5.6.2. Persistent Changes: semanage fcontext
The semanage fcontext command is used to change the SELinux context of files. When using targeted policy, changes are written to files located in the /etc/selinux/targeted/contexts/files/ directory:

- The file_contexts file specifies default contexts for many files, as well as contexts updated via semanage fcontext.
- The file_contexts.local file stores contexts for newly created files and directories not found in file_contexts.

Two utilities read these files. The setfiles utility is used when a file system is relabeled, and the restorecon utility restores the default SELinux contexts. This means that changes made by semanage fcontext are persistent, even if the file system is relabeled. SELinux policy controls whether users are able to modify the SELinux context for any given file.
Quick Reference
To make SELinux context changes that survive a file system relabel:

- Run the semanage fcontext -a options file-name|directory-name command, remembering to use the full path to the file or directory.
- Run the restorecon -v file-name|directory-name command to apply the context changes.
Procedure 5.7. Changing a File's or Directory's Type

The following example demonstrates changing a file's type, and no other attributes of the SELinux context. This example works the same for directories, for instance if file1 was a directory.

- As the Linux root user, run the touch /etc/file1 command to create a new file. By default, newly-created files in the /etc/ directory are labeled with the etc_t type:

~]# ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1

Use the ls -dZ directory_name command to list information about a directory.

- As the Linux root user, run the semanage fcontext -a -t samba_share_t /etc/file1 command to change the file1 type to samba_share_t. The -a option adds a new record, and the -t option defines a type (samba_share_t). Note that running this command does not directly change the type; file1 is still labeled with the etc_t type:

~]# semanage fcontext -a -t samba_share_t /etc/file1
~]# ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1

The semanage fcontext -a -t samba_share_t /etc/file1 command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local:

/etc/file1 unconfined_u:object_r:samba_share_t:s0

- As the Linux root user, run the restorecon -v /etc/file1 command to change the type. Because the semanage command added an entry to file_contexts.local for /etc/file1, the restorecon command changes the type to samba_share_t:

~]# restorecon -v /etc/file1
restorecon reset /etc/file1 context unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0
Procedure 5.8. Changing a Directory and its Contents' Types

The following example demonstrates creating a new directory, and changing the directory's file type (along with its contents) to a type used by Apache HTTP Server. The configuration in this example is used if you want Apache HTTP Server to use a different document root (instead of /var/www/html/):

- As the Linux root user, run the mkdir /web command to create a new directory, and then the touch /web/file{1,2,3} command to create 3 empty files (file1, file2, and file3). The /web/ directory and files in it are labeled with the default_t type:

~]# ls -dZ /web
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
~]# ls -lZ /web
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3

- As the Linux root user, run the semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" command to change the type of the /web/ directory and the files in it, to httpd_sys_content_t. The -a option adds a new record, and the -t option defines a type (httpd_sys_content_t). The "/web(/.*)?" regular expression causes the semanage command to apply changes to the /web/ directory, as well as the files in it. Note that running this command does not directly change the type; /web/ and files in it are still labeled with the default_t type:

~]# ls -dZ /web
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
~]# ls -lZ /web
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3

The semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local:

/web(/.*)? system_u:object_r:httpd_sys_content_t:s0

- As the Linux root user, run the restorecon -R -v /web command to change the type of the /web/ directory, as well as all files in it. The -R option is for recursive, which means all files and directories under the /web/ directory are labeled with the httpd_sys_content_t type. Since the semanage command added an entry to file_contexts.local for /web(/.*)?, the restorecon command changes the types to httpd_sys_content_t:

~]# restorecon -R -v /web
restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

Note that by default, newly-created files and directories inherit the SELinux type of their parent directories.
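Before relabeling a tree, an administrator usually wants to review what restorecon would change; restorecon -R -v -n reports the changes without applying them. The script below is an added example, not part of the Red Hat guide: it summarizes verbose restorecon output of the form shown above into one "path old_type new_type" line per file. The sample output embedded in it is constructed from the lines in this procedure; paths containing spaces are not handled, which is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the guide): review what a verbose restorecon run
# changed, or would change when run with -n, one file per line.

# Constructed sample output, in the format that restorecon -v prints.
SAMPLE_OUTPUT='restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0'

# summarize_relabel: reads restorecon -v lines on stdin and prints
# "PATH OLD_TYPE NEW_TYPE" for each reset line; other lines are skipped.
# The type is the third colon-separated field of an SELinux context
# (user:role:type:level), so only that field is shown for old and new.
summarize_relabel() {
    awk '$1 == "restorecon" && $2 == "reset" && $4 == "context" {
        split($5, ctx, "->")      # ctx[1] = old context, ctx[2] = new context
        split(ctx[1], old, ":")
        split(ctx[2], new, ":")
        print $3, old[3], new[3]
    }'
}

# count_changes: reads restorecon -v lines on stdin and prints how many
# files had (or would have) their context reset.
count_changes() {
    summarize_relabel | wc -l | tr -d ' '
}

# Usage on a live system (assumed invocation, not run here):
#   restorecon -R -v -n /web | summarize_relabel
# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_OUTPUT" | summarize_relabel
```

Reviewing the summary before running restorecon without -n makes it obvious when a pattern such as "/web(/.*)?" reaches files you did not intend to relabel, because every affected path and its old and new type appear in the output.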
Procedure 5.9. Deleting an added Context

The following example demonstrates adding and removing an SELinux context. If the context is part of a regular expression, for example, /web(/.*)?, use quotation marks around the regular expression:

~]# semanage fcontext -d "/web(/.*)?"

- To remove the context, as the Linux root user, run the semanage fcontext -d file-name|directory-name command, where file-name|directory-name is the first part in file_contexts.local. The following is an example of a context in file_contexts.local:

/test system_u:object_r:httpd_sys_content_t:s0

With the first part being /test. To prevent the /test/ directory from being labeled with the httpd_sys_content_t type after running restorecon, or after a file system relabel, run the following command as the Linux root user to delete the context from file_contexts.local:

~]# semanage fcontext -d /test

- As the Linux root user, use the restorecon utility to restore the default SELinux context.
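Both Procedure 5.8 (adding an entry whose first part is a regular expression) and Procedure 5.9 (deleting an entry by its first part) turn on which paths a file_contexts.local entry covers. The script below is an added example, not part of the Red Hat guide: it checks a candidate expression against sample paths and looks up the context that a small constructed file_contexts.local would give a path. It assumes, as semanage and restorecon do, that the expression must match the whole path, which is emulated with ^ and $ anchors in grep -E; it also assumes that when several entries match, the last one listed is used, and it ignores the optional file-type field that real entries may carry between the path and the context.

```shell
#!/bin/sh
# Added example (not from the guide): check what a semanage fcontext
# regular expression covers before adding or deleting it.

# fcontext_matches REGEX PATH -> exit status 0 if PATH is covered by REGEX.
# Assumption: the expression is anchored to the whole path, as in
# file_contexts, so ^ and $ are added around it here.
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# Constructed file_contexts.local content: one "regex context" per line,
# mirroring the entries shown in Procedures 5.7 and 5.8.
LOCAL_ENTRIES='/etc/file1 unconfined_u:object_r:samba_share_t:s0
/web(/.*)? system_u:object_r:httpd_sys_content_t:s0'

# lookup_context PATH -> prints the context of the last entry that matches
# PATH, or "none" when no entry covers it (the last-match rule is an
# assumption of this example).
lookup_context() {
    path=$1
    result=none
    while read -r regex ctx; do
        [ -z "$regex" ] && continue
        if fcontext_matches "$regex" "$path"; then
            result=$ctx
        fi
    done <<EOF
$LOCAL_ENTRIES
EOF
    printf '%s\n' "$result"
}

# type_of CONTEXT -> the type field (third colon-separated field).
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Show which sample paths the /web pattern reaches. /website is included
# to demonstrate that the anchored expression stops at the path component.
for p in /web /web/ /web/file1 /web/sub/dir /website /etc/file1; do
    if fcontext_matches '/web(/.*)?' "$p"; then
        printf '%-14s covered   -> %s\n' "$p" "$(type_of "$(lookup_context "$p")")"
    else
        printf '%-14s not covered -> %s\n' "$p" "$(type_of "$(lookup_context "$p")")"
    fi
done
```

Running the check before semanage fcontext -a shows that "/web(/.*)?" covers /web itself and everything below it but not a sibling such as /website, and running it before semanage fcontext -d confirms which first part to pass so the right entry is removed.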
Refer to the semanage(8) manual page for further information about semanage.

Important

When changing the SELinux context with semanage fcontext -a, use the full path to the file or directory to avoid files being mislabeled after a file system relabel, or after the restorecon command is run.