Intro To 'chcon' Command In Linux
2024-05-24 - By Robert Elder
I use the 'chcon' command to change the security context of a file:
ls -lZ foo.txt
-rw-r--r--. 1 robert robert unconfined_u:object_r:user_home_t:s0 13 Apr 15 17:16 foo.txt
chcon unconfined_u:unconfined_r:user_tmp_t:s0 foo.txt
ls -lZ foo.txt
-rw-r--r--. 1 robert robert unconfined_u:unconfined_r:user_tmp_t:s0 13 Apr 15 17:16 foo.txt
Example Use Case Involving Web Server File Permissions
Here, I have an html document that's part of my web site:
cd /var/www/html
ls -lZ
total 4
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 47 Apr 15 15:54 index.html
cat index.html
<html>
Hello! Welcome to my web page.
</html>
When I use the curl command to request this document through my web server, the document is served successfully:
curl http://127.0.0.1/index.html
<html>
Hello! Welcome to my web page.
</html>
However, if I create a new html document in the 'tmp' directory:
echo -e "<html>\nThis is my favourite web page.\n</html>" > /tmp/favourite.html
ls -lZ /tmp/favourite.html
-rw-r--r--. 1 robert robert unconfined_u:object_r:user_tmp_t:s0 46 Apr 15 17:18 /tmp/favourite.html
and then move this document into my web server's 'html' folder:
sudo mv /tmp/favourite.html favourite.html
ls -lZ
total 8
-rw-r--r--. 1 robert robert unconfined_u:object_r:user_tmp_t:s0 46 Apr 15 17:18 favourite.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 47 Apr 15 15:54 index.html
my web server returns a 403 permission error when I request this new document:
cat favourite.html
<html>
This is my favourite web page.
</html>
curl http://127.0.0.1/favourite.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>
Fixing Permission Issues By Changing Security Context
In the scenario we described above, the permission issue is caused by the new file's security context:
ls -lZ
total 8
-rw-r--r--. 1 robert robert unconfined_u:object_r:user_tmp_t:s0 46 Apr 15 17:18 favourite.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 47 Apr 15 15:54 index.html
I can use the 'chcon' command to directly change the file's security context:
chcon unconfined_u:object_r:httpd_sys_content_t:s0 favourite.html
ls -lZ
total 8
-rw-r--r--. 1 robert robert unconfined_u:object_r:httpd_sys_content_t:s0 46 Apr 15 17:18 favourite.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 47 Apr 15 15:54 index.html
Now, the web server can serve my new web page successfully:
curl http://127.0.0.1/favourite.html
<html>
This is my favourite web page.
</html>
Default Security Contexts
Security context changes made with the 'chcon' command are not persistent: they may be overwritten later by other commands such as 'restorecon', which restores the default security contexts defined by the policy's file context rules:
ls -lZ
total 8
-rw-r--r--. 1 robert robert unconfined_u:object_r:httpd_sys_content_t:s0 46 Apr 15 17:18 favourite.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 47 Apr 15 15:54 index.html
sudo chcon unconfined_u:object_r:user_tmp_t:s0 index.html
ls -lZ
total 8
-rw-r--r--. 1 robert robert unconfined_u:object_r:httpd_sys_content_t:s0 46 Apr 15 17:18 favourite.html
-rw-r--r--. 1 root root unconfined_u:object_r:user_tmp_t:s0 47 Apr 15 15:54 index.html
sudo restorecon -vR /var/www/html
Relabeled /var/www/html/index.html from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
ls -lZ
total 8
-rw-r--r--. 1 robert robert unconfined_u:object_r:httpd_sys_content_t:s0 46 Apr 15 17:18 favourite.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 47 Apr 15 15:54 index.html
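Both the 'mv' scenario above and the 'restorecon' run show the same operational problem: a file under the web root can silently end up with a type the web server is not allowed to read, whether because it kept its old label when it was moved or because a label set with 'chcon' was reverted. The following shell script is an added example, not code from the original post, that audits 'ls -lZ' output for files whose SELinux type differs from the expected one; the listing it parses is constructed from the output shown above rather than captured from a live system, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web root listing for
# files whose SELinux type has drifted from the type the web server may read.
# The sample below is constructed from the `ls -lZ` output in the post.
SAMPLE_LISTING='total 8
-rw-r--r--. 1 robert robert unconfined_u:object_r:user_tmp_t:s0 46 Apr 15 17:18 favourite.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 47 Apr 15 15:54 index.html'

# selinux_type CONTEXT: print the type (third colon-separated field) of a
# user:role:type:level security context, e.g. user_tmp_t.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# mislabeled EXPECTED_TYPE: read `ls -lZ` output on stdin and print
# "<name> <actual_type>" for every entry whose type is not EXPECTED_TYPE.
# Assumes the context is the 5th column and the file name is the last one
# (file names containing spaces would need a different listing format).
mislabeled() {
    awk -v want="$1" '
        /^total / { next }
        NF >= 9 {
            split($5, c, ":")
            if (c[3] != want) print $NF, c[3]
        }'
}

# audit_listing EXPECTED_TYPE: return 1 and report on stderr if any entry in
# the listing on stdin is mislabeled, 0 otherwise, so the check can gate a
# deployment step or feed a monitoring job.
audit_listing() {
    bad=$(mislabeled "$1")
    if [ -n "$bad" ]; then
        printf 'mislabeled files:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Stand-alone run over the constructed sample: favourite.html is flagged.
printf '%s\n' "$SAMPLE_LISTING" | audit_listing httpd_sys_content_t \
    || echo "audit found label drift (expected for the sample)"
```

On a live system the same check is `ls -lZ /var/www/html | audit_listing httpd_sys_content_t`, and `restorecon -nv /var/www/html` (dry run) lists what the policy would relabel without changing anything. The reason the moved file kept its label is that 'mv' preserves the source file's context, while 'cp' creates a new inode that is labeled according to the destination directory's default rule; copying instead of moving avoids the problem in the first place.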
You can use the 'semanage' command to view a list of the rules that describe the default security context(s) associated with different paths in the filesystem:
sudo semanage fcontext -l | grep '/var/www/html'
/var/www/html(/.*)?/sites/default/files(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/sites/default/settings\.php regular file system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/uploads(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/wp-content(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/wp_backups(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/cgi/munin.* all files system_u:object_r:munin_script_exec_t:s0
/var/www/html/configuration\.php all files system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/munin(/.*)? all files system_u:object_r:munin_content_t:s0
/var/www/html/munin/cgi(/.*)? all files system_u:object_r:munin_script_exec_t:s0
/var/www/html/nextcloud/data(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/owncloud/data(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
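The rules listed by 'semanage fcontext -l' are anchored regular expressions, and 'restorecon' resolves a path to its default type by taking the last matching rule (the policy orders rules from general to specific, and local additions come after the policy's own). The shell script below is an added example, not part of the original post, that performs that resolution over a constructed rule table: it uses a few of the rules shown above plus the general '/var/www(/.*)?' rule from the standard policy, which the 'grep' for '/var/www/html' above does not show, placed first as the least specific entry. The function name is my own, and the file type column ("all files", "regular file") is ignored for simplicity.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the default SELinux type
# of a path from `semanage fcontext -l` style rules, the way restorecon does.
# Constructed rule table: the general /var/www(/.*)? rule from the standard
# policy first (assumed here, least specific), then rules from the post.
SAMPLE_RULES='/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
/var/www/html(/.*)?/uploads(/.*)?                  all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/sites/default/settings\.php    regular file       system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)?                  all files          system_u:object_r:httpd_sys_script_exec_t:s0'

# default_type PATH: print the type field of the last rule whose regex,
# anchored at both ends, matches PATH. Prints nothing when no rule matches,
# which is what you would see for a file outside every labeled tree.
default_type() {
    printf '%s\n' "$SAMPLE_RULES" | awk -v path="$1" '
        NF >= 3 {
            re = "^" $1 "$"            # rules are implicitly anchored
            if (path ~ re) {           # last match wins
                split($NF, c, ":")
                hit = c[3]
            }
        }
        END { if (hit != "") print hit }'
}

# Stand-alone run: the moved file from the post resolves to the general rule,
# an upload resolves to the more specific read-write rule.
for p in /var/www/html/favourite.html /var/www/html/uploads/photo.png /tmp/favourite.html; do
    printf '%s -> %s\n' "$p" "$(default_type "$p")"
done
```

The escaped dot in the 'settings\.php' rule matters: a file named 'settingsXphp' falls through to the general '/var/www(/.*)?' rule rather than the read-write one. On a real system 'matchpathcon /var/www/html/favourite.html' gives the authoritative answer from the installed policy, including rules the grep above filtered out.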
The 'chcon' Command Requires SELinux
The 'chcon' command is only useful on systems that have SELinux installed. If you try to run 'chcon' on a system that doesn't have SELinux installed, you'll see something like this:
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal
sudo chcon unconfined_u:object_r:user_tmp_t:s0 index.html
chcon: invalid context: ‘unconfined_u:object_r:user_tmp_t:s0’: No such file or directory
And that's why the 'chcon' command is my favourite Linux command.