Bootstrap FreeKB - SELinux - Change context of a file or directory (chcon restorecon semanage)


The ls -Z command displays the SELinux context of a file or directory. In this example, the contexts of the files in the /var/www/html directory are displayed; the context of index.php is unconfined_u:object_r:httpd_sys_content_t:s0.

~]# ls -Z /var/www/html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0  index.php

 

An SELinux context has four colon-separated parts: SELinux user : role : type : level. For index.php in this example, unconfined_u is the SELinux user, object_r is the role, httpd_sys_content_t is the type, and s0 is the MLS/MCS level. Under the targeted policy, the type is the field that access decisions depend on, so it is the field the commands below change most often.

 


Create new directory

When a new directory is created, the kernel labels it from the type of its parent directory, adjusted by any type transition rules in the loaded policy. The files under /etc/selinux/targeted/contexts/files/ (file_contexts, file_contexts.local and file_contexts.homedirs) record the context each path is expected to have, and are what restorecon uses to relabel a path. For example, when the /home/JohnDoe/.ssh directory is created, it gets the ssh_home_t type.

~]# mkdir /home/JohnDoe/.ssh
~]# ls -Z /home/JohnDoe
drwxrwxr-x. JohnDoe JohnDoe unconfined_u:object_r:ssh_home_t:s0 .ssh

 

The expected context of the .ssh directory is recorded in the /etc/selinux/targeted/contexts/files/file_contexts.homedirs file, which contains the following rule (the rule's context is unconfined_u:object_r:ssh_home_t:s0; the first field is an SELinux user, not a type). Note that mkdir does not read this file: the directory received ssh_home_t at creation because the targeted policy contains a file name transition rule for .ssh under a home directory. The file_contexts files are consulted by the user-space labelling tools (restorecon, setfiles, matchpathcon), which is why they matter once a label has drifted from what the policy expects.

/home/[^/]+/\.ssh(/.*)? unconfined_u:object_r:ssh_home_t:s0

 


Create new file

When a new file is created, it inherits the SELinux type of its parent directory, unless the policy contains a type transition rule for that parent type and file name (as with .ssh above). For example, if the /srv/samba/share directory has the type samba_share_t, files created in /srv/samba/share will also have the type samba_share_t.


Copy or move file

Problems occur when files are copied or moved, and the two commands behave differently. A file created in the /etc directory will normally have the type etc_t. cp writes a new file at the destination, so by default the copy takes the type of the destination directory (cp --preserve=context or cp -a keeps the source context instead). mv keeps the same inode and therefore its label, so a file moved from /etc into /srv/samba/share keeps etc_t. The Samba policy allows smbd to access samba_share_t, not etc_t, so the client is refused and an AVC denial is logged (ausearch -m AVC -ts recent shows it). ls -Z on the destination directory makes the stray type obvious. There are a few ways to address this.

 


Temporarily change SELinux context

The chcon command changes the context stored on the file or directory itself, but does not record the change in the file-context rules. The change does survive a reboot; it is lost whenever the path is relabelled from the rules, that is, when restorecon is run on it, when the whole filesystem is relabelled (touch /.autorelabel followed by a reboot), or when the file is recreated. This is why chcon is considered temporary.

For example, to change the type of index.html to httpd_sys_content_t (-t changes only the type field; the user, role and level are kept):

~]# chcon -t httpd_sys_content_t index.html

 

To do the same for the /var/www/html directory and, with -R, everything beneath it:

~]# chcon -R -t httpd_sys_content_t /var/www/html

 


Restore SELinux context

The restorecon command resets a file or directory to the context the file-context rules specify (use -R for a directory tree and -v to print each change). By default it resets only the type; add -F to reset the SELinux user, role and level as well. Because it reads the rules rather than any previous value, it undoes any chcon that disagrees with them, which is what makes a rule-backed context "permanent".

 


Permanently change SELinux context

The most common way to permanently change the context of a file is to add a file-context rule for the directory that contains it, with a pattern ending in (/.*)? so that it covers the directory and everything beneath it, and then run restorecon -R on the directory so that the file and its siblings are relabelled from the new rule. A rule is required because restorecon sets labels from the rules, not from the parent directory.

However, if a single file needs a context that differs from its parent directory's, the semanage fcontext command can add a rule for that one path. For example, suppose /usr/local/foo.txt has the following SELinux context.

~]# ls -lZ /usr/local/foo.txt
-rw-rw-r--. JohnDoe JohnDoe unconfined_u:object_r:ssh_home_t:s0 /usr/local/foo.txt

 

Here is how you would change the SELinux type of /usr/local/foo.txt to usr_t. The path argument is a regular expression that semanage anchors at both ends, so this rule matches only that file.

  • The -a option adds a new file context (fcontext) rule for a path that has no local rule yet
  • The -m option modifies a rule that was already added with -a (running -a again for the same path fails with "File context for ... already defined")
~]# semanage fcontext -a -t usr_t /usr/local/foo.txt

 

If you also want to change the SELinux user, for example from unconfined_u to system_u, include both the user (-s) and the type (-t):

~]# semanage fcontext -a -s system_u -t usr_t /usr/local/foo.txt

 

At this point the rule has been recorded (it is written to /etc/selinux/targeted/contexts/files/file_contexts.local, and semanage fcontext -l -C lists such local additions), but the context of /usr/local/foo.txt itself has NOT changed.

~]# ls -lZ /usr/local/foo.txt
-rw-rw-r--. JohnDoe JohnDoe unconfined_u:object_r:ssh_home_t:s0 /usr/local/foo.txt

 

The restorecon command applies the rule to the file. -v prints the change, and -F is needed here because the SELinux user is being changed; without -F only the type would be reset and the user would stay unconfined_u.

~]# restorecon -vF /usr/local/foo.txt

 

Now the SELinux context of /usr/local/foo.txt is changed, and because the rule lives in the local policy store the context survives later restorecon runs and a full relabel.

~]# ls -lZ /usr/local/foo.txt
-rw-rw-r--. JohnDoe JohnDoe system_u:object_r:usr_t:s0 /usr/local/foo.txt
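To make the behaviour described in the sections above concrete, here is a small Python model, added for this page and not part of FreeKB, libselinux or any SELinux tool, that replays the scenarios from the sections on creating directories and files, copying versus moving, chcon, restorecon and semanage fcontext. It keeps labels in a dictionary and matches paths against a constructed file_contexts sample. The rule set, the precedence rule (last matching entry wins, with semanage's local entries appended last), the single .ssh file name transition and the omission of the file-type field of file_contexts are simplifications assumed for illustration.

```python
"""Toy model of where SELinux file labels come from: inheritance at creation, cp
versus mv, and chcon versus 'semanage fcontext' plus restorecon. Added here for
illustration; it is not libselinux. Precedence is simplified to 'last matching
regex wins' with semanage's local rules appended last; the file-type field is not modelled."""
import re

# Constructed sample in the file_contexts format: <regex> <context>
SAMPLE_FILE_CONTEXTS = r"""
/.*                         system_u:object_r:default_t:s0
/etc(/.*)?                  system_u:object_r:etc_t:s0
/usr(/.*)?                  system_u:object_r:usr_t:s0
/usr/local/bin(/.*)?        system_u:object_r:bin_t:s0
/srv/samba/share(/.*)?      system_u:object_r:samba_share_t:s0
/home/[^/]+/\.ssh(/.*)?     unconfined_u:object_r:ssh_home_t:s0
"""

def parse_file_contexts(text):
    """[(compiled regex, context)] in file order; blank and comment lines skipped."""
    rules = []
    for fields in (line.split() for line in text.splitlines()):
        if fields and not fields[0].startswith("#"):
            rules.append((re.compile(fields[0] + "$"), fields[1]))
    return rules

def default_context(path, rules):
    """Context restorecon/matchpathcon would assign, or None if no rule matches."""
    chosen = None
    for regex, ctx in rules:
        if regex.match(path):
            chosen = ctx        # a later (more specific) entry overrides an earlier one
    return chosen

def type_of(ctx):
    return ctx.split(":")[2]    # fields are user:role:type:level

class LabelModel:
    """Labels stored on inodes plus the rules user-space tools use to reset them."""
    # Constructed stand-in for the policy's file name transition rules, which the
    # kernel applies when an object is created: (parent type, new name) -> type.
    NAME_TRANSITIONS = {("user_home_dir_t", ".ssh"): "ssh_home_t"}
    def __init__(self, base_text):
        self.base_rules = parse_file_contexts(base_text)
        self.local_rules = []   # what 'semanage fcontext -a' records (file_contexts.local)
        self.labels = {}        # path -> context string
    def rules(self):
        return self.base_rules + self.local_rules   # local entries come last, so they win
    def create(self, path, user="unconfined_u"):
        """mkdir/touch: the kernel copies the parent's type unless a transition applies."""
        parent, name = path.rsplit("/", 1)
        parent_type = type_of(self.labels[parent or "/"])
        new_type = self.NAME_TRANSITIONS.get((parent_type, name), parent_type)
        self.labels[path] = f"{user}:object_r:{new_type}:s0"
    def cp(self, src, dst):
        self.create(dst)                            # cp writes a new inode under dst's parent
    def mv(self, src, dst):
        self.labels[dst] = self.labels.pop(src)     # mv keeps the inode, label included
    def chcon(self, path, type_):
        u, r, _, l = self.labels[path].split(":", 3)
        self.labels[path] = f"{u}:{r}:{type_}:{l}"  # rewrites the label only; no rule
    def restorecon(self, path, force=False):
        """Relabel from the rules; only the type is reset unless force (restorecon -F)."""
        default = default_context(path, self.rules())
        if default is not None and force:
            self.labels[path] = default
        elif default is not None:
            self.chcon(path, type_of(default))
        return self.labels[path]
    def semanage_fcontext(self, regex, type_, user="system_u"):
        """semanage fcontext -a [-s user] -t type regex; a duplicate spec is refused."""
        if any(r.pattern == regex + "$" for r, _ in self.local_rules):
            raise ValueError(f"File context for {regex} already defined")  # use -m instead
        self.local_rules.append((re.compile(regex + "$"), f"{user}:object_r:{type_}:s0"))

def walkthrough():
    """Replay the article's scenarios; returns the label observed after each step."""
    m = LabelModel(SAMPLE_FILE_CONTEXTS)
    m.labels.update({"/": "system_u:object_r:root_t:s0", "/etc": "system_u:object_r:etc_t:s0",
                     "/usr/local": "system_u:object_r:usr_t:s0",
                     "/srv/samba/share": "system_u:object_r:samba_share_t:s0",
                     "/home/JohnDoe": "unconfined_u:object_r:user_home_dir_t:s0"})
    out = {}
    m.create("/home/JohnDoe/.ssh")                          # name transition -> ssh_home_t
    out["ssh_dir"] = m.labels["/home/JohnDoe/.ssh"]
    m.create("/etc/share.conf")                             # inherits etc_t from /etc
    m.cp("/etc/share.conf", "/srv/samba/share/copied.conf")  # new inode -> samba_share_t
    m.mv("/etc/share.conf", "/srv/samba/share/moved.conf")   # keeps etc_t: smbd is denied
    out["copied"] = m.labels["/srv/samba/share/copied.conf"]
    out["moved"] = m.labels["/srv/samba/share/moved.conf"]
    out["moved_fixed"] = m.restorecon("/srv/samba/share/moved.conf")
    m.create("/usr/local/foo.txt")
    m.chcon("/usr/local/foo.txt", "ssh_home_t")              # temporary: no rule backs it
    out["after_chcon"] = m.labels["/usr/local/foo.txt"]
    m.semanage_fcontext("/usr/local/foo.txt", "usr_t")      # persistent: recorded as a rule
    out["after_restorecon"] = m.restorecon("/usr/local/foo.txt")
    out["after_restorecon_F"] = m.restorecon("/usr/local/foo.txt", force=True)
    return out
```

walkthrough() returns the label after each step: the copied file gets samba_share_t while the moved one keeps etc_t until restorecon is run, the ssh_home_t set with chcon disappears at the next restorecon, and the user field only becomes system_u with force=True (restorecon -F), matching the ls -lZ output on this page. default_context() can also be called directly to see which of several overlapping rules wins for a path.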

 







Comments


May 19 2021 by pissedofflinuxwanabeadmin
Doesn't work as advertised on RHEL 8. selinux is a nightmare. Set permissive, reboot and never lose another night sleep over it.

May 20 2021 by Jeremy (moderator)
Yep, I'm also finding differences in Red Hat 8 distros that are making life oh so fun. When I have a moment I'll get this article updated for RHEL 8.

June 22 2022 by Kevin
Hello, I am trying to get httpd to write to /var/log/httpd; however, it is throwing SELinux errors:
SELinux is preventing systemd from read access on the file /var/log/httpd/httpd.pid
The context: system_u:object_r:httpd_log_t:s0
I believe the user context should be unconfined_u, and I have attempted to change it using:
semanage fcontext -a -s unconfined_u -t httpd_log_t httpd
This gives the following:
ValueError: File context for httpd already defined
At this point I cannot start Apache without disabling SELinux. I'm certainly not an SELinux expert. Hoping you might have some ideas. Thank you!

June 23 2022 by Jeremy (moderator)
Kevin - When I have issues like you describe with a file, the first thing I try to do is to ensure the SELinux context of the parent directory is set correctly, and then use restorecon and try again.
