chcon Command

Advanced Firewall & Security man(1)

Change SELinux security context of files

📅 Updated: Mar 16, 2026
SYNTAX
chcon [OPTIONS] CONTEXT FILE...

What Does chcon Do?

The chcon command changes the SELinux security context of files and directories. SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) system that adds an additional layer of security beyond traditional Unix permissions. It is enabled by default on RHEL, Fedora, CentOS, AlmaLinux, and Rocky Linux.

Every file, process, and resource in an SELinux-enabled system has a security context consisting of four fields: user:role:type:level (e.g., system_u:object_r:httpd_sys_content_t:s0). The type field is the most important — SELinux policies define which process types can access which file types.

chcon is used to temporarily change file contexts — for example, when a web server cannot access files because they have the wrong SELinux type. However, changes made by chcon are lost when the filesystem is relabeled (restorecon). For permanent changes, use semanage fcontext. chcon is ideal for testing and troubleshooting SELinux issues before making permanent policy changes.

Options & Flags

| Option | Description | Example |
|---|---|---|
| -t TYPE | Change the SELinux type of a file | sudo chcon -t httpd_sys_content_t /var/www/html/index.html |
| -R | Change context recursively | sudo chcon -Rt httpd_sys_content_t /var/www/html/ |
| -u USER | Change the SELinux user | sudo chcon -u system_u file.txt |
| -r ROLE | Change the SELinux role | sudo chcon -r object_r file.txt |
| -l LEVEL | Change the MLS/MCS security level | sudo chcon -l s0 file.txt |
| --reference=FILE | Set context to match another file | sudo chcon --reference=/var/www/html/index.html newfile.html |
| -v | Verbose: show each change | sudo chcon -Rvt httpd_sys_content_t /var/www/ |

Practical Examples

#1 Fix web server file access

Set proper SELinux type for web content. Fixes "403 Forbidden" when Apache/Nginx cannot read files.
$ sudo chcon -Rt httpd_sys_content_t /var/www/html/

#2 Allow web server to write

Allow web server to write to an uploads directory. httpd_sys_rw_content_t permits read-write.
$ sudo chcon -Rt httpd_sys_rw_content_t /var/www/html/uploads/

#3 Check current context

View SELinux context of files. The -Z flag shows the security context alongside standard permissions.
$ ls -lZ /var/www/html/
Output: system_u:object_r:httpd_sys_content_t:s0 index.html

#4 Copy context from reference file

Set the context of new-page.html to match the existing index.html. Useful when adding files.
$ sudo chcon --reference=/var/www/html/index.html /var/www/html/new-page.html

#5 Restore default contexts

Reset file contexts to the default policy values. This undoes any chcon changes. When troubleshooting, always run this first, before reaching for chcon.
$ sudo restorecon -Rv /var/www/html/

#6 Make permanent context change

For permanent changes, use semanage fcontext + restorecon instead of chcon. Survives relabeling.
$ sudo semanage fcontext -a -t httpd_sys_content_t "/srv/mysite(/.*)?" && sudo restorecon -Rv /srv/mysite/
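
An added example, not part of the original page: a POSIX shell helper that splits a context into the four fields described earlier and, given ls -Z output in the format shown in example #3, lists the entries whose type differs from the one expected. The function names (ctx_field, mislabeled, check_sample) and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): split SELinux contexts into
# their fields and flag files whose type is not the one you expect.

# ctx_field CONTEXT FIELD   -> prints the user, role, type or level field.
# Only the first three colons separate fields: an MLS/MCS level such as
# "s0:c1,c5" or "s0-s0:c0.c1023" contains colons of its own.
ctx_field() (
    IFS=: read -r user role type level <<EOF
$1
EOF
    case $2 in
        user)  printf '%s\n' "$user" ;;
        role)  printf '%s\n' "$role" ;;
        type)  printf '%s\n' "$type" ;;
        level) printf '%s\n' "$level" ;;
        *)     echo "unknown field: $2" >&2; exit 2 ;;
    esac
)

# mislabeled EXPECTED_TYPE   -> reads "CONTEXT NAME" lines (ls -Z format) on
# stdin and prints "NAME<TAB>ACTUAL_TYPE" for each entry with another type.
# ls -Z prints "?" for an entry with no label; that is reported as unlabeled.
mislabeled() (
    while read -r ctx name; do
        [ -n "$ctx" ] || continue
        actual=$(ctx_field "$ctx" type)
        [ "$actual" = "$1" ] || printf '%s\t%s\n' "$name" "${actual:-unlabeled}"
    done
)

# Constructed sample in the format of `ls -Z /var/www/html/` (not real output).
SAMPLE='system_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 moved-from-home.html
system_u:object_r:httpd_sys_content_t:s0:c1,c5 tenant.html
unconfined_u:object_r:httpd_sys_rw_content_t:s0 uploads
? unlabeled.bin'

# check_sample -> the sample entries that are not plain read-only web content.
check_sample() {
    printf '%s\n' "$SAMPLE" | mislabeled httpd_sys_content_t
}

check_sample
```

On a live host, feed it real output instead of the sample: ls -Z /var/www/html/ | mislabeled httpd_sys_content_t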

Tips & Best Practices

chcon changes are temporary: they are lost when restorecon runs or the filesystem is relabeled. For permanent changes, use semanage fcontext followed by restorecon.
Troubleshoot with audit2why: When SELinux blocks access, check: sudo ausearch -m AVC --start today | audit2why. This tells you exactly what context change is needed.
Common web types: httpd_sys_content_t (read-only web content), httpd_sys_rw_content_t (read-write), httpd_sys_script_exec_t (CGI scripts), httpd_log_t (log files).
Check SELinux status: getenforce shows current mode: Enforcing (active), Permissive (logging only), Disabled. Use sestatus for detailed info.

Frequently Asked Questions

How do I fix SELinux permission denied errors?
First check the denial: sudo ausearch -m AVC --start today | audit2why. Then set the correct context: chcon -t correct_type file, or use semanage fcontext for permanent changes.
What is the difference between chcon and semanage fcontext?
chcon changes context temporarily (lost on relabel). semanage fcontext adds a permanent rule to SELinux policy, and restorecon applies it. Use semanage for production.
How do I check SELinux context of files?
Use ls -Z to see file contexts: ls -lZ /path/to/file. For processes: ps auxZ. For ports: semanage port -l.
Should I disable SELinux to fix access problems?
No. Disabling SELinux removes an important security layer. Instead, use audit2why to understand the denial and set the correct context with chcon or semanage fcontext.
