restorecon

Restore the security context of a file

Supplementary instructions

restorecon command is used to restore SELinux file attributes, that is, restore the security context of the file.

grammar

restorecon [-iFnrRv] [-e excludedir ] [-o filename ] [-f filename | pathname...]

Options

-i: Ignore files that do not exist.
-f: infilename The file to be processed is recorded in the file infilename.
-e:directory exclude directory.
-R/-r: Process directories recursively.
-n: Do not change file labels.
-o/outfilename: Save the file list to outfilename in case the file is incorrect.
-v: Display the process on the screen.
-F: Forces restoration of file security context.

Example

Assume that Apache is installed on CentOS and the default home directory of the web page is /var/www/html. We often encounter this problem. We create a web page file in another directory and then use mv to move it to the default web page directory /var /www/html, but this file cannot be opened in the browser. This is probably because the SELinux configuration information of this file inherits the original directory, which is different from the /var/www/html directory. Use When mv is moved, the SELinux configuration information is also moved together, resulting in the page being unable to be opened. Please see the following example for details:

Using CentOS as an example, if apache is not installed by default, ensure network connection and use the following command to install it.

[root@jsdig.com ~]# yum install httpd
  # We create a new html file in the root home directory
[root@jsdig.com ~]# pwd
/root

[root@jsdig.com ~]# vi index.html

# Enter any text, save and exit
welcome to www.jsdig.com

# Move this file mv to the default directory of the web page
[root@jsdig.com ~]# mv index.html /var/www/html/

#
# At this time, we used the firefox browser to enter 127.0.0.1/index.html and found that it could not be opened.
# Check the SELinux log file and find the following error message. It is not difficult to see from this error message,
# The process httpd is blocked by SELinux when accessing index.html in the home directory of the web page. The reason is that the SELinux configuration information is incorrect.
# The correct SELinux configuration information should be the part after scontext=,
# The SELinux configuration information of the index.html file is the part after tcontext=.
# It is not difficult to see from the third paragraph "admin_home_t" of tcontext= that the SELinux configuration information of this file is the root user's home directory.
#
type=AVC msg=audit(1378974214.610:465): avc: denied { open } for pid=2359 comm="httpd" path="/var/www/html/index.html" dev="sda1" ino=1317685 scontext =system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

It can also be seen by using ls -Z that the SELinux information of the file and directory does not match.

[root@jsdig.com html]# ls -Z /var/www/html/
.... unconfined_u:object_r:admin_home_t:s0 index.html

[root@jsdig.com html]# ls -Zd /var/www/html/
.... system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

Use restorecon to restore the SELinux configuration information of all files in the home directory of the web page (if the target is a directory, you can add the -R parameter recursively)

[root@jsdig.com html]# restorecon -R /var/www/html/