SELinux Game: Learn SELinux By Doing

Permanently Set a File Context

The chcon program can change the context of a file; however, changes made with chcon are not preserved if the file is relabeled with restorecon, or if the entire file system is relabeled using touch /.autorelabel and then rebooted. The semanage program can make persistent customizations to the SELinux policy configuration.

To run semanage, you must be the Linux root user and in a role allowed to run semanage, such as sysadm_r or unconfined_r. The following example uses semanage to set the myfile_t type for the “/path/to/myfile” file:

# semanage fcontext -a -t myfile_t /path/to/myfile

This semanage command adds an entry in the system file contexts. This entry will be persistent, even after the distribution policy is updated. If you change policies, for example, from targeted to MLS, you must re-run the above command to add the entry to the new policy. Run the restorecon command to apply the changes added via semanage fcontext:

# restorecon /path/to/myfile
# ls -Z /path/to/myfile
system_u:object_r:myfile_t /path/to/myfile
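An added example, not part of the original tutorial: a small audit that compares a file's on-disk SELinux type with the type the file-context configuration assigns to its path, which is how a label set only with chcon shows up before a relabel replaces it. The function names are hypothetical; it assumes GNU stat and the matchpathcon utility are installed.

```shell
#!/bin/sh
# Added example: report files whose on-disk SELinux type differs from the
# type the file-context configuration assigns to the path.

# Current label on disk (GNU stat prints the SELinux context for %C).
current_ctx() { stat -c %C -- "$1"; }

# Label the file-context configuration assigns to the path.
# matchpathcon -n prints only the context, or "<<none>>" if no rule applies.
policy_ctx() { matchpathcon -n "$1"; }

# Extract the type field from user:role:type[:range].
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Print "ok", "drift" or "unmanaged" for one path; status 1 on drift,
# status 2 if a label could not be read.
label_status() {
    cur=$(current_ctx "$1") || return 2
    want=$(policy_ctx "$1") || return 2
    if [ "$want" = "<<none>>" ]; then
        echo "unmanaged $1 ($cur)"
        return 0
    fi
    # restorecon without -F resets only the type, so compare types only.
    if [ "$(ctx_type "$cur")" = "$(ctx_type "$want")" ]; then
        echo "ok $1 ($(ctx_type "$cur"))"
    else
        echo "drift $1 on-disk=$(ctx_type "$cur") policy=$(ctx_type "$want")"
        return 1
    fi
}

# Check every path given on the command line.
if [ "$#" -gt 0 ]; then
    rc=0
    for p in "$@"; do label_status "$p" || rc=1; done
    exit "$rc"
fi
```

A "drift" line means the type on disk is not backed by a file-context entry; adding the entry with semanage fcontext and running restorecon, as shown above, makes it persistent.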

Try it!

Explore these commands using the tutorial vagrant box. Start the environment using:
vagrant up tutorial
vagrant ssh tutorial
If you don't have the command, visit the getting started guide.

Portions of this page's content are copied from this page for non-commercial, educational purposes.