1. Restore SELinux Context of a File
In the example below, the index.html file has "user_home_t" as the type in its SELinux context. This is wrong, and Apache will not be able to serve the file; with this security context you'll see "permission denied" in Apache's error_log.
Note: The -Z (uppercase Z) option in the above ls command displays the SELinux context of each file.
When using the restorecon command, we don't have to know the correct original security context of the file. restorecon figures that out for us automatically from the default file contexts defined in the SELinux policy.
The following example restores the security context of index.html to the proper value. As you see below, it has reset the type portion of the SELinux context to "httpd_sys_content_t", which is the correct type. Now Apache will be able to serve this file without any error.
2. Display Security Context Change on Screen
By default, when you execute the restorecon command, it will not tell you whether it changed the file's SELinux security context. The -v option (v stands for verbose) displays the previous security context and the newly set SELinux context on the screen, as shown below.
3. Use wildcard to Process Multiple Objects
This will affect all the files ending with the .html extension in the current directory.
This will affect all the files under the current directory.
This will affect all the files under the /var/www/html directory.
This will affect all the files ending with .htm, .html, or .htm followed by any other single character.
4. Process Files and Directories Recursively
You can also reset the security context of files recursively with the -R option, as shown below. Here we combine -R with the -v option. This will reset the context of all the files in /var/www/html and under its subdirectories.
You can also use lowercase -r for recursive. The following is exactly the same as the above command.
5. Save List of Files with Incorrect SELinux Context
When you are resetting the SELinux context for a large set of files and are interested only in the files that actually changed, you can use the -v option as previously explained. But that only displays them on the screen. If you want to capture the list of files with an incorrect security context in an output file, use the -o option (o stands for output file). In the following example, we store the list of files affected by the restorecon command in the changed.log file.
As expected, the changed.log file will contain the list of affected file names with their full paths, as shown below.
6. Restore Context Based on Input File
You can restore the security context of a list of files supplied in an input file. In the following, all these files under the /var/www/html directory currently have the wrong security context.
Create an input.txt file as shown below, containing only two files. Specify the full path of each file, including the directory.
To pass this input file to restorecon, use the -f option as shown below. This will change the SELinux context for only about.html and data.html, as shown below.
Use the ls -lZ command to verify that only those two files' security contexts have changed.
Note: Instead of specifying input.txt, you can also specify - (a single hyphen), which reads the list of input files from standard input.
7. Ignore Files that Don't Exist
Below we have created an input.txt that contains a list of several files. We'll use this list to reset their security context.
But, as shown below, restorecon displays an error message when a particular file in the above list is not present.
To avoid this, use the -i option (i stands for ignore). As you see below, the same command with the -i option doesn't give any of the above error messages about the missing file. It simply ignores the missing files and moves on with the rest of the files in input.txt.
8. Perform Only a Dry-Run of Restoring the SELinux Context
Instead of really changing the SELinux context of the files, you can just view which files would potentially be changed by using the -n option. The -n option is like a dry run: restorecon goes through all the motions of executing, but doesn't actually change anything. As you see below, we've executed restorecon with the -n option on all the files under the /var/www/html directory.
Even though the above restorecon output shows that the SELinux context of several files changed, it didn't really do anything, since we used the -n option. When you run ls -lZ as shown below, you can see that the SELinux context was not actually changed.
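The verbose output described in section 2 and the dry run in this section are easiest to audit when parsed rather than read line by line. Here is an added example (not from the original article) that parses restorecon -nv output into per-file type changes and summarises which incorrect types are present; the sample lines and the two output line formats it matches are assumptions, constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `restorecon -nv /var/www/html` output, not taken from
# the page. The "restorecon reset ... context OLD->NEW" shape is the classic
# format; newer policycoreutils print "Relabeled PATH from OLD to NEW". Both
# shapes are assumptions here; check them against your own system's output.
SAMPLE_OUTPUT = """\
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/about.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/cgi-bin/form.cgi from unconfined_u:object_r:admin_home_t:s0 to system_u:object_r:httpd_sys_script_exec_t:s0
"""

LINE_FORMATS = (
    re.compile(r"^restorecon reset (?P<path>.+?) context (?P<old>\S+)->(?P<new>\S+)$"),
    re.compile(r"^Relabeled (?P<path>.+?) from (?P<old>\S+) to (?P<new>\S+)$"),
)


def parse_context(ctx):
    """Split 'user:role:type:level' into fields; the MLS level may itself contain ':'."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_dry_run(output):
    """Return {path: (old_type, new_type)} for every relabel restorecon reported."""
    changes = {}
    for line in output.splitlines():
        for pattern in LINE_FORMATS:
            m = pattern.match(line)
            if m:
                old = parse_context(m["old"])["type"]
                new = parse_context(m["new"])["type"]
                changes[m["path"]] = (old, new)
                break
    return changes


def wrong_type_summary(changes):
    """Count files per incorrect type; many user_home_t hits usually mean content
    was copied or moved from a home directory without being relabeled."""
    return Counter(old for old, _ in changes.values())


if __name__ == "__main__":
    changes = parse_dry_run(SAMPLE_OUTPUT)
    for path, (old, new) in sorted(changes.items()):
        print(f"{path}: {old} -> {new}")
    print(dict(wrong_type_summary(changes)))
```

Pipe a real dry run into it (restorecon -nRv /var/www/html > dryrun.log) before running the relabel for real; the summary tells you whether the wrong labels came from one cause or many.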
9. Display Current Progress during Big Operation
When you are restoring the SELinux context of many files, the command might take some time. If you want to know what the command is currently doing, you can use the -p option (p stands for progress). The -p option displays the number of files processed so far, in increments of 1000 files.
This shows that, as of now, 2k files (2000 files) have been processed.
10. Exclude Directories from Processing
Exclude a directory from processing using the -e option (e stands for exclude). In the following example, we process all the files under the /var/www/html directory but exclude the files in the /var/www/html/sales sub-directory.
Please note that you should use the full path of the directory in the -e option. If not, you'll get the following error message.
You can also exclude multiple directories by providing the -e option multiple times, as shown below. The following excludes both the sales and marketing directories from processing.