
1. Understanding SELinux Contexts (Labels)

Context Components

Every file/process has a 4-part context (user:role:type:level):

ls -Z file.txt
# Output: unconfined_u:object_r:user_home_t:s0
#         │           │         │           └── Security Level
#         │           │         └────────────── Type (most important!)
#         │           └──────────────────────── Role
#         └──────────────────────────────────── SELinux User

How Contexts Are Assigned


2. Temporary Context Changes with chcon

Basic Usage

# Create test file
touch file.txt
ls -Z file.txt  # unconfined_u:object_r:user_home_t:s0

# Change type temporarily
chcon -t httpd_sys_content_t file.txt
ls -Z file.txt  # unconfined_u:object_r:httpd_sys_content_t:s0

# Restore original context
restorecon -v file.txt
ls -Z file.txt  # Back to user_home_t

Recursive Changes

# Create directory structure
mkdir -p /tmp/testdir
cal > /tmp/testdir/cal.txt

# Change context recursively
chcon -R -t httpd_sys_content_t /tmp/testdir/
ls -Z /tmp/testdir/cal.txt  # Now httpd_sys_content_t
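
An added example, not part of the original page: shell helpers that split a context into the four fields from section 1 and list entries in `ls -Z` output whose type differs from an expected one, such as the file relabelled with chcon above. The function names, the sample listing and the expected-type argument are assumptions made for this example.

```shell
# Added example: split SELinux contexts and flag unexpected types.

# Print one field (user, role, type or level) of a context string.
# Everything after the third colon is the level, because MLS/MCS levels
# such as "s0-s0:c0.c1023" contain colons themselves.
context_field() {
    local ctx="$1" field="$2" user role type level rest
    case "$ctx" in
        *:*:*) ;;          # at least user:role:type
        *) return 1 ;;     # e.g. the "?" GNU ls prints for an unlabeled file
    esac
    user=${ctx%%:*};  rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    type=${rest%%:*}; level=${rest#*:}
    # No fourth field: the expansion above left the type in $level.
    if [ "$rest" = "$type" ]; then level=""; fi
    case "$field" in
        user)  printf '%s\n' "$user" ;;
        role)  printf '%s\n' "$role" ;;
        type)  printf '%s\n' "$type" ;;
        level) printf '%s\n' "$level" ;;
        *) return 2 ;;
    esac
}

# Read `ls -Z` lines ("context path") on stdin and print "path type" for
# every entry whose type is not the expected one given as $1.
type_drift() {
    local expected="$1" ctx path actual
    while read -r ctx path; do
        [ -n "$path" ] || continue
        actual=$(context_field "$ctx" type) || actual="unlabeled"
        if [ "$actual" != "$expected" ]; then
            printf '%s %s\n' "$path" "$actual"
        fi
    done
}

# Constructed sample of `ls -Z` output (not captured from a real system).
SAMPLE_LS_Z='unconfined_u:object_r:user_home_t:s0 notes.txt
unconfined_u:object_r:httpd_sys_content_t:s0 file.txt
system_u:object_r:user_home_t:s0-s0:c0.c1023 report.txt
? orphan.txt'

printf '%s\n' "$SAMPLE_LS_Z" | type_drift user_home_t
```

On a live system the same check can be fed from `ls -Z` directly; `restorecon -n -v` gives the policy's own view of which labels would be reset.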

⚠️ Critical Limitation:

chcon changes are temporary—lost on:


3. Permanent Context Changes with semanage fcontext

Add Permanent Policy Rule