RUNCON(1) General Commands Manual RUNCON(1)

runconalter and consume SELinux context

runcon context program [argument]…
runcon    [-u user] [-r role] [-t type] [-l range] program [argument]… (with at least one of -urtl)
runcon -c [-u user] [-r role] [-t type] [-l range] program [argument]…

Without program, writes the current SELinux security context, followed by a newline, to the standard output stream.

Otherwise, executes program arguments with a different context, if valid:

with context
with at least one of -urtl
() with the specified fields altered,
with -c
the context computed to label a new object, from getcon() to the filesystem context of program, in the "process" security class, with fields overriden as specified by -urtl, if any.

, --compute
Pre-compute context transition, cf. DESCRIPTION.
, --user=user
Set user (the first field) to user.
, --role=role
Set role (the second field) to role.
, --type=type
Set type (the third field) to type.
, --range=range
Set level-range (the fourth field) to range.

In which program is searched when requested (except with -c), confer execvp(3).

program wasn't found.
program exists, but couldn't be executed for a different reason.
an error occurred in runcon (SELinux is not active, the final context or a field is invalid, &c.).
All others
returned by program, if executed, or .

runcon(1), getcon(3), getfscon(3), security_check_context(3), setexeccon(3), selinux(8)

Compatible with the GNU system, which exits for set-up errors and executes program from the PATH even with -c, but uses it verbatim as a getfscon() argument — this means that runcon -c true will fail unless there's a true file in the current working directory and, if there is, context will be used for the computation, rather than /bin/true's. This simply begs for a trojan horse scenario. Cf. Bug#1013924: coreutils: runcon -c getfscon()s program verbatim but execve()s it; trojan moment?.

July 25, 2022 voreutils pre-v0.0.0-latest