LinuxCommandLibrary

restorecon

Restore files' default SELinux security context

TLDR

View the current security context of a file or directory

$ ls [[-dlZ|--directory -l --context]] [path/to/file_or_directory]

Restore the security context of a file or directory
$ restorecon [path/to/file_or_directory]

Restore the security context of a directory recursively, and show all changed labels
$ restorecon -R -v [path/to/directory]

Restore the security context of a directory recursively, using all available threads, and show progress
$ restorecon -R -T [0] -p [path/to/directory]

Preview the label changes that would happen without applying them
$ restorecon -R -n -v [path/to/directory]

SYNOPSIS

restorecon [options] pathname...

PARAMETERS

-n
    Do not make any changes; just report what would be changed.

-v
    Be verbose.

-f file
    Read the list of files to be relabeled from file.

-e directory
    Exclude directory from processing.

-F
    Force relabeling even if the file context matches.

-i
    Ignore missing files. Useful when restoring from a backup.

-r
    Recursively operate on directories.

-R
    Same as -r.

-T
    Only display files whose type is incorrect.

-C
    Check if the file context is correct but don't change it.

-d
    Use file capabilities to calculate context for the file.

-x
    Display file context before and after the change.

-0
    Read the list of files to be relabeled from standard input, separated by null characters.

-h
    Display help message.

DESCRIPTION

The restorecon command is a tool used in SELinux (Security-Enhanced Linux) systems to set or restore the security context of files. SELinux uses security contexts, which include user, role, type, and level, to enforce mandatory access control (MAC) policies. restorecon ensures that files have the correct security context defined by the system's policy. It's essential for maintaining system security and preventing unauthorized access.

Typically, restorecon reads its configuration from the files under /etc/selinux/<policy>/contexts/files/, which define the desired security contexts for different file types and locations. When a file's security context deviates from this definition, restorecon will modify it.

It is commonly used after file creation, modification, or system updates to ensure the new or modified files are appropriately labeled. Running restorecon on a regular basis as part of a system maintenance routine can also help detect and correct any labeling errors that may have occurred.
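
An added example (not from the original page): a shell helper that groups the dry-run output of `restorecon -R -n -v` by type change, so label drift can be reviewed before anything is relabeled. It assumes the "Would relabel PATH from OLD to NEW" line format printed by current restorecon versions; the names `drift_summary` and `sample_output` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Summarize label drift reported by a restorecon dry run (-n changes nothing).
# Assumption: each reported file appears as
#   Would relabel PATH from OLD_CONTEXT to NEW_CONTEXT

# Reads dry-run output on stdin, prints "COUNT old_type -> new_type" lines,
# most frequent first.
drift_summary() {
    awk '
        # Parse from the end of the line: contexts never contain spaces,
        # but PATH may, so fixed field positions from the left are unsafe.
        NF >= 6 && $1 == "Would" && $2 == "relabel" &&
        $(NF-3) == "from" && $(NF-1) == "to" {
            split($(NF-2), oldc, ":")   # user:role:type:level[:categories]
            split($NF, newc, ":")
            count[oldc[3] " -> " newc[3]]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample of `restorecon -R -n -v /var/www` output, including a
# path with a space and a context with an MLS category range.
sample_output() {
cat <<'EOF'
Would relabel /var/www/html/index.html from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/html/my report.html from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/html/upload.tmp from system_u:object_r:tmp_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/html/data from system_u:object_r:var_t:s0:c0.c1023 to system_u:object_r:httpd_sys_content_t:s0
EOF
}

# On an SELinux host (as root): restorecon -R -n -v /var/www | drift_summary
sample_output | drift_summary
```

An unexpected source type in the summary (for example many files labeled `user_home_t` under a service directory) usually points to files moved rather than copied into place, which is worth understanding before running the relabel without `-n`.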

CAVEATS

restorecon requires root privileges to modify security contexts. Incorrect usage can lead to system instability or security breaches. Ensure that the targeted paths are correct and that you understand the implications of relabeling before executing the command.

COMMON USAGE EXAMPLES

To restore the security context of a single file:
restorecon /path/to/file

To recursively restore the security context of a directory:
restorecon -r /path/to/directory

To show verbose output:
restorecon -v /path/to/file

To only check whether the file context is correct, without changing it:
restorecon -C /path/to/file

HISTORY

restorecon was developed as part of the SELinux project to provide a mechanism for restoring the correct security contexts to files. Its initial development was closely tied to the introduction of SELinux into Linux distributions. As SELinux matured, restorecon has become an integral part of system administration workflows for managing file security contexts.

SEE ALSO

chcon(1), semanage(8), setfiles(8)
