LinuxCommandLibrary

restorecon

Restore files' default SELinux security context

TLDR

View the current security context of a file or directory

$ ls [[-dlZ|--directory -l --context]] [path/to/file_or_directory]

Restore the security context of a file or directory
$ restorecon [path/to/file_or_directory]

Restore the security context of a directory recursively, and show all changed labels
$ restorecon -R -v [path/to/directory]

Restore the security context of a directory recursively, using all available threads, and show progress
$ restorecon -R -T [0] -p [path/to/directory]

Preview the label changes that would happen without applying them
$ restorecon -R -n -v [path/to/directory]

SYNOPSIS

restorecon [-R | -r] [-n] [-v] [-p] [-F] [-W] [-i] [-I | -D] [-m] [-x] [-e directory]... [-T nthreads] pathname...
restorecon [-R | -r] [-n] [-v] [-p] [-F] [-W] [-i] [-I | -D] [-m] [-x] [-e directory]... [-T nthreads] [-0] -f infilename

PARAMETERS

-R, -r
    Recursive operation.
Change the labels of files and directories recursively.

-n
    No-op mode (dry run).
Do not change any labels; only check them. Combine with -v to list the files whose labels would change.

-v
    Verbose output.
Show each label change as "Relabeled PATH from OLD to NEW" (or "Would relabel PATH from OLD to NEW" together with -n).

-p
    Show progress.
Print a progress indicator: a running count of files processed, or an approximate percentage when the whole OS is being relabeled. -p and -v are mutually exclusive.

-F
    Force a full reset of the context.
Replace the whole context, user, role and range as well as type, and also relabel files whose current type is listed in customizable_types. Without -F restorecon changes only the type portion of an existing context and leaves customizable types alone.

-i
    Ignore missing files.
Do not report an error for pathnames that do not exist.

-f infilename
    Read pathnames from a file.
infilename holds one pathname per line; use "-" to read the list from standard input.

-0
    NUL-separated input list.
With -f, pathnames in the input list are separated by NUL bytes instead of newlines (the format produced by find -print0).

-e directory
    Exclude a directory.
Skip the named directory and everything below it. Repeat the option to exclude more than one directory.

-x
    Stay on one filesystem.
Do not cross filesystem boundaries during a recursive walk.

-m
    Do not consult /proc/mounts.
By default restorecon reads /proc/mounts and excludes filesystems mounted without seclabel support from its checks. -m disables that exclusion, which is useful when a non-seclabel filesystem is mounted inside a seclabel one.

-W
    Warn on unmatched entries.
Display warnings about file_contexts entries that matched no file.

-I
    Ignore the stored digest.
Check every file even if the directory's stored SHA1 digest of the matching file_contexts entries indicates that nothing has changed since the last run.

-D
    Set or update directory digests.
Store the SHA1 digest of the matching file_contexts entries in an extended attribute on each directory (security.sehash in current releases) so that later runs can skip unchanged trees. See restorecon_xattr(8) for inspecting and clearing these digests.

-T nthreads
    Number of threads.
Use up to nthreads threads. 0 creates one thread per available CPU core; 1 (the default) runs single-threaded.

DESCRIPTION

restorecon restores the default SELinux security context of files and directories. SELinux (Security-Enhanced Linux) provides mandatory access control (MAC): every process and every filesystem object carries a security context of the form user:role:type[:range], stored for files in the security.selinux extended attribute, and the loaded policy decides which accesses between a process context and an object context are allowed. Files created by a confined process, moved into a directory with mv (which keeps the source file's label), or restored from a backup that did not preserve extended attributes can end up with a context the policy never intended for their path.

restorecon looks up each path in the policy's file_contexts specification and, if the current label differs, rewrites it. By default only the type portion of the context is changed and files whose type appears in the policy's customizable_types list are left alone; -F replaces the whole context. It is the same code as setfiles(8) but operates on the paths given on its command line instead of on whole filesystems. Typical uses are after package or policy upgrades, after copying data into a service's directory, and while troubleshooting AVC denials, where a file carrying the wrong type is the most common cause.

CAVEATS

Performance Impact: Running restorecon recursively on large filesystems (like /) can be very time-consuming and resource-intensive, especially on systems with many files. It's often better to target specific directories.

Incorrect Policy: restorecon relies on the installed SELinux policy and its file_contexts configuration. If these are incorrect or outdated, restorecon might apply wrong contexts, potentially leading to new access denied errors.

Misuse: restorecon reverts any label set by hand with chcon(1) back to what file_contexts prescribes, so an application that was made to work by labeling a directory with chcon can break after the next relabel. Make the intended label persistent with semanage fcontext instead, and preview with restorecon -Rnv before applying.

Interaction with semanage fcontext: rules added with semanage fcontext -a are written to file_contexts.local under /etc/selinux/<policy>/contexts/files/ and take precedence over the distribution's entries, so restorecon honors them and the custom label survives future relabels. Adding a rule changes nothing on disk by itself; restorecon must still be run on the affected paths.

Filesystems without per-file labels: restorecon works by writing the security.selinux extended attribute. On filesystems mounted with a context= option (a single label for the whole mount) and on pseudo-filesystems such as /proc and /sys, whose labels come from genfscon rules in the policy, individual files cannot be relabeled and restorecon skips or fails on them. Running processes are also out of scope: relabeling an executable affects only processes started afterwards, and relabeling a badly mislabeled root filesystem is best done at boot via /.autorelabel, before services start.
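The following POSIX shell script is an added example that ties the caveats above together; it is not code from the LinuxCommandLibrary page or from the SELinux project. It previews label drift with restorecon -Rnv, reduces the preview to a compact path/old-type/new-type report, pins a custom type with semanage fcontext instead of chcon (so the relabel does not undo it), and only then applies the relabel. The function names fcontext_pattern, parse_relabel_preview and audit_and_fix, and the variable SAMPLE_PREVIEW, are the example's own; the sample lines are constructed to mirror the "Would relabel PATH from OLD to NEW" format that restorecon -nv prints, not captured from a real host. On a machine without SELinux tooling the script falls back to parsing the constructed sample so the parsing logic can still be exercised.

```shell
#!/bin/sh
# Added example, not code from the restorecon(8) man page or the SELinux project.
# Audits a directory for SELinux label drift, pins a custom type persistently,
# and then relabels. Assumes the standard SELinux userspace tools restorecon(8),
# semanage(8) and getenforce(8); fcontext_pattern, parse_relabel_preview,
# audit_and_fix and SAMPLE_PREVIEW are this example's own names.

# Turn a literal directory path into the regular expression semanage fcontext
# expects. Regex metacharacters in the path are escaped so that "/srv/web.prod"
# does not also match "/srv/webXprod"; "(/.*)?" covers the directory itself and
# everything below it.
fcontext_pattern() {
    fc_dir=${1%/}                                # drop one trailing slash
    fc_escaped=$(printf '%s' "$fc_dir" | sed 's/[][^$.*+?(){}|]/\\&/g')
    printf '%s(/.*)?\n' "$fc_escaped"
}

# Reduce the preview output of `restorecon -Rnv DIR` to one tab-separated
# line per drifted file: path, current type, type the policy wants.
# Works from the ends of the line so paths containing spaces (or the words
# "from"/"to") are handled; contexts themselves never contain spaces.
parse_relabel_preview() {
    awk '
        /^Would relabel .* from .* to / {
            line = $0
            sub(/^Would relabel /, "", line)
            new = line; sub(/.* to /, "", new)       # text after the last " to "
            sub(/ to [^ ]*$/, "", line)
            old = line; sub(/.* from /, "", old)     # text after the last " from "
            sub(/ from [^ ]*$/, "", line)            # what remains is the path
            split(old, o, ":"); split(new, n, ":")   # user:role:type[:range]
            printf "%s\t%s\t%s\n", line, o[3], n[3]
        }'
}

# Constructed sample of what `restorecon -Rnv /var/www/html` prints after
# files were moved in from a home directory (not captured from a real host).
SAMPLE_PREVIEW='Would relabel /var/www/html/index.html from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/html/app/config.php from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:httpd_sys_content_t:s0'

# Preview label drift under DIR, optionally pin WANT_TYPE for that tree, then
# relabel. The fcontext rule is added before restorecon runs because a label
# set with chcon would be reverted by that very restorecon; a rule is not.
audit_and_fix() {
    dir=$1; want_type=${2:-}
    if ! command -v restorecon >/dev/null 2>&1 || [ "$(getenforce 2>/dev/null)" = "Disabled" ]; then
        echo "SELinux tooling unavailable here; showing the constructed sample" >&2
        printf '%s\n' "$SAMPLE_PREVIEW" | parse_relabel_preview
        return 0
    fi
    if [ -n "$want_type" ]; then
        pattern=$(fcontext_pattern "$dir")
        semanage fcontext -a -t "$want_type" "$pattern" 2>/dev/null \
            || semanage fcontext -m -t "$want_type" "$pattern"   # rule already existed
    fi
    restorecon -Rnv "$dir" | parse_relabel_preview   # 1. dry run: what would change
    restorecon -Rv "$dir"                            # 2. apply (type only; add -F for a full reset)
}

if [ -n "${1:-}" ]; then
    audit_and_fix "$@"
fi
```

Usage: `sh relabel.sh /var/www/html` previews and applies the policy's labels; `sh relabel.sh /srv/web.prod httpd_sys_content_t` first records a persistent rule for that tree. Running the dry run through parse_relabel_preview makes the report easy to diff in a cron job or CI step, where a non-empty output means something on the host has drifted from policy.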

HOW CONTEXTS ARE DETERMINED

restorecon asks libselinux to match each path against the file_contexts specification of the active policy: /etc/selinux/<policy>/contexts/files/file_contexts from the policy package, plus file_contexts.homedirs for home directories and file_contexts.local for rules added with semanage fcontext. Each entry is a regular expression on the path, an optional file-type qualifier (regular file, directory, symlink, and so on) and a context. When more than one entry matches, the more specific one wins and local additions take precedence over the distribution's entries; entries whose context is <<none>> mark paths restorecon must not touch. matchpathcon(8) prints the context this lookup yields for a path without changing anything, which is a quick way to see what a relabel would do to a single file.

/.AUTORELABEL AND FIXFILES

On systems with SELinux, creating an empty file named /.autorelabel in the root directory (touch /.autorelabel, or fixfiles onboot; fixfiles -F onboot additionally forces a full context reset) schedules a relabel of every labeled filesystem at the next boot. Early in that boot fixfiles runs setfiles/restorecon over the whole system before services start, removes the marker and reboots again. This is the right tool for a severely mislabeled system, for example after booting with SELinux disabled and creating files that received no labels, and it can take a long time on large filesystems.

CONTEXTS FOR NEW FILES

When a process creates a file, the kernel labels it without consulting file_contexts: the new context is derived from the creating process's context and the parent directory's context, adjusted by the policy's type_transition rules. A file moved into a directory with mv keeps the label it already had, while cp without --preserve=context produces a fresh file labeled by the kernel's rules. Either way the result can differ from what the path-based file_contexts rules prescribe, and restorecon brings such files back in line. restorecond(8) does the same automatically for a configured set of paths as files appear.

HISTORY

restorecon is part of the SELinux userspace tools (policycoreutils), developed alongside the SELinux kernel security module since the early 2000s, originally by the National Security Agency (NSA) and merged into Linux 2.6 in 2003 before being adopted by the major distributions. Its role is to keep filesystem labels consistent with policy, and its development has concentrated on doing that efficiently on large filesystems: recursive walks, exclusion of non-seclabel mounts, per-directory digests that let unchanged trees be skipped, and multi-threaded relabeling.

SEE ALSO

setfiles(8), chcon(1), semanage(8), semanage-fcontext(8), fixfiles(8), matchpathcon(8), restorecon_xattr(8), restorecond(8), selinux(8), getfattr(1)
