## context

```
# ls -Z /bin/file
unconfined_u:object_r:user_home_t:s0 /bin/file
```

list SELinux context of file or directory: user (unconfined_u), role (object_r), type (user_home_t), and level (s0)

### change type context

```
# semanage fcontext -a -t bin_t /bin/file
```

apply change

```
# restorecon -vR /bin
Relabeled /bin/file from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:bin_t:s0
```

### change user context

```
# semanage fcontext -m -t bin_t -s system_u /bin/file
```

apply change

```
# restorecon -vF /bin/file
Relabeled /usr/bin/file from unconfined_u:object_r:bin_t:s0 to system_u:object_r:bin_t:s0
# restorecon -R for recursive
```

## Containers

### volumes

`:z` shared content label

`:Z` private unshared label

`:ro,z` combine read only and SELinux label

### udica

[git](https://github.com/containers/udica)

```
$ podman inspect $(podman ps -f name= -q) > container.json
# udica -j container.json my_container
```

## denied access

see recent denials

```
# ausearch -m avc -ts recent
```
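
One way to condense the denials listed by `ausearch` into a count per source type, target type, class and permission set, as an added example that is not part of the original page. The helper names `context_field` and `summarize_avc` are hypothetical and the audit records in `sample_log` are constructed; the level is read as everything after the third colon so that an MCS level such as `s0:c123,c456` stays whole.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample records are constructed.

# context_field CONTEXT FIELD: print the user, role, type or level.
# The level is everything after the third colon, so an MCS level such as
# s0:c123,c456 is returned whole instead of being cut at its own colon.
context_field() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# summarize_avc: read audit records on stdin and print, most frequent first,
# "COUNT source_type -> target_type class { permissions }" per distinct denial.
summarize_avc() {
    awk '
    /avc:[ ]+denied/ {
        lb = index($0, "{ "); rb = index($0, " }")
        perms = substr($0, lb + 2, rb - lb - 2)
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); t = b[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        n[s " -> " t " " c " { " perms " }"]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Constructed records: two identical httpd denials, one container denial
# with an MCS level, and one non-AVC record that must be ignored.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2101 comm="httpd" name="file" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000005.220:507): avc:  denied  { read } for  pid=2101 comm="httpd" name="file" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.310:512): avc:  denied  { read open } for  pid=3300 comm="cat" path="/data/file" dev="dm-0" ino=7001 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

sample_log | summarize_avc
```

On a host, pipe real records through the same function: `ausearch -m avc -ts recent | summarize_avc`.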