On a Linux server, having the proper SELinux security context on files and directories is very important.
When you add a custom file to a directory that is already managed by SELinux policy, and that file does not carry the proper SELinux context, the confined service that reads it will be denied access and you will not get the expected result.
restorecon stands for Restore SELinux Context.
The restorecon command resets the SELinux security context of files and directories to the default values defined by the loaded policy. By default it resets only the type attribute of the context.
In this tutorial, we explain how to use the restorecon command with some practical examples.
1. Restore SELinux Context of a File
In the following example, the type portion of the SELinux context of index.html is “user_home_t”. This is wrong, and Apache will not be able to serve the file. With this security context you will see “permission denied” in Apache's error_log.
# cd /var/www/html
# ls -lZ index.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 index.html
Note: The Z (uppercase Z) option in the above ls command will display the SELinux context for a particular file.
When using the restorecon command, we do not need to know the correct original security context of the file; restorecon looks it up in the policy's file context specifications automatically.
The following example restores the security context of index.html to the proper value. As you see below, it has reset the type portion of the SELinux context to “httpd_sys_content_t”, which is the correct type. Apache will now serve this file without any error.
# restorecon index.html
# ls -lZ index.html
-rw-rw-r--. centos centos unconfined_u:object_r:httpd_sys_content_t:s0 index.html
2. Display Security Context Change on Screen
By default, the restorecon command does not tell you whether it changed a file's SELinux context.
v stands for verbose. The -v option displays the previous security context and the newly applied SELinux context, as shown below.
# restorecon -v index.html
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
3. Use Wildcards to Process Multiple Objects
Just like with any other Linux command, you can use shell wildcards for filenames, as shown below.
This will affect all files ending with the .html extension in the current directory.
restorecon -v *.html
This will affect all the files under the current directory.
restorecon -v *
This will affect all the files under /var/www/html directory.
restorecon -v /var/www/html/*
This will affect all files whose name ends with .htm followed by exactly one more character, such as .html (the ? wildcard matches any single character).
restorecon -v *.htm?
4. Process Files and Directories Recursively
You can also reset the security context of files recursively with the -R option, as shown below. Here we combine R with the v option.
This will reset the context of all files in /var/www/html and in its subdirectories.
# restorecon -vR /var/www/html
restorecon reset /var/www/html/sales/graph.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
You can also use a lower-case r for recursive. The following is exactly the same as the above command.
# restorecon -vr /var/www/html
5. Save List of Files with Incorrect SELinux Context
When resetting the SELinux context for a large set of files, you can use the -v option explained above if you only want to see which files changed. However, that only displays the list on the screen.
If you want to capture the list of files that had an incorrect security context in an output file, use the -o option.
o stands for output file.
In the following example, we store the list of files affected by the restorecon command in the file changed.log.
# restorecon -vR -o changed.log /var/www/html
restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/contact.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/data.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/sales context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/sales/graph.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
As expected, changed.log contains the list of affected filenames with their full paths, as shown below.
# cat changed.log
/var/www/html/about.html
/var/www/html/contact.html
/var/www/html/data.html
/var/www/html/index.html
/var/www/html/sales
/var/www/html/sales/graph.html
6. Restore Context Based on Input File
You can also restore the security context of a list of files read from an input file.
In the following example, all of these files under the /var/www/html directory currently have the wrong security context.
# ls -lZ
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 about.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 contact.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 data.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 index.html
drwxrwxr-x. centos centos unconfined_u:object_r:user_home_t:s0 sales
Create an input.txt file as shown below, listing only two files. Specify the full path of each file, including the directory.
# cat input.txt
/var/www/html/about.html
/var/www/html/data.html
To pass this input file to restorecon, use the -f option as shown below. This changes the SELinux context of only about.html and data.html.
# restorecon -vf input.txt
restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/data.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
Use the ls -lZ command to verify that only those two files' security contexts have changed.
# ls -lZ
-rw-rw-r--. centos centos unconfined_u:object_r:httpd_sys_content_t:s0 about.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 contact.html
-rw-rw-r--. centos centos unconfined_u:object_r:httpd_sys_content_t:s0 data.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 input.txt
drwxrwxr-x. centos centos unconfined_u:object_r:user_home_t:s0 sales
Note: Instead of specifying input.txt, you can also specify - (a hyphen), which reads the list of input files from standard input.
7. Ignore Files that Don't Exist
In the following example, we have created an input.txt that lists several files. We will use this list to reset the security context.
# cat input.txt
/var/www/html/about.html
/var/www/html/meeting.html
/var/www/html/directions.html
/var/www/html/data.html
But, as shown below, restorecon prints an error message for each file in the list that does not exist.
# restorecon -f input.txt
restorecon: lstat(/var/www/html/meeting.html) failed: No such file or directory
restorecon: lstat(/var/www/html/directions.html) failed: No such file or directory
To avoid this, use the -i option. i stands for ignore. As you see below, the same command with the -i option does not print any of the above error messages about missing files; it simply skips the missing files and moves on with the rest of the files in input.txt.
# restorecon -if input.txt
#
8. Perform Only a Dry Run of Restoring the SELinux Context
Instead of actually changing the SELinux context of files, you can view which files would be changed by using the -n option.
The -n option is a dry run.
With this option restorecon goes through all the motions of executing, but does not modify anything.
As you see below, we ran restorecon with the -n option on all files under the /var/www/html directory.
# restorecon -nv /var/www/html/*
restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/contact.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/data.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/sales context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
Even though the above restorecon output reports that the SELinux context of several files was changed, nothing was actually modified, because we used the -n option.
When you run ls -lZ as shown below, you can see that the SELinux context was not changed.
# ls -lZ /var/www/html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 about.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 contact.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 data.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 index.html
drwxrwxr-x. centos centos unconfined_u:object_r:user_home_t:s0 sales
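The dry-run output above is a cheap way to audit a directory tree for mislabelled files without touching it. The following script is an added example, not part of the original article: it parses the "restorecon reset PATH context OLD->NEW" lines from a -nv run, compares only the type component of each context, and skips error lines such as the lstat messages from section 7. The audit_tree helper and the sample output are assumptions constructed for the example; paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the original article): audit the result of a
# `restorecon -nv` dry run and report every path whose SELinux type would
# change, so a tree can be checked before anything is relabelled.

# Constructed sample of dry-run output: two mislabelled entries plus an
# lstat error line (as in section 7) that must be skipped, not reported.
SAMPLE_DRYRUN='restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon: lstat(/var/www/html/meeting.html) failed: No such file or directory
restorecon reset /var/www/html/sales context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0'

# Read dry-run output on stdin; print "PATH OLD_TYPE NEW_TYPE" for each reset
# line whose type (third field of user:role:type:level) differs. Paths with
# spaces are not handled, since awk splits on whitespace.
report_type_changes() {
    awk '$1 == "restorecon" && $2 == "reset" && $4 == "context" {
        split($5, ctx, "->")      # ctx[1] = current context, ctx[2] = policy default
        split(ctx[1], cur, ":")
        split(ctx[2], def, ":")
        if (cur[3] != def[3]) print $3, cur[3], def[3]
    }'
}

# Number of paths that would change; zero means the tree already matches policy,
# which makes this usable as a pass/fail check in a scheduled audit job.
count_type_changes() {
    report_type_changes | wc -l | tr -d ' '
}

# Hypothetical helper for real use: audit a directory recursively without
# modifying it. restorecon's error messages go to stderr, so merge them in.
audit_tree() {
    restorecon -nvR "$1" 2>&1 | report_type_changes
}

# Run the parser over the constructed sample.
printf '%s\n' "$SAMPLE_DRYRUN" | report_type_changes
```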
9. Display Current Progress During a Big Operation
When restoring the SELinux context of many files, the command may take some time. If you want to know what the command is currently doing, use the -p option.
The -p option displays the number of files processed so far, in increments of 1000 files. p stands for progress.
As you see below, here I am resetting the SELinux context of all files under the /var directory recursively with the -p option.
This shows that, so far, 2k files (2000 files) have been processed.
# restorecon -pr /var
2k
Note: If you reset the SELinux context of all files on the system with the -p option, it shows the percentage completed so far instead.
10. Exclude Directories from Processing
You can exclude a directory from processing with the -e option. e stands for exclude.
In the following example, we process all files under the /var/www/html directory but exclude the files in the /var/www/html/sales subdirectory.
# restorecon -e /var/www/html/sales -Rv /var/www/html
restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/contact.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/data.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
Please note that you must use the full path of the directory in the -e option. Otherwise, you will get the following error message.
# restorecon -e sales -Rv /var/www/html
Full path required for exclude: sales.
You can also exclude multiple directories by giving the -e option more than once, as shown below.
The following excludes both the sales and marketing directories from processing.
restorecon -e /var/www/html/sales -e /var/www/html/marketing -Rv /var/www/html