10 Linux restorecon Command Examples to Restore SELinux Context

On your Linux server, having the proper SELinux security context on files and directories is very important.

When you add a custom file to a directory that is already managed by SELinux policy, and that file doesn’t carry the proper SELinux context, you will not get the expected result.

restorecon stands for Restore SELinux Context.

The restorecon command resets the SELinux security context of files and directories to the default values defined by the loaded policy. By default it resets only the type attribute of the SELinux context.

In this tutorial, we’ll explain how to use the restorecon command with some practical examples.

1. Restore SELinux Context of a File

In the following example, the index.html file has “user_home_t” as the type in its SELinux context. This is wrong, and Apache will not be able to serve this file. With this security context you’ll see “permission denied” in Apache’s error_log.

  # cd /var/www/html
  # ls -lZ index.html
  -rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 index.html

Note: The -Z (uppercase Z) option in the above ls command displays the SELinux context of each file.

When using the restorecon command, we don’t have to know the correct original security context of the file. restorecon figures that out for us automatically by looking up the default for that path in the policy’s file-context specifications.

The following example restores the security context of index.html to the proper value. As you see below, it has reset the type portion of the SELinux context to “httpd_sys_content_t”, which is the correct type. Now Apache will be able to serve this file without any error.

  # restorecon index.html
  # ls -lZ index.html
  -rw-rw-r--. centos centos unconfined_u:object_r:httpd_sys_content_t:s0 index.html

2. Display Security Context Change on Screen

By default, when you execute the restorecon command, it does not tell you whether it changed the file’s SELinux context.

v stands for verbose. The -v option displays on the screen the previous security context and the newly set SELinux context, as shown below.

  # restorecon -v index.html
  restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

3. Use Wildcards to Process Multiple Objects

Just like any other Linux command, you can also use wildcards for filenames as shown below.

This will affect all the files ending with the .html extension in the current directory.

  restorecon -v *.html  

This will affect all the files under the current directory.

  restorecon -v *  

This will affect all the files directly under the /var/www/html directory.

  restorecon -v /var/www/html/*  

This will affect all the files whose name ends in .htm followed by exactly one more character, for example .html (the ? matches any single character).

  restorecon -v *.htm?  

4. Process Files and Directories Recursively

You can also reset the security context of files recursively. Use the -R option as shown below. Here we are combining the R and v options.

This will reset the context of all the files in /var/www/html and in its subdirectories.

  # restorecon -vR /var/www/html
  restorecon reset /var/www/html/sales/graph.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

You can also use a lower-case r for recursive. The following is exactly the same as the above command.

  # restorecon -vr /var/www/html  

5. Save List of Files with Incorrect SELinux Context

When you are resetting the SELinux context for a large set of files and are interested in seeing only the changed files, you can use the -v option as previously explained. But that only displays them on the screen.

If you want to capture the list of files that had an incorrect security context in an output file, use the -o option.

o stands for output file.

In the following example, we store the list of files affected by the restorecon command in the changed.log file.

  # restorecon -vR -o changed.log /var/www/html
  restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
  restorecon reset /var/www/html/contact.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
  restorecon reset /var/www/html/data.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
  restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
  restorecon reset /var/www/html/sales context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
  restorecon reset /var/www/html/sales/graph.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

As expected, the changed.log file contains the list of affected filenames with their full paths, as shown below.

  # cat changed.log
  /var/www/html/about.html
  /var/www/html/contact.html
  /var/www/html/data.html
  /var/www/html/index.html
  /var/www/html/sales
  /var/www/html/sales/graph.html

6. Restore Context Based on Input File

You can also restore the security context of a list of files that you supply in an input file.

In the following, all the files under the /var/www/html directory currently have the wrong security context.

  # ls -lZ
  -rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 about.html
  -rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 contact.html
  -rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 data.html
  -rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 index.html
  drwxrwxr-x. centos centos unconfined_u:object_r:user_home_t:s0 sales

Create an input.txt file as shown below, listing only two files. Each entry must be the full path of the file, including the directory.

  # cat input.txt
  /var/www/html/about.html
  /var/www/html/data.html

To pass this input file to restorecon, use the -f option as shown below. This changes the SELinux context of only about.html and data.html.

  # restorecon -vf input.txt
  restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
  restorecon reset /var/www/html/data.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

Use the ls -lZ command to verify that only those two files’ security context has changed.

  # ls -lZ
  -rw-rw-r--. centos centos unconfined_u:object_r:httpd_sys_content_t:s0 about.html
  -rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 contact.html
  -rw-rw-r--. centos centos unconfined_u:object_r:httpd_sys_content_t:s0 data.html
  -rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 index.html
  -rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_content_t:s0 input.txt
  drwxrwxr-x. centos centos unconfined_u:object_r:user_home_t:s0 sales

Note: Instead of specifying input.txt, you can also specify - (a single hyphen), which reads the list of input files from standard input.

7. Ignore Files That Don’t Exist

In the following example, we have created an input.txt that lists several files. We’ll use this list to reset the security context.

  # cat input.txt
  /var/www/html/about.html
  /var/www/html/meeting.html
  /var/www/html/directions.html
  /var/www/html/data.html

But, as shown below, restorecon prints an error message for every file in the list that is not present.

  # restorecon -f input.txt
  restorecon:  lstat(/var/www/html/meeting.html) failed:  No such file or directory
  restorecon:  lstat(/var/www/html/directions.html) failed:  No such file or directory

To avoid this, use the -i option. i stands for ignore. As you see below, the same command with the -i option doesn’t print any of the above error messages about missing files. It simply ignores the missing files and moves on with the rest of the files in input.txt.

  # restorecon -if input.txt
  #

8. Perform only Dry-Run of Restore SELinux Context

Instead of actually changing the SELinux context of the files, you can just view which files would be changed by using the -n option.

The -n option is a dry run.

When you use it, restorecon goes through all the motions of the normal command but does not actually modify anything.

As you see below, we’ve executed restorecon with the -n option on all the files under the /var/www/html directory.

  # restorecon -nv /var/www/html/*
  restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
  restorecon reset /var/www/html/contact.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
  restorecon reset /var/www/html/data.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
  restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
  restorecon reset /var/www/html/sales context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

Even though the above restorecon output shows the SELinux context of several files being changed, nothing was actually modified, because we used the -n option.

When you run ls -lZ as shown below, you can see that the SELinux context was not really changed.

  # ls -lZ /var/www/html
  -rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 about.html
  -rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 contact.html
  -rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 data.html
  -rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 index.html
  drwxrwxr-x. centos centos unconfined_u:object_r:user_home_t:s0 sales
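
The dry run in this section, the -o change list in section 5 and the -f input file in section 6 fit together into a review-before-apply workflow. The following POSIX shell helper is an added example, not code from the original article: it parses the "restorecon reset ... context OLD->NEW" lines of a -nv dry run, reports the type transition per path, flags any object whose new type is not the one you expect under a web root, and emits the path list in the form -f consumes. The sample output, the function names and the /var/www/html/upload line with httpd_sys_rw_content_t are constructed for this example.

```sh
# Return the SELinux type (third colon-separated field) of a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read restorecon -nv output on stdin; print "path old_type new_type" for
# every "reset" line. lstat errors and any other lines are skipped.
parse_dryrun() {
    while IFS= read -r line; do
        case "$line" in
            "restorecon reset "*" context "*"->"*) ;;
            *) continue ;;
        esac
        rest=${line#"restorecon reset "}
        path=${rest%%" context "*}
        pair=${rest#*" context "}
        printf '%s %s %s\n' "$path" \
            "$(ctx_type "${pair%%->*}")" "$(ctx_type "${pair#*->}")"
    done
}

# Number of objects the dry run would relabel.
count_relabels() {
    parse_dryrun | wc -l | tr -d ' '
}

# Paths whose new type differs from the expected type given as $1, so an
# unexpected relabel can be reviewed before restorecon is run for real.
flag_unexpected() {
    parse_dryrun | while read -r path old new; do
        [ "$new" = "$1" ] || printf '%s\n' "$path"
    done
}

# Paths only, one per line, ready to be used as the -f (or -if) input file.
dryrun_to_input() {
    parse_dryrun | cut -d' ' -f1
}

# Constructed sample: one lstat error, one expected relabel, one unexpected.
SAMPLE='restorecon: lstat(/var/www/html/meeting.html) failed: No such file or directory
restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/upload context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_rw_content_t:s0'

printf '%s\n' "$SAMPLE" | parse_dryrun
printf '%s\n' "$SAMPLE" | flag_unexpected httpd_sys_content_t
```

On a real host, replace the sample with a pipeline such as restorecon -nvR /var/www/html | flag_unexpected httpd_sys_content_t, and feed dryrun_to_input's output to restorecon -if once the list looks right.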

9. Display Current Progress during Big Operation

When you are restoring the SELinux context of many files, the command might take some time. If you want to know what the command is currently doing, use the -p option.

The -p option displays the number of files processed so far, in increments of 1000 files. p stands for progress.

As you see below, here I’m resetting the SELinux context of all the files under the /var directory recursively with the -p option.

This shows that as of now, 2k files (2000 files) are processed.

  # restorecon -pr /var
  2k

Note: If you are resetting the SELinux context for all the files on your system using the -p option, it shows the current percentage complete instead.

10. Exclude Directories from Processing

You can also exclude a directory from processing using the -e option. e stands for exclude.

In the following example, we process all the files under the /var/www/html directory but exclude the files in the /var/www/html/sales subdirectory.

  # restorecon -e /var/www/html/sales -Rv /var/www/html
  restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
  restorecon reset /var/www/html/contact.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
  restorecon reset /var/www/html/data.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
  restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

Please note that you must use the full path of the directory in the -e option. If not, you’ll get the following error message.

  # restorecon -e sales -Rv /var/www/html
  Full path required for exclude: sales.

You can also exclude multiple directories by giving the -e option more than once, as shown below.

The following excludes both the sales and the marketing directories from processing.

  restorecon -e /var/www/html/sales -e /var/www/html/marketing -Rv /var/www/html  