BKP
How to Change ROLE in SELinux Context
Like above you can use either –r or –role for changing ROLE in SELinux Context. The syntax for the same will be like below.
# chcon -r object_r yum.conf.BKP # chcon --role object_r yum.conf.BKP
Both will yield the same change and you can validate the change using the below command as above.
#ls -lZ yum.conf.BKP
How to Change the Only TYPE in SELinux Context
This is one of the important options and probably TYPE is the main concern most of the time in the SELinux setup.
You can use the –t or (–) type option and use the ls -lZ option as mentioned in all other cases to see before and after the change.
# ls -lZ <File Name> # ls -lZ yum.conf.BKP -rwxr-xr-x. root root unconfined_u:object_r:etc_t:s0 yum.conf.BKP # chcon –t etc_t yum.conf.BKP # chcon --type etc_t yum.conf.BKP
If you have observed from all the above examples permissions are in four groups. This will change only the 3rd group which is related to TYPE and options are also related.
How to Change RANGE in SELinux Context
We can use -l, –range=RANGE set range RANGE in the target security context for a file.
# ls -lZ <file name> Record Context Status # chcon -l s0 <file name> # chcon --range s0 <file name> # ls -lZ <file name> Validate Context Status
Using combined options for User, Role, Type, Range in chcon
Let us see how we can use all options in one shot combing all the switches like -u, -r, -t, and -l.
# ls -lZ <file name> Record Context Status # chcon -u system_u -r object_r -t httpd_config_t -l s0 <file name> # ls -lZ <file name> Validate Context Status
How chcon behaves with links type files
Let us review how the chcon command behaves by default with links type files.
# ls -lZ lrwxrwxrwx. unconfined_u:object_r:config_t:s0 abc.conf -> xyz.conf -rw-r--r--. unconfined_u:object_r: etc_t :s0 xyz.conf
Let us change USER and TYPE for the abc.conf.
# chcon -u system_u -t etc_t abc.conf
You will find it the change is happening on the source file instead of the link. This is the default behavior of chcon. This is known as de-referencing.
# ls -lZ lrwxrwxrwx. unconfined_u:object_r:config_t:s0 abc.conf -> xyz.conf -rw-r--r--. system_u:object_r:etc_t:s0 xyz.conf
Another option available with chcon command in linux named as –dereference which will make a change to file instead of the symbolic link for the file.
Both of the following will yield the same result.
# chcon -u system_u -t httpd_config_t <file name> # chcon --dereference -u system_u -t etc_t <file name>
Forcefully Changing SELinux Context of Link
As you have seen in previous steps what to do if you have to change SELinux Context for links.
# chcon --no-dereference -u system_u -t etc_t <file name>
If you specify –no-dereference option with chcon command in linux, it will change the context of the symbolic links only not the source file.
We can use ‘-h’ option which will be the replacement for –no-dereference and yield the same result.
# chcon -h -u system_u -t etc_t <file name> # chcon --no-dereference -u system_u -t etc_t <file name>
Change SELinux Context Recursively
As you know what does Recursive mean. If you want to change the security linux context of all the files under any folder it will also change in all subdirectories under it. So while doing recursive change you must be sure and need to be done carefully. You can use –R or –recursive for the same result.
# chcon -R system_u:object_r:etc_t:s0 <directory> # chcon --recursive system_u:object_r:etc_t:s0 conf.d
So we have seen enough examples for the chcon command in linux. I hope you will find it helpful and it will clear understanding about SELinux chcon command in Redhat Linux With Examples to change security context.
Please do not hesitate to share your feedback in the comments section with any add-on to a related topic which will help readers to understand the concepts in a better way.
If you find our content valuable request you to share with your network to have better visibility and allow it to reach the intended audience.
