Examples of restorecon command

Time:2021-6-11

When you add a custom file to a directory already managed by SELinux policy, and that file does not carry the appropriate SELinux context, you will not get the expected results. The name restorecon means "restore context": the command resets the SELinux security context of files and directories to the default values defined by policy. By default it resets only the type part of the SELinux context.
1. Recover the SELinux context of the file
In the following example, the index.html file has the context type user_home_t. Apache (httpd) cannot access files with this context type.

[root@localhost ~]# ll -Z /var/www/html/index.html
-rw-rw-r--. root root unconfined_u:object_r:user_home_t:s0 13 Jan 7 11:14 /var/www/html/index.html
Note: the -Z option of the ls command above displays the SELinux context of a specific file. When we use the restorecon command, we do not need to know what the correct security context of the file should be; restorecon looks it up in policy and fixes it automatically.

The following example restores the security context of index.html to the appropriate value. As shown below, the type of the SELinux context has been reset to httpd_sys_content_t, so Apache can now serve the file without errors.

[root@localhost ~]# restorecon /var/www/html/index.html
[root@localhost ~]# ll -Z /var/www/html/index.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 13 Jan 7 11:14 /var/www/html/index.html
2. Output information when changing the security context
By default, restorecon does not report whether it changed a file's security context. With the -v option it prints a line for each file it relabeled, showing the old and new context:

[root@localhost ~]# restorecon -v /var/www/html/index.html
Relabeled /var/www/html/index.html from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0

3. Use wildcards to handle multiple objects
The following example will modify the security context of all files under the directory.

[root@localhost ~]# restorecon -v /var/www/html/*

4. Recursively handle files and directories
You can also use the -R option to recursively reset the security context of a directory and everything beneath it.

[root@localhost ~]# restorecon -Rv /var/www/html/
Relabeled /var/www/html/sales from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/sales/graph.html from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
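Before relabeling a whole web root, a defender usually wants to see which files have drifted from the policy default without touching anything yet. The following is an added example, not code from the original article: it uses restorecon's -n option (check only, change nothing) together with -R and -v to produce the same "Relabeled ... from ... to ..." report shown above, then parses that report with awk so the current type and the policy-expected type of each path can be reviewed side by side. The SAMPLE_REPORT text is constructed for demonstration, and the function names are my own; only label_drift_report needs a real SELinux host.

```shell
#!/bin/sh
# Added example (not from the original article): audit SELinux label drift
# under a directory before fixing it with restorecon.

# Constructed sample of 'restorecon -nvR /var/www/html' output, so the
# parsing functions can be exercised on a host without SELinux.
SAMPLE_REPORT='Relabeled /var/www/html/index.html from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/sales from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/upload/x.php from unconfined_u:object_r:httpd_sys_rw_content_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0'

# On a real SELinux host: run restorecon in check-only mode (-n) so it
# prints one "Relabeled ... from ... to ..." line per mismatched path
# and changes nothing. Review the output, then drop -n to apply.
label_drift_report() {
    restorecon -nvR "$1"
}

# Reduce a verbose restorecon report (read from stdin) to
# "path<TAB>current_type<TAB>expected_type", keeping only the type field
# of each context, which is the part restorecon resets by default.
parse_drift() {
    awk '$1 == "Relabeled" && $3 == "from" && $5 == "to" {
        split($4, cur, ":"); split($6, want, ":");
        printf "%s\t%s\t%s\n", $2, cur[3], want[3]
    }'
}

# Number of drifted paths in a report read from stdin.
count_drift() {
    parse_drift | wc -l | tr -d ' '
}

# Current (wrong) type of one path in a report read from stdin;
# prints nothing if that path is not in the report.
current_type_of() {
    parse_drift | awk -v p="$1" -F '\t' '$1 == p { print $2 }'
}

# Demo on the constructed sample (no SELinux needed):
printf '%s\n' "$SAMPLE_REPORT" | parse_drift
```

On a live system the workflow is `label_drift_report /var/www/html | parse_drift` to review, then `restorecon -Rv /var/www/html` to apply. A path whose current type is one the web server can already write to (httpd_sys_rw_content_t in the constructed sample) deserves a second look before it is relabeled, because the drift itself may be the sign of an earlier change worth investigating.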

5. Restore the context according to the input file
You can save the paths of the files or directories whose security context needs to be restored in a file, and use the -f option to point restorecon at that file. In the following example, the /var/www/html/testdir directory and the specified files under it need their default security context restored:
First, create a file input.txt, and fill in the directory or the full path of the file that needs to restore the default security context.

[root@localhost ~]# vim input.txt
[root@localhost ~]# cat input.txt
/var/www/html/testdir
/var/www/html/testdir/file1.txt
/var/www/html/testdir/file3.txt
/var/www/html/testdir/file5.txt
/var/www/html/testdir/file7.txt
/var/www/html/testdir/file9.txt
Use restorecon to restore them. Note that because -R is combined with a directory entry in the input file, every file under testdir is relabeled, not only the files listed:

[root@localhost ~]# restorecon -Rvf input.txt
Relabeled /var/www/html/testdir from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file1.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file2.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file3.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file4.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file5.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file6.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file7.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file8.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file9.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/testdir/file10.txt from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0

6. Exclude a directory
You can also use the -e option to exclude directories whose security context should not be restored.
In the following example, we process all the files in the /var/www/html directory, but skip the files in the /var/www/html/sales subdirectory.

[root@localhost html]# restorecon -e /var/www/html/sales -Rv /var/www/html
You can also pass the -e option several times to exclude multiple files or directories.

Summary
The restorecon command resets the SELinux security context of files and directories to the default values. This only resets the type properties of the SELinux context.