1. Restoring the default context of a single file
When you add a custom file to a directory that is already managed by SELinux policy, the file will not behave as expected unless it carries the appropriate SELinux context. The name restorecon stands for "restore context": the restorecon command resets the SELinux security context of files and directories to the default values defined by the policy. It resets only the type field of the SELinux context. In the following example, the index.html file carries the type "user_home_t" in its SELinux context; a file with this type is inaccessible to the Apache service.
[root@localhost ~]# ll -Z /var/www/html/index.html
-rw-rw-r--. root root unconfined_u:object_r:user_home_t:s0 13 Jan 7 11:14 /var/www/html/index.html
Note: The -Z option of the ls command shown above displays the SELinux context of the file. When we use the restorecon command, we do not need to know what the file's original context was; restorecon looks up the default in the policy and fixes it automatically.
The following example restores the security context of index.html to the appropriate value. As shown below, the type of the SELinux context has been reset to "httpd_sys_content_t", and Apache can now serve this file without errors.
[root@localhost ~]# restorecon /var/www/html/index.html
[root@localhost ~]# ll -Z /var/www/html/index.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 13 Jan 7 11:14 /var/www/html/index.html
2. Reporting the changes restorecon makes
By default, restorecon does not report whether it changed the security context of a file. Use the -v option to make it print each relabel it performs, as in the following example.
[root@localhost ~]# restorecon -v /var/www/html/index.html
Relabeled /var/www/html/index.html from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
3. Using wildcards to handle multiple objects
The following example resets the security context of all the files in the directory that the shell wildcard expands to.
[root@localhost ~]# restorecon -v /var/www/html/*
4. Recursively handling files and directories
You can also use the -R option to recursively reset the security context of a directory and everything below it.
[root@localhost ~]# restorecon -Rv /var/www/html/
Relabeled /var/www/html/sales from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/sales/graph.html from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
5. Restoring contexts from an input file
You can save the paths of the files or directories whose security context needs to be restored in a file and pass that file to restorecon with the -f option. In the example below, the default security context needs to be restored on the /var/www/html/testdir directory and on the files listed. First create a file input.txt and fill it with the directories or the full paths of the files whose default security context should be restored:
[root@localhost ~]# vim input.txt
[root@localhost ~]# cat input.txt
/var/www/html/testdir
/var/www/html/testdir/file1.txt
/var/www/html/testdir/file3.txt
/var/www/html/testdir/file5.txt
/var/www/html/testdir/file7.txt
/var/www/html/testdir/file9.txt
Now use restorecon to restore the contexts. Because -R is also given, the directory entry in the list makes restorecon relabel everything under testdir, not only the files listed:
[root@localhost ~]# restorecon -Rvf input.txt
Relabeled /var/www/html/testdir from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file1.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file2.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file3.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file4.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file5.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file6.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file7.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file8.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file9.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file10.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
6. Excluding directories
You can also use the -e option to exclude directories that do not need their security context restored. In the following example, we handle all the files in the /var/www/html directory except those in the /var/www/html/sales subdirectory.
[root@localhost html]# restorecon -e /var/www/html/sales -Rv /var/www/html
You can also give the -e option several times to exclude multiple files or directories.
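Before running a recursive relabel on a production tree, a practitioner usually wants to know what restorecon would change. The following added example (not from the original page) wraps restorecon's dry-run mode (-n, which reports but does not change labels) and summarises the -v output from the procedure above by type transition, so an unexpected transition stands out before anything is touched. The wrapper needs a real SELinux host; the summary functions run on a constructed sample below.

```bash
#!/bin/sh
# Added example: audit what restorecon WOULD relabel before doing it.

# restorecon_audit: dry-run (-n), verbose (-v), recursive (-R) over one path.
# Requires restorecon and an SELinux-enabled host; not invoked here.
restorecon_audit() {
    restorecon -nvR "$1"
}

# summarise_relabels: reads "Relabeled PATH from CTX to CTX" lines on stdin
# and prints one line per type transition: "old_type -> new_type count".
# Only the type field (third ":"-separated field) is compared, since
# restorecon resets only the type part of the context.
summarise_relabels() {
    awk '$1 == "Relabeled" && $3 == "from" && $5 == "to" {
        split($4, o, ":"); split($6, n, ":")
        key = o[3] " -> " n[3]; c[key]++
    }
    END { for (k in c) print k, c[k] }' | sort
}

# count_mislabeled: number of objects that would be relabeled.
count_mislabeled() {
    grep -c '^Relabeled '
}

# Constructed sample of restorecon -v output (not captured from a real host),
# in the format shown on the page above.
SAMPLE='Relabeled /var/www/html/index.html from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/sales from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/sales/graph.html from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0'

# On a real host: restorecon_audit /var/www/html | summarise_relabels
printf '%s\n' "$SAMPLE" | summarise_relabels
```

Any transition whose new type is not the one you expect for that directory (for example a web root gaining a writable type) is worth investigating before the real relabel is run.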
Summary
The restorecon command resets the SELinux security context of files and directories to the default values defined by the policy. It resets only the type field of the SELinux context.