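Introduction to the Linux chcon command, with usage examples
chcon is the Linux tool for changing the SELinux security context of files and directories. It lets a user modify a file's security label, which controls access to that file in an SELinux-enabled environment.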
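Basic syntax

chcon [OPTION]... CONTEXT FILE...

CONTEXT: the new security context to set; it can be a full context or part of one (user, role, type, range).
FILE: the file or directory to operate on.

Common options

-R: recursively change the security context of a directory and its contents.
--reference=RFILE: set the target file's context from the security context of a reference file.
-u USER: change only the user part of the security context.
-r ROLE: change only the role part of the security context.
-t TYPE: change only the type part of the security context.
-l RANGE: change only the range part of the security context.

Command: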
root@meng:~# which chcon
/usr/bin/chcon
root@meng:~# chcon
chcon: missing operand
Try 'chcon --help' for more information.
root@meng:~# chcon --help
Usage: chcon [OPTION]... CONTEXT FILE...
or: chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...
or: chcon [OPTION]... --reference=RFILE FILE...
Change the SELinux security context of each FILE to CONTEXT.
With --reference, change the security context of each FILE to that of RFILE.
Mandatory arguments to long options are mandatory for short options too.
--dereference affect the referent of each symbolic link (this is
the default), rather than the symbolic link itself
-h, --no-dereference affect symbolic links instead of any referenced file
-u, --user=USER set user USER in the target security context
-r, --role=ROLE set role ROLE in the target security context
-t, --type=TYPE set type TYPE in the target security context
-l, --range=RANGE set range RANGE in the target security context
--no-preserve-root do not treat '/' specially (the default)
--preserve-root fail to operate recursively on '/'
--reference=RFILE use RFILE's security context rather than specifying
a CONTEXT value
-R, --recursive operate on files and directories recursively
-v, --verbose output a diagnostic for every file processed
The following options modify how a hierarchy is traversed when the -R
option is also specified. If more than one is specified, only the final
one takes effect.
-H if a command line argument is a symbolic link
to a directory, traverse it
-L traverse every symbolic link to a directory
encountered
-P do not traverse any symbolic links (default)
--help display this help and exit
--version output version information and exit
GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Report any translation bugs to <https://translationproject.org/team/>
Full documentation <https://www.gnu.org/software/coreutils/chcon>
or available locally via: info '(coreutils) chcon invocation'
Command example:
root@meng:~# ls -lZ meng.txt
-rw-r--r--. 1 root root unconfined_u:object_r:user_tmp_t:s0 45 Aug 22 09:37 meng.txt
root@meng:~# ls -al meng.txt
-rw-r--r--. 1 root root 45 Aug 22 09:37 meng.txt
root@meng:~# chcon -u system_u meng.txt
root@meng:~# ls -lZ meng.txt
-rw-r--r--. 1 root root system_u:object_r:user_tmp_t:s0 45 Aug 22 09:37 meng.txt
root@meng:~# ls meng.txt
meng.txt
root@meng:~# ls -al meng.txt
-rw-r--r--. 1 root root 45 Aug 22 09:37 meng.txt
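The single-field rewrite that `chcon -u system_u` performed on meng.txt above, modeled as a shell function, including the case where the range itself contains a colon. This is an added example, not code from the original page or from coreutils: `ctx_set` is a hypothetical helper that only rewrites the context string and never touches a file's label, and every sample context other than the one from meng.txt is constructed.

```shell
#!/bin/sh
# ctx_set FLAG VALUE CONTEXT
# Prints CONTEXT with one field replaced, mirroring the meaning of
# chcon's -u (user), -r (role), -t (type) and -l (range) options.
# Hypothetical helper for illustration; it does not call chcon.
ctx_set() {
    flag=$1 value=$2 ctx=$3

    # A context is user:role:type[:range]. Split on the first three
    # colons only: an MLS/MCS range such as s0-s0:c0.c1023 contains
    # a colon of its own and must stay in one piece.
    user=${ctx%%:*}
    rest=${ctx#*:}
    [ "$rest" != "$ctx" ] || { echo "ctx_set: no role in '$ctx'" >&2; return 1; }
    role=${rest%%:*}
    rest2=${rest#*:}
    [ "$rest2" != "$rest" ] || { echo "ctx_set: no type in '$ctx'" >&2; return 1; }
    type=${rest2%%:*}
    case $rest2 in
        *:*) range=${rest2#*:} ;;   # everything after the third colon
        *)   range= ;;              # policy without MLS: no range field
    esac

    case $flag in
        -u) user=$value ;;
        -r) role=$value ;;
        -t) type=$value ;;
        -l) range=$value ;;
        *)  echo "ctx_set: unknown option '$flag'" >&2; return 2 ;;
    esac

    # Emit the range only when one is present.
    printf '%s:%s:%s%s\n' "$user" "$role" "$type" "${range:+:$range}"
}

# The page's own case: only the user field changes.
ctx_set -u system_u 'unconfined_u:object_r:user_tmp_t:s0'

# Constructed sample: changing the type leaves a colon-bearing range intact.
ctx_set -t httpd_sys_content_t 'system_u:object_r:user_tmp_t:s0-s0:c0.c1023'
```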
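Notes

The chcon command only works on systems where SELinux is enabled. If SELinux is not enabled, running the command fails.
A security context changed with chcon can be overwritten by other commands (such as restorecon), so when the context needs to be maintained, you may need to use restorecon to restore the default security context.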