Most SELinux administration work is label and context work. Once you know how to inspect labels, restore expected types, and adjust booleans intentionally, many denials become straightforward to resolve.
This post focuses on practical commands you will use regularly when managing SELinux systems.
Table of Contents
Context Basics
- Context format and what matters most
- Inspect labels on files and processes
- How process and file types interact
Daily Operations
- chcon vs restorecon and when each fits
- Preview persistent labeling with semanage fcontext
- Tune booleans without weakening policy
- Use runcon for one-off tests
- Container relabeling with :Z and :z
Series Navigation
Context format and what matters most
An SELinux context is usually written as user:role:type:level. In most operations and troubleshooting work, the type field is what decides the outcome you care about.
For example:
system_u:object_r:httpd_sys_content_t:s0
system_u:system_r:httpd_t:s0
The first label carries a file object type (httpd_sys_content_t) and the second a process domain (httpd_t). Policy decides what httpd_t may do with httpd_sys_content_t.
Inspect labels on files and processes
Use these commands early in troubleshooting to compare expected and actual contexts.
ls -Z /var/www/html
ps -eZ | head -20
id -Z
stat -Z /var/www/html/index.html
Each command gives a different view:
- ls -Z shows file and directory labels in path listings
- ps -eZ shows process domains for running services
- id -Z shows your current user context in the active session
- stat -Z gives the precise context of one object
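As an added example that is not part of the original post: a small POSIX shell script that splits a context into its four fields (the level field can itself contain colons, so splitting on every colon breaks) and then compares the type of each file in a listing against the types you expect, which is the comparison you want before reaching for restorecon. The listing, paths and labels are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Splits a context into its fields and
# reports files whose type is outside an expected set, using constructed "ls -Z"
# style lines so it runs without SELinux; every path and label below is made up.

# Print one field of a context: 1=user, 2=role, 3=type, 4=level.
# The level (an MLS/MCS range such as s0-s0:c0.c1023) can itself contain
# colons, so only the first three separators delimit fields.
ctx_field() {
    case "$2" in
        1|2|3) printf '%s\n' "$1" | cut -d: -f"$2" ;;
        4)     printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# Constructed listing in the shape "ls -Z" prints: context, then path.
SAMPLE_LISTING='system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/copied.html
system_u:object_r:httpd_sys_rw_content_t:s0-s0:c0.c1023 /var/www/html/uploads
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/about.html'

# Print "type path" for every entry whose type is not in the allowed set
# ($2, space-separated). A hit usually means a file was copied in with the
# wrong label, and restorecon, not chmod, is the fix.
find_mislabeled() {
    printf '%s\n' "$1" | while read -r ctx path; do
        [ -n "$ctx" ] || continue
        ftype=$(ctx_field "$ctx" 3)
        case " $2 " in
            *" $ftype "*) ;;
            *) printf '%s %s\n' "$ftype" "$path" ;;
        esac
    done
}

# Number of mismatches, so a script can decide whether a relabel is needed.
count_mislabeled() {
    find_mislabeled "$1" "$2" | grep -c .
}

EXPECTED='httpd_sys_content_t httpd_sys_rw_content_t'
if [ "$(count_mislabeled "$SAMPLE_LISTING" "$EXPECTED")" -gt 0 ]; then
    echo "Unexpected types under /var/www/html; preview with: restorecon -nv -R /var/www/html"
    find_mislabeled "$SAMPLE_LISTING" "$EXPECTED"
fi
```

On a real host, feed the function the output of ls -Z from the directory you are checking instead of SAMPLE_LISTING.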
How process and file types interact
SELinux policy does not only care about user identity. It checks whether a process domain is allowed to perform a specific action on an object type.
A common web example:
- httpd_t reading httpd_sys_content_t is normally allowed
- httpd_t writing httpd_sys_content_t is typically denied
- httpd_t writing httpd_sys_rw_content_t can be allowed by policy
This model is why relabeling content correctly usually matters more than chmod changes.
chcon vs restorecon and when each fits
chcon directly modifies an object label, but that change can be overwritten by future relabel operations. restorecon applies labels based on policy rules and local semanage fcontext mappings.
Use this pattern for durable fixes:
sudo restorecon -Rv /var/www/html
Use chcon only for short tests when you intentionally want a temporary change.
Preview persistent labeling with semanage fcontext
Persistent labeling rules belong in SELinux policy mappings. semanage fcontext lets you define expected types for paths, then restorecon applies them.
sudo semanage fcontext -l | head -20
sudo semanage fcontext -a -t httpd_sys_content_t '/srv/myapp(/.*)?'
sudo restorecon -Rv /srv/myapp
Post 4 covers this workflow in depth, including regex scope and rule maintenance.
Tune booleans without weakening policy
Booleans are policy toggles created by policy authors for common runtime choices. They are often a cleaner fix than adding custom allow rules.
getsebool -a | grep httpd
sudo setsebool httpd_can_network_connect on
sudo setsebool -P httpd_can_network_connect on
Guidance for boolean use:
- Use setsebool without -P to validate behavior first
- Add -P only after confirming the change should persist across reboot
- Enable only the boolean needed for the target behavior
Use runcon for one-off tests
runcon starts a command under a selected context, which can help validate whether a domain-specific restriction is the source of a denial.
runcon -t httpd_t -- cat /srv/myapp/config.yml
Treat runcon as a diagnostic tool, not a replacement for correct service configuration.
Container relabeling with :Z and :z
For container bind mounts, relabeling options can prevent confusing denials when container processes access host content.
podman run --rm -v /srv/appdata:/data:Z registry.example.com/myimage:latest
podman run --rm -v /srv/shared:/data:z registry.example.com/myimage:latest
- Use :Z for private content used by one container workload
- Use :z for shared content used by multiple container workloads
Series navigation
With contexts and booleans in place, the next step is reading AVC denials and applying targeted fixes with confidence.
Next in this series
Next, we break down AVC denials with ausearch, audit2why, and a repeatable troubleshooting flow that avoids unsafe broad exceptions.