Search

5.6.2. Persistent Changes: semanage fcontext

download PDF
The semanage fcontext command is used to change the SELinux context of files. When using targeted policy, changes are written to files located in the /etc/selinux/targeted/contexts/files/ directory:
  • The file_contexts file specifies default contexts for many files, as well as contexts updated via semanage fcontext.
  • The file_contexts.local file stores contexts to newly created files and directories not found in file_contexts.
Two utilities read these files. The setfiles utility is used when a file system is relabeled and the restorecon utility restores the default SELinux contexts. This means that changes made by semanage fcontext are persistent, even if the file system is relabeled. SELinux policy controls whether users are able to modify the SELinux context for any given file.

Quick Reference

To make SELinux context changes that survive a file system relabel:
  1. Run the semanage fcontext -a options file-name|directory-name command, remembering to use the full path to the file or directory.
  2. Run the restorecon -v file-name|directory-name command to apply the context changes.

Procedure 5.7. Changing a File's or Directory 's Type

The following example demonstrates changing a file's type, and no other attributes of the SELinux context. This example works the same for directories, for instance if file1 was a directory.
  1. As the Linux root user, run the touch /etc/file1 command to create a new file. By default, newly-created files in the /etc/ directory are labeled with the etc_t type:
    ~]# ls -Z /etc/file1
    -rw-r--r--  root root unconfined_u:object_r:etc_t:s0       /etc/file1
    
    Use the ls -dZ directory_name command to list information about a directory.
  2. As the Linux root user, run the semanage fcontext -a -t samba_share_t /etc/file1 command to change the file1 type to samba_share_t. The -a option adds a new record, and the -t option defines a type (samba_share_t). Note that running this command does not directly change the type; file1 is still labeled with the etc_t type:
    ~]# semanage fcontext -a -t samba_share_t /etc/file1
    ~]# ls -Z /etc/file1 
    -rw-r--r--  root root unconfined_u:object_r:etc_t:s0       /etc/file1
    
    The semanage fcontext -a -t samba_share_t /etc/file1 command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local:
    /etc/file1    unconfined_u:object_r:samba_share_t:s0
    
  3. As the Linux root user, run the restorecon -v /etc/file1 command to change the type. Because the semanage command added an entry to file_contexts.local for /etc/file1, the restorecon command changes the type to samba_share_t:
    ~]# restorecon -v /etc/file1
    restorecon reset /etc/file1 context unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0
    

Procedure 5.8. Changing a Directory and its Contents Types

The following example demonstrates creating a new directory, and changing the directory's file type (along with its contents) to a type used by Apache HTTP Server. The configuration in this example is used if you want Apache HTTP Server to use a different document root (instead of /var/www/html/):
  1. As the Linux root user, run the mkdir /web command to create a new directory, and then the touch /web/file{1,2,3} command to create 3 empty files (file1, file2, and file3). The /web/ directory and files in it are labeled with the default_t type:
    ~]# ls -dZ /web
    drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
    ~]# ls -lZ /web 
    -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
    -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
    -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
    
  2. As the Linux root user, run the semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" command to change the type of the /web/ directory and the files in it, to httpd_sys_content_t. The -a option adds a new record, and the -t option defines a type (httpd_sys_content_t). The "/web(/.*)?" regular expression causes the semanage command to apply changes to the /web/ directory, as well as the files in it. Note that running this command does not directly change the type; /web/ and files in it are still labeled with the default_t type:
    ~]# ls -dZ /web
    drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
    ~]# ls -lZ /web 
    -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
    -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
    -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
    
    The semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local:
    /web(/.*)?    system_u:object_r:httpd_sys_content_t:s0
    
  3. As the Linux root user, run the restorecon -R -v /web command to change the type of the /web/ directory, as well as all files in it. The -R is for recursive, which means all files and directories under the /web/ directory are labeled with the httpd_sys_content_t type. Since the semanage command added an entry to file.contexts.local for /web(/.*)?, the restorecon command changes the types to httpd_sys_content_t:
    ~]# restorecon -R -v /web
    restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
    restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
    restorecon reset /web/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
    restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
    
    Note that by default, newly-created files and directories inherit the SELinux type of their parent directories.

Procedure 5.9. Deleting an added Context

The following example demonstrates adding and removing an SELinux context. If the context is part of a regular expression, for example, /web(/.*)?, use quotation marks around the regular expression:
~]# semanage fcontext -d "/web(/.*)?"
  1. To remove the context, as the Linux root user, run the semanage fcontext -d file-name|directory-name command, where file-name|directory-name is the first part in file_contexts.local. The following is an example of a context in file_contexts.local:
    /test    system_u:object_r:httpd_sys_content_t:s0
    
    With the first part being /test. To prevent the /test/ directory from being labeled with the httpd_sys_content_t after running restorecon, or after a file system relabel, run the following command as the Linux root user to delete the context from file_contexts.local:
    ~]# semanage fcontext -d /test
  2. As the Linux root user, use the restorecon utility to restore the default SELinux context.
Refer to the semanage(8) manual page for further information about semanage.

Important

When changing the SELinux context with semanage fcontext -a, use the full path to the file or directory to avoid files being mislabeled after a file system relabel, or after the restorecon command is run.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.