Intro To 'chcon' Command In Linux

2024-05-24 - By Robert Elder

     I use the 'chcon' command to change the security context of a file:

ls -lZ foo.txt
-rw-r--r--. 1 robert robert unconfined_u:object_r:user_home_t:s0 13 Apr 15 17:16 foo.txt
chcon unconfined_u:unconfined_r:user_tmp_t:s0 foo.txt
ls -lZ foo.txt
-rw-r--r--. 1 robert robert unconfined_u:unconfined_r:user_tmp_t:s0 13 Apr 15 17:16 foo.txt

Example Use Case Involving Web Server File Permissions

     Here, I have an html document that's part of my web site:

cd /var/www/html
ls -lZ
total 4
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 47 Apr 15 15:54 index.html
cat index.html
<html>
Hello!  Welcome to my web page.
</html>

     When I use the curl command to request this document through my web server, the document is served successfully:

curl http://127.0.0.1/index.html
<html>
Hello!  Welcome to my web page.
</html>

     However, if I create a new html document in the 'tmp' directory:

echo -e "<html>\nThis is my favourite web page.\n</html>" > /tmp/favourite.html
ls -lZ /tmp/favourite.html
-rw-r--r--. 1 robert robert unconfined_u:object_r:user_tmp_t:s0 46 Apr 15 17:18 /tmp/favourite.html

     and then move this document into my web server's 'html' folder:

sudo mv /tmp/favourite.html favourite.html
ls -lZ
total 8
-rw-r--r--. 1 robert robert unconfined_u:object_r:user_tmp_t:s0          46 Apr 15 17:18 favourite.html
-rw-r--r--. 1 root   root   unconfined_u:object_r:httpd_sys_content_t:s0 47 Apr 15 15:54 index.html

     my web server will show a permission error when requesting this new document:

cat favourite.html
<html>
This is my favourite web page.
</html>
curl http://127.0.0.1/favourite.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

Fixing Permission Issues By Changing Security Context

     In the scenario described above, the permission issue is caused by the new file's security context: 'mv' kept the 'user_tmp_t' label the file received in '/tmp', and the web server's SELinux policy does not allow it to read files of that type, whereas 'index.html' carries 'httpd_sys_content_t':

ls -lZ
total 8
-rw-r--r--. 1 robert robert unconfined_u:object_r:user_tmp_t:s0          46 Apr 15 17:18 favourite.html
-rw-r--r--. 1 root   root   unconfined_u:object_r:httpd_sys_content_t:s0 47 Apr 15 15:54 index.html

     I can use the 'chcon' command to directly change the file's security context:

chcon unconfined_u:object_r:httpd_sys_content_t:s0 favourite.html
ls -lZ
total 8
-rw-r--r--. 1 robert robert unconfined_u:object_r:httpd_sys_content_t:s0 46 Apr 15 17:18 favourite.html
-rw-r--r--. 1 root   root   unconfined_u:object_r:httpd_sys_content_t:s0 47 Apr 15 15:54 index.html

     Now, the web server can serve my new web page successfully:

curl http://127.0.0.1/favourite.html
<html>
This is my favourite web page.
</html>

Default Security Contexts

     Security context changes that are made using the 'chcon' command may be overwritten later by other commands like the 'restorecon' command, which restores default security contexts based on pre-defined rules:

ls -lZ
total 8
-rw-r--r--. 1 robert robert unconfined_u:object_r:httpd_sys_content_t:s0 46 Apr 15 17:18 favourite.html
-rw-r--r--. 1 root   root   unconfined_u:object_r:httpd_sys_content_t:s0 47 Apr 15 15:54 index.html
sudo chcon unconfined_u:object_r:user_tmp_t:s0 index.html
ls -lZ
total 8
-rw-r--r--. 1 robert robert unconfined_u:object_r:httpd_sys_content_t:s0 46 Apr 15 17:18 favourite.html
-rw-r--r--. 1 root   root   unconfined_u:object_r:user_tmp_t:s0          47 Apr 15 15:54 index.html
sudo restorecon -vR /var/www/html
Relabeled /var/www/html/index.html from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
ls -lZ
total 8
-rw-r--r--. 1 robert robert unconfined_u:object_r:httpd_sys_content_t:s0 46 Apr 15 17:18 favourite.html
-rw-r--r--. 1 root   root   unconfined_u:object_r:httpd_sys_content_t:s0 47 Apr 15 15:54 index.html

     You can use the 'semanage' command to view a list of the rules that describe the default security context(s) associated with different paths in the filesystem:

sudo semanage fcontext -l | grep '/var/www/html'
/var/www/html(/.*)?/sites/default/files(/.*)?      all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/sites/default/settings\.php    regular file       system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/uploads(/.*)?                  all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/wp-content(/.*)?               all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/wp_backups(/.*)?               all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)?                  all files          system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/cgi/munin.*                          all files          system_u:object_r:munin_script_exec_t:s0
/var/www/html/configuration\.php                   all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/munin(/.*)?                          all files          system_u:object_r:munin_content_t:s0
/var/www/html/munin/cgi(/.*)?                      all files          system_u:object_r:munin_script_exec_t:s0
/var/www/html/nextcloud/data(/.*)?                 all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/owncloud/data(/.*)?                  all files          system_u:object_r:httpd_sys_rw_content_t:s0
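     As an added example, not from the original post, the following POSIX shell script audits an 'ls -lZ' listing for the kind of mislabel shown above (a file carrying 'user_tmp_t' inside the web root) and prints the 'chcon' that would relabel each one without running it. The sample listing is constructed to match the post's output, and the accepted httpd types are the ones that appear in the 'semanage fcontext -l' listing.

```shell
#!/bin/sh
# Added example, not from the original post: audit an 'ls -lZ' listing of a
# web root for files whose SELinux type is not one the httpd policy expects,
# which is the mislabel that produced the 403 above. The accepted types are
# the ones that appear in the post's 'semanage fcontext -l' output.
HTTPD_TYPES="httpd_sys_content_t httpd_sys_rw_content_t httpd_sys_script_exec_t"

# Print the type field (third of user:role:type:level) of a context string.
context_type() {
    t=${1#*:*:}                 # drop the user and role fields
    printf '%s\n' "${t%%:*}"    # drop the level, leaving the type
}

# Succeed (exit 0) when the type is an httpd content or script type.
is_httpd_type() {
    for t in $HTTPD_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# Read 'ls -lZ' lines on stdin and print "name type" for each mislabelled
# file. Field 5 is the context and the last field the name, as in the post.
audit_listing() {
    while read -r perms links owner group ctx size mon day time name; do
        [ -z "$ctx" ] && continue           # skips the "total N" line
        ty=$(context_type "$ctx")
        is_httpd_type "$ty" || printf '%s %s\n' "$name" "$ty"
    done
}

# Constructed sample listing mirroring /var/www/html in the post right after
# 'sudo mv /tmp/favourite.html favourite.html'.
SAMPLE_LISTING='total 8
-rw-r--r--. 1 robert robert unconfined_u:object_r:user_tmp_t:s0 46 Apr 15 17:18 favourite.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 47 Apr 15 15:54 index.html'

# Mislabelled files in the sample listing, one "name type" pair per line.
mislabelled() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_listing
}

# Print, but do not run, the 'chcon' that would relabel each mislabelled
# file, so the list can be reviewed before anything is changed.
suggest_fixes() {
    mislabelled | while read -r name ty; do
        printf 'chcon -t httpd_sys_content_t %s\n' "$name"
    done
}

mislabelled
suggest_fixes
```

     A label set with 'chcon' only lasts until the next 'restorecon'; to make it persistent, register the path with 'semanage fcontext -a -t httpd_sys_content_t' and then run 'restorecon' on it. Note also that 'mv' carries the old label along with the file, as in the post, whereas 'cp' gives the new copy the default label for its destination.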

The 'chcon' Command Requires SELinux

     The 'chcon' command is only useful on systems that have SELinux installed.  If you try to run 'chcon' on a system that doesn't have SELinux installed, you'll see something like this:

lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.2 LTS
Release:	20.04
Codename:	focal
sudo chcon unconfined_u:object_r:user_tmp_t:s0 index.html
chcon: invalid context: ‘unconfined_u:object_r:user_tmp_t:s0’: No such file or directory

     And that's why the 'chcon' command is my favourite Linux command.
