{"id":25388,"date":"2017-10-15T17:59:03","date_gmt":"2017-10-15T12:29:03","guid":{"rendered":"https:\/\/www.wikitechy.com\/technology\/?p=25388"},"modified":"2017-10-15T17:59:03","modified_gmt":"2017-10-15T12:29:03","slug":"10-linux-restorecon-command-examples-restore-selinux-context","status":"publish","type":"post","link":"https:\/\/www.wikitechy.com\/technology\/10-linux-restorecon-command-examples-restore-selinux-context\/","title":{"rendered":"10 Linux restorecon Command Examples to Restore SELinux Context"},"content":{"rendered":"<p>Restorecon stands for &#8220;Restore SELinux Context&#8221;. The restorecon command resets the SELinux security context of files and directories to its default values. This will only reset the type attribute of the SELinux context.<\/p>\n<p>On your Linux server, having the proper SELinux security context for files and directories is very important. When you add a custom file to a directory that is already managed by SELinux policy, and your custom file doesn\u2019t have the proper SELinux context, you will not get the expected result.<\/p>\n<p>In this tutorial, we\u2019ll explain how to use the restorecon command with some practical examples.<\/p>\n<h3 id=\"1-restore-selinux-context-of-a-file\">1. Restore SELinux Context of a File<\/h3>\n<p>In the following example, the index.html file has \u201cuser_home_t\u201d as the type in its SELinux context. This is wrong, and apache will not be able to serve this file. With this security context, you\u2019ll see permission denied in the apache error_log.<\/p>\n<pre># cd \/var\/www\/html\r\n\r\n# ls -lZ index.html \r\n-rw-rw-r--. centos centos unconfined_u:object_r:<strong>user_home_t<\/strong>:s0 index.html\r\n<\/pre>\n<p>Note: The Z (uppercase Z) option in the above ls command will display the SELinux context for a particular file.<\/p>\n<p>The following example will restore the security context of index.html to the proper value. 
As you see below, it has reset the type portion of the SELinux context to \u201chttpd_sys_content_t\u201d. This is the correct type. Now, apache will be able to serve this file without any error.<\/p>\n<pre># restorecon index.html\r\n\r\n# ls -lZ index.html \r\n-rw-rw-r--. centos centos unconfined_u:object_r:<strong>httpd_sys_content_t<\/strong>:s0 index.html\r\n<\/pre>\n<h3 id=\"2-display-security-context-change-on-screen\">2. Display Security Context Change on Screen<\/h3>\n<p>By default, when you execute the restorecon command, it will not tell you whether it changed the file\u2019s SELinux security context.<\/p>\n<p>v stands for verbose. The -v option will display on the screen the previous security context and the newly changed SELinux context as shown below.<\/p>\n<pre># restorecon -v index.html \r\nrestorecon reset \/var\/www\/html\/index.html context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\n<\/pre>\n<h3 id=\"3-use-wildcard-to-process-multiple-objects\">3. Use Wildcards to Process Multiple Objects<\/h3>\n<p>Just like any other Linux command, you can also use wildcards for filenames as shown below.<\/p>\n<p>This will affect all the files ending with the .html extension in the current directory.<\/p>\n<pre>restorecon -v *.html\r\n<\/pre>\n<p>This will affect all the files under the current directory.<\/p>\n<pre>restorecon -v *\r\n<\/pre>\n<p>This will affect all the files under \/var\/www\/html directory.<\/p>\n<pre>restorecon -v \/var\/www\/html\/*\r\n<\/pre>\n<p>This will affect all the files ending with either .htm (or) .html (or) .htm with any other single character at the end.<\/p>\n<pre>restorecon -v *.htm?\r\n<\/pre>\n<h3 id=\"4-process-files-and-directories-recursively\">4. Process Files and Directories Recursively<\/h3>\n<p>You can also reset the security context of the files recursively. Use the -R option as shown below. 
Here we are combining the R and v options.<\/p>\n<p>This will reset the context of all the files in \/var\/www\/html and under its subdirectories.<\/p>\n<pre># restorecon -vR \/var\/www\/html\r\nrestorecon reset \/var\/www\/html\/sales\/graph.html context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\n<\/pre>\n<p>You can also use lower-case r for recursive. The following is exactly the same as the above command.<\/p>\n<pre># restorecon -vr \/var\/www\/html\r\n<\/pre>\n<h3 id=\"5-save-list-of-files-with-incorrect-selinux-context\">5. Save List of Files with Incorrect SELinux Context<\/h3>\n<p>When you are resetting the SELinux context for a large set of files and want to see only the changed files, you can use the -v option as previously explained. But, this will only display them on the screen.<\/p>\n<p>If you want to capture the list of files with incorrect security context in an output file, use the -o option.<\/p>\n<p>o stands for output file.<\/p>\n<p>In the following example, we are storing the list of files that got affected by the restorecon command in the changed.log file.<\/p>\n<pre># restorecon -vR -o changed.log \/var\/www\/html\r\nrestorecon reset \/var\/www\/html\/about.html context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\nrestorecon reset \/var\/www\/html\/contact.html context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\nrestorecon reset \/var\/www\/html\/data.html context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\nrestorecon reset \/var\/www\/html\/index.html context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\nrestorecon reset \/var\/www\/html\/sales context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\nrestorecon reset \/var\/www\/html\/sales\/graph.html context 
unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\n<\/pre>\n<p>As expected, the changed.log file will contain the list of affected filenames along with their full paths as shown below.<\/p>\n<pre># cat changed.log\r\n\/var\/www\/html\/about.html\r\n\/var\/www\/html\/contact.html\r\n\/var\/www\/html\/data.html\r\n\/var\/www\/html\/index.html\r\n\/var\/www\/html\/sales\r\n\/var\/www\/html\/sales\/graph.html\r\n<\/pre>\n<h3 id=\"6-restore-context-based-on-input-file\">6. Restore Context Based on Input File<\/h3>\n<p>You can also restore the security context of a list of files that you have from an input file.<\/p>\n<p>In the following, under the \/var\/www\/html directory, all these files currently have the wrong security context.<\/p>\n<pre># ls -lZ\r\n-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 about.html\r\n-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 contact.html\r\n-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 data.html\r\n-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 index.html\r\ndrwxrwxr-x. centos centos unconfined_u:object_r:user_home_t:s0 sales\r\n<\/pre>\n<p>Create an input.txt file as shown below, which will have only two files. Here you should specify the full path of each filename, including the directory.<\/p>\n<pre># cat input.txt\r\n\/var\/www\/html\/about.html\r\n\/var\/www\/html\/data.html\r\n<\/pre>\n<p>To specify this input file in the restorecon, use the -f option as shown below. 
This will change the SELinux context for only about.html and data.html as shown below.<\/p>\n<pre># restorecon -vf input.txt \r\nrestorecon reset \/var\/www\/html\/about.html context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\nrestorecon reset \/var\/www\/html\/data.html context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\n<\/pre>\n<p>Use the ls -lZ command to verify that the security context is changed for only those two files.<\/p>\n<pre># ls -lZ\r\n-rw-rw-r--. centos centos unconfined_u:object_r:httpd_sys_content_t:s0 about.html\r\n-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 contact.html\r\n-rw-rw-r--. centos centos unconfined_u:object_r:httpd_sys_content_t:s0 data.html\r\n-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 index.html\r\n-rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_content_t:s0 input.txt\r\ndrwxrwxr-x. centos centos unconfined_u:object_r:user_home_t:s0 sales\r\n<\/pre>\n<p>Note: Instead of specifying input.txt, you can also specify - (a hyphen), which will ask for the list of input files from the standard input.<\/p>\n<h3 id=\"7-ignore-files-that-doesnt-exist\">7. Ignore Files that Don\u2019t Exist<\/h3>\n<p>In the following example, we have created an input.txt which contains a list of several files. We\u2019ll use this list to reset the security context.<\/p>\n<pre># cat input.txt \r\n\/var\/www\/html\/about.html\r\n\/var\/www\/html\/meeting.html\r\n\/var\/www\/html\/directions.html\r\n\/var\/www\/html\/data.html\r\n<\/pre>\n<p>But, as shown below, this will display an error message when a particular file in the above list is not present.<\/p>\n<pre># restorecon -f input.txt\r\nrestorecon:  lstat(\/var\/www\/html\/meeting.html) failed:  No such file or directory\r\nrestorecon:  lstat(\/var\/www\/html\/directions.html) failed:  No such file or directory\r\n<\/pre>\n<p>To avoid this, you can use the -i option. 
i stands for ignore. As you see below, the following command with the -i option doesn\u2019t give any of the above error messages about the missing files. This will simply ignore those missing files and move on with the rest of the files in the input.txt.<\/p>\n<pre># restorecon -if input.txt\r\n#\r\n<\/pre>\n<h3 id=\"8-perform-only-dry-run-of-restore-selinux-context\">8. Perform only Dry-Run of Restore SELinux Context<\/h3>\n<p>Instead of really changing the SELinux context of the files, you can just view what files might potentially get changed by using the -n option.<\/p>\n<p>The -n option is like a dry-run.<\/p>\n<p>When you use this, it will go through all the motions of executing the restorecon command, but will not really do anything.<\/p>\n<p>As you see below, we\u2019ve executed restorecon with the -n option on all the files under the \/var\/www\/html directory.<\/p>\n<pre># restorecon -nv \/var\/www\/html\/*\r\nrestorecon reset \/var\/www\/html\/about.html context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\nrestorecon reset \/var\/www\/html\/contact.html context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\nrestorecon reset \/var\/www\/html\/data.html context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\nrestorecon reset \/var\/www\/html\/index.html context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\nrestorecon reset \/var\/www\/html\/sales context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\n<\/pre>\n<p>Even though the above restorecon output shows that the SELinux context for several files was changed, it didn\u2019t really do anything, as we used the -n option.<\/p>\n<p>When you do the ls -lZ as shown below, you can see that the SELinux context was not really changed.<\/p>\n<pre># ls -lZ \/var\/www\/html\r\n-rw-rw-r--. 
centos centos unconfined_u:object_r:user_home_t:s0 about.html\r\n-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 contact.html\r\n-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 data.html\r\n-rw-rw-r--. centos centos unconfined_u:object_r:user_home_t:s0 index.html\r\ndrwxrwxr-x. centos centos unconfined_u:object_r:user_home_t:s0 sales\r\n<\/pre>\n<h3 id=\"9-display-current-progress-during-big-operation\">9. Display Current Progress during Big Operation<\/h3>\n<p>When you are restoring the SELinux context of several files, the command might take some time. If you want to know what the command is currently doing, you can use the -p option.<\/p>\n<p>The -p option will display the number of files it has processed so far in increments of 1000 files. p stands for progress.<\/p>\n<p>As you see below, here I\u2019m resetting the SELinux context of all the files under the \/var directory recursively with the -p option.<\/p>\n<p>This shows that as of now, 2k files (2000 files) are processed.<\/p>\n<pre># restorecon -pr \/var\r\n2k\r\n<\/pre>\n<p>Note: If you are resetting the SELinux context for all the files in your operating system using the -p option, it will show the percentage complete currently.<\/p>\n<h3 id=\"10-exclude-directories-to-be-processed\">10. Exclude Directories to be Processed<\/h3>\n<p>You can also exclude a directory from being processed using the -e option. 
e stands for Exclude.<\/p>\n<p>In the following example, we are processing all the files under the \/var\/www\/html directory, but excluding the files from the \/var\/www\/html\/sales sub-directory.<\/p>\n<pre># restorecon -e \/var\/www\/html\/sales -Rv \/var\/www\/html\r\nrestorecon reset \/var\/www\/html\/about.html context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\nrestorecon reset \/var\/www\/html\/contact.html context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\nrestorecon reset \/var\/www\/html\/data.html context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\nrestorecon reset \/var\/www\/html\/index.html context unconfined_u:object_r:user_home_t:s0-&gt;unconfined_u:object_r:httpd_sys_content_t:s0\r\n<\/pre>\n<p>Please note that you should use the full path of the directory in the -e option. If not, you\u2019ll get the following error message.<\/p>\n<pre># restorecon -e sales -Rv \/var\/www\/html\r\nFull path required for exclude: sales.\r\n<\/pre>\n<p>You can also exclude multiple directories by providing multiple -e options as shown below.<\/p>\n<p>The following will exclude both the sales and marketing directories from processing.<\/p>\n<pre>restorecon -e \/var\/www\/html\/sales -e \/var\/www\/html\/marketing -Rv \/var\/www\/html<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Restorecon stands for &#8220;Restore SELinux Context&#8221; &#8211; LINUX &#8211; restorecon command will reset the SELinux security context for files and 
directories.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,1699],"tags":[73017,73029,73023,73016,73025,73018,73026,73019,73014,73024,73021,73027,73015,73022,73028,73020],"class_list":["post-25388","post","type-post","status-publish","format-standard","hentry","category-coding","category-linux","tag-centos-restorecon-command-examples","tag-chcon-command","tag-chcon-example","tag-learn-selinux","tag-man-restorecon","tag-redhat-restorecon-command","tag-restorecon-not-working","tag-restorecon-type-attribute","tag-selinux-administration","tag-selinux-change-unconfined_u-to-system_u","tag-selinux-commands","tag-selinux-context-types","tag-selinux-examples","tag-selinux-restorecon","tag-semanage-fcontext","tag-ubuntu-restorecon-command"],"_links":{"self":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts\/25388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/comments?post=25388"}],"version-history":[{"count":0,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts\/25388\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/media?parent=25388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/categories?post=25388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/tags?post=25388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]
}}