restorecon is made up of two words, restore and context, and the restorecon command in Linux does exactly what its name says: it restores the SELinux context. In this post we share 12 examples of the restorecon command in Linux.
More precisely, the restorecon command in Linux resets the SELinux security context of files and directories to the default values defined by the policy. Unless forced, restorecon resets only the TYPE attribute of the SELinux context, which is the part of the context that matters most in practice.
Let us first see a little bit about what the SELinux context is.
What is SELinux context
On a server running SELinux, every file and directory is labeled with security-relevant information. This label is called the SELinux context.
For files, you can see the context with the ls -Z command. Please see the example below.
# ls -Z file2
-rw-rw-r-- user2 group2 unconfined_u:object_r:user_home_t:s0 file2
Here the context consists of an SELinux user (unconfined_u), a role (object_r), a type (user_home_t), and a level (s0). SELinux uses this information when making access control decisions.
Linux has several commands for managing the SELinux context of files: chcon, semanage fcontext, and restorecon. In this post we focus on two of them, the restorecon command and the semanage fcontext command.
If you need to know more about the chcon command in Linux, you can refer to our earlier post that discusses chcon with examples. Just to mention: SELinux context changes made with chcon are not persistent, because a relabel restores the policy default. Persistent changes can only be made with semanage fcontext in conjunction with restorecon.
So let us look at the restorecon command in Linux. To understand it better, you can refer to the restorecon man page displayed below.
# man restorecon
restorecon(8)                                                    restorecon(8)

NAME
       restorecon - restore file(s) default SELinux security contexts.

SYNOPSIS
       restorecon [-o outfilename ] [-R] [-n] [-p] [-v] [-e directory ] pathname...
       restorecon -f infilename [-o outfilename ] [-e directory ] [-R] [-n] [-p] [-v] [-F]

DESCRIPTION
       This manual page describes the restorecon program.
       This program is primarily used to reset the security context (type) (extended attributes) on one or more files.
       It can be run at any time to correct errors, to add support for new policy, or with the -n option it can just check whether the file contexts are all as you expect.
       If a file object does not have a context, restorecon will write the default context to the file object's extended attributes. If a file object has a context, restorecon will only modify the type portion of the security context. The -F option will force a replacement of the entire context.

OPTIONS
       -i     ignore files that do not exist
       -f infilename
              infilename contains a list of files to be processed by application. Use - for stdin.
       -e directory
              directory to exclude (repeat option for more than one directory.)
       -R -r  change files and directories file labels recursively
       -n     don't change any file labels.
       -o outfilename
              save list of files with incorrect context in outfilename.
       -p     show progress by printing * every 1000 files.
       -v     show changes in file labels.
       -F     Force reset of context to match file_context for customizable files, and the default file context, changing the user, role, range portion as well as the type.

NOTE: restorecon does not follow symbolic links.
1. How to restore SELinux context
# ls -Z file3
-rw-rw-r-- user group unconfined_u:object_r:samba_share_t:s0 file3
You can use the restorecon command to restore the SELinux context of file3. Add the -v option to see what has been changed.
# /sbin/restorecon -v file3
restorecon reset file3 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:user_home_t:s0
2. How to change SELinux context persistently
In the output above, the word reset confirms that the context had been changed earlier and that restorecon reset it to the system default. Now let us see how to fix the SELinux context of a user's home directory when it lives outside /home.
If the SELinux context under /var is changed, odd problems can occur, such as logging failures for /var/log/messages and /var/log/secure, so it pays to know how to fix labels properly.
To fix the labels properly in this case, we use the semanage fcontext command together with restorecon.
# semanage fcontext -a -e /home <path>
# restorecon -R -v <path>
The -e option copies every file context rule that matches /home and substitutes <path> for it. This is what you want for home directories kept under a different top-level directory.
For example, you can execute commands like the following.
# semanage fcontext -a -t home_root_t "/disk1"
# semanage fcontext -a -e /home /disk1/home
# restorecon -R -v /disk1
3. Changing a File’s Type
In this example we change only a file's type, leaving the other attributes of the SELinux context untouched.
Create a new file with the touch command as the root user.
# touch /etc/file2
By default, newly created files in the /etc/ directory are labeled with the etc_t type, as shown below.
# ls -Z /etc/file2
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file2
Now run semanage fcontext as the root user, as shown below, to change the type of file2 to samba_share_t.
# /usr/sbin/semanage fcontext -a -t samba_share_t /etc/file2
The -a option adds a new record, and the -t option defines the type (samba_share_t).
Please note that running semanage fcontext does not directly change the type of file2; it is still labeled with the etc_t type, as you can see below.
# ls -Z /etc/file2
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file2
The command above adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local:
/etc/file2 unconfined_u:object_r:samba_share_t:s0
So we have to use the restorecon command to apply the new type.
# /sbin/restorecon -v /etc/file2
restorecon reset /etc/file2 context unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0
Because semanage added an entry to file_contexts.local for /etc/file2, /sbin/restorecon changes the type to samba_share_t.
Now remove file2:
# rm -i /etc/file2
Then remove the context rule added for /etc/file2:
# /usr/sbin/semanage fcontext -d /etc/file2
When the context is removed, running restorecon changes the type to etc_t, rather than samba_share_t.
4. Changing a Directory’s Type
In this example we create a new directory and change its type so that the Apache HTTP Server can use it.
# mkdir /www
# ls -dZ /www
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /www
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /www
# ls -dZ /www
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /www
# /sbin/restorecon -v /www
restorecon reset /www context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
Note that, by default, newly created files and directories inherit their SELinux type from the parent directory, which is why /www started out as default_t.
# /usr/sbin/semanage fcontext -d /www
# /sbin/restorecon -v /www
This restores the default SELinux context of /www.
5. Changing the Types of a Directory and its Contents
Let us understand this using commands.
# mkdir /www
# touch /www/file1
# touch /www/file2
# touch /www/file3
# ls -dZ /www
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /www
# ls -lZ /www
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
# ls -dZ /www
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /www
# ls -lZ /www
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3
# /sbin/restorecon -R -v /www
restorecon reset /www context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /www/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /www/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /www/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
# /usr/sbin/semanage fcontext -d "/www(/.*)?"
6. How to Delete SELinux Context
Let us see how to add and then remove an SELinux context rule.
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /test
The following entry gets added:
/etc/selinux/targeted/contexts/files/file_contexts.local:/test system_u:object_r:httpd_sys_content_t:s0
To delete the rule, pass the file or directory name to semanage fcontext -d:
# /usr/sbin/semanage fcontext -d file-name|directory-name
# /usr/sbin/semanage fcontext -d /test
# /usr/sbin/semanage fcontext -d "/www(/.*)?"
7. How to reset SELinux context recursively
Let us see how to reset the security context of files recursively. As with other commands, the -R option does this; we combine it with the -v option. The -r option is accepted as an alias for -R.
This resets the context of all the files in /var/www/html and of all files and folders in its subdirectories.
# restorecon -vR /var/www/html
restorecon reset /var/www/html/graph.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
# restorecon -vr /var/www/html
8. How to Save List of Files with Incorrect SELinux Context
This is handy if you are resetting the SELinux context of a large number of files and only want to see which files changed. The -v option alone only prints them on the screen.
To capture the list of files with an incorrect security context in a file, use the -o option, where o stands for output file.
In the below example, we are storing a list of files that got affected by the restorecon command in the change.log file.
# restorecon -vR -o change.log /var/www/html
restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/contact.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
As expected, change.log contains the list of affected files with their full paths, as shown below.
# cat change.log
/var/www/html/about.html
/var/www/html/contact.html
/var/www/html/index.html
9. How to restore SELinux context via input file
You can restore the security context of a list of files supplied in an input file. Consider that all the files in the /var/www/html directory have the wrong security context.
# ls -lZ
-rw-rw-r--. root root unconfined_u:object_r:user_home_t:s0 about.html
-rw-rw-r--. root root unconfined_u:object_r:user_home_t:s0 contact.html
-rw-rw-r--. root root unconfined_u:object_r:user_home_t:s0 index.html
Create input.txt containing one file per line, each with its absolute path.
# cat input.txt
/var/www/html/about.html
The -f option then restores the SELinux context of only the files listed in the input file, here about.html, as shown below.
# restorecon -vf input.txt
restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
Validate using the ls -lZ command.
# ls -lZ
-rw-rw-r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 about.html
-rw-rw-r--. root root unconfined_u:object_r:user_home_t:s0 contact.html
-rw-rw-r--. root root unconfined_u:object_r:user_home_t:s0 index.html
10. How to ignore files that do not exist
Let's say you have an input file like the one above with the entries below.
# cat input.txt
/var/www/html/about.html
/var/www/html/meeting.html
/var/www/html/directions.html
# restorecon -f input.txt
restorecon: lstat(/var/www/html/meeting.html) failed: No such file or directory
restorecon: lstat(/var/www/html/directions.html) failed: No such file or directory
You can use the -i option, where i stands for ignore, to suppress the "No such file or directory" errors for entries that do not exist.
# restorecon -if input.txt
11. How to Restore SELinux Context – DRY RUN
A dry run is really helpful before actually changing the SELinux context of files: with the -n option you can see which files would be changed without touching them. Combine it with the -v option to display the would-be changes on screen.
It performs all the checks but changes nothing.
# restorecon -nv /var/www/html/*
restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/contact.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
To confirm, check with ls -lZ and you will see that nothing has changed.
# ls -lZ /var/www/html
-rw-rw-r--. root root unconfined_u:object_r:user_home_t:s0 about.html
-rw-rw-r--. root root unconfined_u:object_r:user_home_t:s0 contact.html
-rw-rw-r--. root root unconfined_u:object_r:user_home_t:s0 index.html
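The dry run above, together with the point from examples 1 and 3 that a plain restorecon changes only the type portion of the context, can be turned into a small label-drift audit. The script below is an added example and not part of the original post: it parses constructed restorecon -nv output (SAMPLE_DRYRUN is made up here, not captured from a host) and reports only the files whose TYPE field would change; the function names are my own.

```sh
#!/bin/sh
# Constructed sample of `restorecon -nv` dry-run output (made up for this
# example, not captured from a real host). Each line has the shape shown
# on the page: restorecon reset <path> context <old>-><new>
# The third line mimics a -F run, where only the user part differs.
SAMPLE_DRYRUN='restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /www/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /etc/file2 context unconfined_u:object_r:etc_t:s0->system_u:object_r:etc_t:s0'

# Print the TYPE field (third colon-separated field) of a context string,
# e.g. unconfined_u:object_r:user_home_t:s0 gives user_home_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read dry-run lines on stdin and emit "path old_type new_type" for every
# file whose type would change. Lines where only user/role/level differ
# (as with -F) are skipped, matching what a plain restorecon run touches.
label_drift() {
    while IFS= read -r line; do
        case $line in
            'restorecon reset '*' context '*) ;;
            *) continue ;;
        esac
        rest=${line#"restorecon reset "}
        path=${rest%" context "*}
        change=${rest##*" context "}
        old_t=$(context_type "${change%%"->"*}")
        new_t=$(context_type "${change#*"->"}")
        if [ "$old_t" != "$new_t" ]; then
            printf '%s %s %s\n' "$path" "$old_t" "$new_t"
        fi
    done
}

# Number of files in the sample whose type has drifted from policy;
# anything above zero is worth a look before running restorecon for real.
drift_count() {
    printf '%s\n' "$SAMPLE_DRYRUN" | label_drift | wc -l | tr -d ' '
}
```

On a real host the same filter runs as restorecon -nvR /var/www/html | label_drift, which gives a quick picture of label drift without modifying anything.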
12. Monitor Restoring SELinux context change
The -p option is handy for monitoring the progress of a large SELinux context change, for example when relabeling all files under the /var directory.
# restorecon -pr /var
2k
This shows that 2k files have been processed so far.
Likewise, if you are resetting the SELinux context of every file on the system, the -p option shows the percentage completed so far.
Here is one bonus example.
How to exclude directory during Restoring SELinux Context
You can exclude a specific directory from processing with the -e option, where e means exclude.
Sample:
# restorecon -e /var/www/technical -Rv /var/www/
You can exclude as many directories as you want by repeating the -e option for each one, as shown below; use an absolute path for each excluded directory.
# restorecon -e /var/www/technical -e /var/www/xyz -Rv /var/www/
That's it about the restorecon command in Linux. We have gone through many examples. Please subscribe to our blog if you like our work, and share it in your social circle to help us reach the intended readers.