Restorecon stands for “Restore SELinux Context”. The restorecon command resets the SELinux security context of files and directories to the default values defined by the loaded policy. By default it resets only the type attribute of the context.

On your Linux server, having the proper SELinux security context on files and directories is very important. When you add a custom file to a directory that is already managed by SELinux policy, and that file does not carry the proper SELinux context, you will not get the expected result: the confined service is denied access to it.

In this tutorial, we’ll explain how to use restorecon command with some practical examples.


1. Restore SELinux Context of a File

In the following example, the index.html file has “user_home_t” as the type in its SELinux context. This is wrong, and apache will not be able to serve the file. With this security context you will see a permission denied error in apache's error_log (and a matching AVC denial in the audit log).


# cd /var/www/html

# ls -lZ index.html 
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 index.html

Note: The Z (uppercase Z) option in the above ls command will display the SELinux context for a particular file.

The following example will restore the security context of index.html to the proper value. As you see below, it has reset the type portion of the SELinux context to “httpd_sys_content_t”. This is the correct type. Now, apache will be able to serve this file without any error.

# restorecon index.html

# ls -lZ index.html 
-rw-rw-r--. centos centos unconfined_u:object_r:httpd_sys_content_t:s0 index.html

2. Display Security Context Change on Screen

By default, when you execute the restorecon command, it does not tell you whether it changed the file’s SELinux context.

v stands for verbose. The -v option displays on the screen the previous security context and the newly assigned SELinux context, as shown below.

# restorecon -v index.html 
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

3. Use wildcard to Process Multiple Objects

Just like any other Linux command, you can also use wildcards for filenames as shown below.

This will affect all the files ending with the .html extension in the current directory.

restorecon -v *.html

This will affect all the files under the current directory.

restorecon -v *

This will affect all the files under /var/www/html directory.

restorecon -v /var/www/html/*

This will affect all the files whose name ends with .htm followed by exactly one more character, for example .html (the ? wildcard matches a single character, so a name ending in plain .htm is not matched).

restorecon -v *.htm?


4. Process Files and Directories Recursively

You can also reset the security context of files recursively. Use the -R option as shown below. Here we are combining the R and v options.

This will reset the context of all the files in /var/www/html and in its subdirectories.

# restorecon -vR /var/www/html
restorecon reset /var/www/html/sales/graph.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

You can also use a lower-case r for recursive. The following is exactly the same as the above command.

# restorecon -vr /var/www/html

5. Save List of Files with Incorrect SELinux Context

When you are resetting the SELinux context for a large set of files and want to see only the files that changed, you can use the -v option as previously explained. But that only displays them on the screen.

If you want to capture the list of files with incorrect security context in an output file, use the -o option.

o stands for output file.

In the following example, we are storing the list of files that got affected by the restorecon command in the changed.log file.

# restorecon -vR -o changed.log /var/www/html
restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/contact.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/data.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/sales context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/sales/graph.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

As expected, the changed.log file contains the list of affected filenames with their full paths, as shown below.

# cat changed.log
/var/www/html/about.html
/var/www/html/contact.html
/var/www/html/data.html
/var/www/html/index.html
/var/www/html/sales
/var/www/html/sales/graph.html

6. Restore Context Based on Input File

You can also restore the security context of a list of files that you have from an input file.

In the following, all the files under the /var/www/html directory currently have the wrong security context.

# ls -lZ
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 about.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 contact.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 data.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 index.html
drwxrwxr-x. centos centos unconfined_u:object_r:user_home_t:s0 sales

Create an input.txt file as shown below, listing only two files. Specify the full path of each file, including the directory.

# cat input.txt
/var/www/html/about.html
/var/www/html/data.html

To specify this input file in the restorecon, use the -f option as shown below. This will change the SELinux context for only about.html and data.html as shown below.

# restorecon -vf input.txt 
restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/data.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

Use the ls -lZ command to verify that only those two files' security context has changed.

# ls -lZ
-rw-rw-r--. centos centos unconfined_u:object_r:httpd_sys_content_t:s0 about.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 contact.html
-rw-rw-r--. centos centos unconfined_u:object_r:httpd_sys_content_t:s0 data.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 index.html
-rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_content_t:s0 input.txt
drwxrwxr-x. centos centos unconfined_u:object_r:user_home_t:s0 sales

Note: Instead of specifying input.txt, you can also specify - (a single dash), which reads the list of input files from standard input.


7. Ignore Files that Don’t Exist

In the following example, we have created an input.txt that contains a list of several files. We’ll use this list to reset the security context.

# cat input.txt 
/var/www/html/about.html
/var/www/html/meeting.html
/var/www/html/directions.html
/var/www/html/data.html

But, as shown below, restorecon displays an error message for every file in the list that is not present.

# restorecon -f input.txt
restorecon:  lstat(/var/www/html/meeting.html) failed:  No such file or directory
restorecon:  lstat(/var/www/html/directions.html) failed:  No such file or directory

To avoid this, use the -i option. i stands for ignore. As you see below, the same command with the -i option does not give any of the above error messages about missing files. It simply ignores the missing files and moves on with the rest of the files in input.txt.

# restorecon -if input.txt
#
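Sections 6 and 7 together describe the two things that trip up -f lists: entries must be full paths, and missing entries produce lstat errors unless -i is given. The script below is an added example and is not part of the original tutorial. It resolves relative entries against a base directory, drops entries that do not exist while reporting them on stderr, and hands the clean list to restorecon -f. The function names prepare_restore_list and restore_from_list are this example's own, and only restore_from_list needs a host with SELinux and restorecon.

```shell
#!/bin/sh
# Added example, not from the original tutorial: build a clean input list
# for "restorecon -f" from candidate paths read on stdin. Entries become
# absolute paths, relative entries are resolved against BASE_DIR, and
# missing entries are reported on stderr and dropped, so the run needs
# neither -i nor guesswork about what was silently skipped.

# Usage: prepare_restore_list BASE_DIR < candidates.txt > input.txt
# Returns 0 if every candidate exists, 1 if any were dropped.
prepare_restore_list() {
    base=$1
    dropped=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue           # skip blank lines
        case $entry in
            /*) path=$entry ;;                # already a full path
            *)  path=$base/$entry ;;          # relative: anchor at BASE_DIR
        esac
        # restorecon uses lstat, so a dangling symlink is still a valid
        # entry; test for the link itself as well as for its target.
        if [ -e "$path" ] || [ -L "$path" ]; then
            printf '%s\n' "$path"
        else
            printf 'skipping missing entry: %s\n' "$path" >&2
            dropped=$((dropped + 1))
        fi
    done
    [ "$dropped" -eq 0 ]
}

# Restore contexts for the cleaned list. Needs a SELinux host with
# restorecon installed. Usage: restore_from_list /var/www/html < candidates.txt
restore_from_list() {
    list=$(mktemp)
    prepare_restore_list "$1" > "$list" || echo "some entries were skipped" >&2
    restorecon -vf "$list"
    rm -f "$list"
}
```

The return code of prepare_restore_list lets a deployment script fail loudly when the manifest and the filesystem disagree, instead of letting -i hide the discrepancy.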

8. Perform only Dry-Run of Restore SELinux Context

Instead of really changing the SELinux context of the files, you can just view what files might potentially get changed by using -n option.

The -n option is like a dry-run.

When you use this, it will go through all the motions of executing the restorecon command, but will not really do anything.

As you see below, we’ve executed the restorecon with -n option on all the files under /var/www/html directory.

# restorecon -nv /var/www/html/*
restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/contact.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/data.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/sales context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

Even though the above restorecon output shows the SELinux context of several files being changed, it did not actually do anything, because we used the -n option.

When you do the ls -lZ as shown below, you can see that the SELinux context was not really changed.

# ls -lZ /var/www/html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 about.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 contact.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 data.html
-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 index.html
drwxrwxr-x. centos centos unconfined_u:object_r:user_home_t:s0 sales
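The dry-run output above, like the -v output in section 2 and the -o list in section 5, can be parsed to review label drift before anything is changed. The following script is an added example and is not part of the original tutorial: parse_reset_line, drift_report and audit_tree are names chosen here, the sample dry-run text is constructed (the /var/www/cgi-bin entry and its httpd_sys_script_exec_t target type are assumed, not taken from the tutorial), and only audit_tree needs a host with restorecon installed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: turn "restorecon -nRv DIR"
# dry-run output into a drift report so mislabelled files can be reviewed
# before their context is actually reset. Assumes the line format shown in
# the tutorial (paths without spaces):
#   restorecon reset PATH context OLD_CONTEXT->NEW_CONTEXT

# Print "PATH OLD_TYPE NEW_TYPE" for one "restorecon reset ..." line and
# nothing for any other line (lstat errors, progress counters). The type
# is the third colon-separated field of an SELinux context.
parse_reset_line() {
    printf '%s\n' "$1" | awk '
        $1 == "restorecon" && $2 == "reset" && $4 == "context" {
            split($5, ctx, "->")
            split(ctx[1], old, ":")
            split(ctx[2], new, ":")
            print $3, old[3], new[3]
        }'
}

# Read dry-run output on stdin. Writes the affected paths, one per line
# (the same shape as the file restorecon -o produces), to the file named
# in $1 and prints a count of each old-type -> new-type transition.
# Returns 0 when the tree already matches policy and 1 when any file
# would be relabelled, so it can gate a deployment check.
drift_report() {
    outfile=$1
    tmp=$(mktemp)
    while IFS= read -r line; do
        parse_reset_line "$line"
    done > "$tmp"
    awk '{ print $1 }' "$tmp" > "$outfile"
    awk '{ print $2 " -> " $3 }' "$tmp" | sort | uniq -c
    count=$(wc -l < "$tmp" | tr -d ' ')
    rm -f "$tmp"
    [ "$count" -eq 0 ]
}

# Real audit of a directory tree: needs a SELinux host with restorecon.
# Usage: audit_tree /var/www /tmp/would-change.txt
audit_tree() {
    command -v restorecon >/dev/null 2>&1 || {
        echo "restorecon not found on this host" >&2
        return 2
    }
    restorecon -nRv "$1" | drift_report "$2"
}

# Constructed sample input: the tutorial's dry-run lines for /var/www/html,
# an assumed CGI script under /var/www/cgi-bin, and one lstat error line.
SAMPLE_DRYRUN='restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/sales context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/cgi-bin/app.cgi context system_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0
restorecon:  lstat(/var/www/html/meeting.html) failed:  No such file or directory'
```

Run it offline with printf '%s\n' "$SAMPLE_DRYRUN" | drift_report /tmp/would-change.txt; the transition summary makes an unexpected target type (a web file about to become an executable script type, for instance) stand out before restorecon is run for real.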

9. Display Current Progress during Big Operation

When you are restoring the SELinux context of many files, the command might take some time. If you want to know what the command is currently doing, use the -p option.

The -p option displays the number of files processed so far, in increments of 1000 files. p stands for progress.

As you see below, here I’m resetting the SELinux context of all the files under /var directory recursively with -p option.

This shows that as of now, 2k files (2000 files) are processed.

# restorecon -pr /var
2k

Note: If you are resetting the SELinux context for all the files in your operating system using the -p option, it will show the percentage complete currently.


10. Exclude Directories from Processing

You can also exclude a directory from processing with the -e option. e stands for exclude.

In the following example, we are processing all the files under /var/www/html directory, but excluding the files from /var/www/html/sales sub-directory.

# restorecon -e /var/www/html/sales -Rv /var/www/html
restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/contact.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/data.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

Please note that you should use the full-path of the directory in the -e option. If not, you’ll get the following error message.

# restorecon -e sales -Rv /var/www/html
Full path required for exclude: sales.

You can also exclude multiple directories by providing the -e option more than once, as shown below.

The following will exclude both the sales and marketing directories from processing.

restorecon -e /var/www/html/sales -e /var/www/html/marketing -Rv /var/www/html
