The basic command for changing a context is:
$ chcon CONTEXT FILE
Changes to a directory’s context are NOT automatically inherited by files and
subdirectories within, so one often uses the recursive mode “chcon -R”.
There are a couple of basic rules:
1.) A new file inherits the context of the parent directory
2.) However, a file moved with mv retains its original context
– So you can see how mv can upset the SELinux partitioning, especially if you use e.g. sed to modify the contents of a file, creating an interim file in /tmp, then swap it back into place.
One could be tempted to use a recursive chcon relabeling, but that would be bad, because
a.) you wouldn’t necessarily know the right context for the subtree, and
b.) some branch further down the tree might have a different context applied, and you don’t want to trash it.
SILVER BULLET COMMAND
$ restorecon FILENAME
E.g. if your custom DNS script has buggered /etc/resolv.conf then:
$ restorecon /etc/resolv.conf
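
A dry-run check for the mv-from-/tmp problem described above, added here as an example (not part of the original note): it parses the output of "restorecon -n -v", which reports what would be relabeled without changing anything, and lists files still carrying a /tmp type. The function names, the sample lines and the message format "Would relabel PATH from CTX to CTX" (as printed by recent policycoreutils) are assumptions; paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: preview relabels with restorecon's dry-run mode (-n -v)
# and pick out files whose current type shows they were moved from /tmp.

# Print the type field (3rd of user:role:type:level) of a context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# stdin: "restorecon -n -v" output. stdout: "PATH CURRENT_TYPE POLICY_TYPE".
# Assumed line format: Would relabel PATH from OLDCTX to NEWCTX
parse_dry_run() {
    while read -r w1 w2 path w4 from w6 to; do
        [ "$w1 $w2" = "Would relabel" ] || continue
        printf '%s %s %s\n' "$path" \
            "$(context_type "$from")" "$(context_type "$to")"
    done
}

# Keep only files still labeled with a /tmp type (rule 2: mv keeps the
# context the file got when it was created in /tmp).
moved_from_tmp() {
    parse_dry_run | awk '$2 == "tmp_t" || $2 == "user_tmp_t" { print $1 }'
}

# Constructed sample output, used when no SELinux tools are available.
sample_dry_run() {
cat <<'EOF'
Would relabel /etc/resolv.conf from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:net_conf_t:s0
Would relabel /var/www/html/index.html from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:httpd_sys_content_t:s0
some unrelated line
EOF
}

# Usage: sh check.sh /etc   (script name is hypothetical)
# Without an argument, or without restorecon, the sample is parsed instead.
if command -v restorecon >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    restorecon -R -n -v "$1" 2>&1 | moved_from_tmp
else
    sample_dry_run | moved_from_tmp
fi
```

Each path it prints can then be fixed with "restorecon PATH", which avoids a blind recursive chcon.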