What is SELinux Restorecon?

This manual page describes the restorecon program. This program is primarily used to set the security context (extended attributes) on one or more files. It can be run at any time to correct errors, to add support for new policy, or with the -n option it can just check whether the file contexts are all as you expect.

What is an SELinux context?

The SELinux context contains additional information such as SELinux user, role, type, and level. Access control decisions on processes, Linux users, and files are based on this context information.

Where are SELinux contexts stored?

The SELinux file contexts are stored in the “root” directory. To access this directory, you must have root user privileges. In other words, you must run this command with “sudo”, just as we did.

How to change SELinux context in restorecon command?

The input file should list the full path of each file, including its directory. To pass this input file to restorecon, use the -f option as shown below. This changes the SELinux context for only about.html and data.html. Use the ls -lZ command to verify that only those two files' security contexts were changed.

When do I need to run restorecon in Linux?

It can be run at any time to correct errors, to add support for new policy, or with the -n option it can just check whether the file contexts are all as you expect. If a file object does not have a context, restorecon will write the default context to the file object’s extended attributes.

What does restorecon do if a file does not have a context?

If a file object does not have a context, restorecon will write the default context to the file object’s extended attributes. If a file object has a context, restorecon will only modify the type portion of the security context. The -F option will force a replacement of the entire context.

How to restore SELinux to the full path?

In the following example, we are processing all the files under the /var/www/html directory, but excluding the files under the /var/www/html/sales sub-directory. Please note that you must give the full path of the directory in the -e option.
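The following is an added example, not part of the original page: a small POSIX shell script that first runs restorecon with -n to report label drift under /var/www/html (excluding /var/www/html/sales via -e, as above), parses the report into file, current type and expected type, and only relabels when APPLY=1. It assumes the "Would relabel PATH from CTX to CTX" line format printed by recent policycoreutils builds; the sample output embedded below is constructed, and the real pass requires root.

```shell
#!/bin/sh
# Added example: audit SELinux label drift with a restorecon dry run (-n),
# then relabel only on request. Assumes the "Would relabel ... from ... to ..."
# verbose output format of recent restorecon; older builds word it differently.
RESTORECON=${RESTORECON:-restorecon}

# Dry-run report for DIR, skipping EXCL (a full path, as -e requires).
dry_run() {
    dir=$1; excl=$2
    "$RESTORECON" -n -v -R -e "$excl" "$dir"
}

# Read dry-run output on stdin; print "path current_type expected_type"
# for every file whose label differs from policy. Context fields are
# user:role:type:level, so the type is the third colon-separated field.
drift_report() {
    while IFS= read -r line; do
        case $line in
            "Would relabel "*)
                rest=${line#Would relabel }
                path=${rest%% from *}
                ctx=${rest#* from }
                from=${ctx%% to *}; to=${ctx#* to }
                printf '%s %s %s\n' "$path" \
                    "$(printf '%s' "$from" | cut -d: -f3)" \
                    "$(printf '%s' "$to" | cut -d: -f3)"
                ;;
        esac
    done
}

# Number of files the dry run would relabel (stdin = dry-run output).
drift_count() { drift_report | wc -l | tr -d ' '; }

# Audit DIR; print the drift table, and relabel only when APPLY=1.
audit() {
    dir=$1; excl=$2
    report=$(dry_run "$dir" "$excl" | drift_report)
    if [ -z "$report" ]; then echo "no drift under $dir"; return 0; fi
    printf '%s\n' "$report"
    if [ "${APPLY:-0}" = 1 ]; then "$RESTORECON" -v -R -e "$excl" "$dir"; fi
}

# Constructed sample of dry-run output (not captured from a real system).
SAMPLE='Would relabel /var/www/html/about.html from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/html/data.html from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:httpd_sys_content_t:s0'
printf '%s\n' "$SAMPLE" | drift_count   # prints 2
```

On a real host, `audit /var/www/html /var/www/html/sales` shows the drift and `APPLY=1 audit /var/www/html /var/www/html/sales` applies it; note that without -F only the type portion is replaced, as the page explains.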