restorecon
Restore files' default SELinux security context
TLDR
View the current security context of a file or directory
Restore the security context of a file or directory
Restore the security context of a directory recursively, and show all changed labels
Restore the security context of a directory recursively, using all available threads, and show progress
Preview the label changes that would happen without applying them
SYNOPSIS
restorecon [options] pathname...
PARAMETERS
-n
Do not make any changes; just report what would be changed.
-v
Be verbose.
-f file
Read the list of files to be relabeled from file.
-e directory
Exclude directory from processing.
-F
Force relabeling even if the file context matches.
-i
Ignore missing files. Useful when restoring from a backup.
-r
Recursively operate on directories.
-R
Same as -r.
-T
Only display files whose type is incorrect.
-C
Check if the file context is correct but don't change it.
-d
Use file capabilities to calculate context for the file.
-x
Display file context before and after the change.
-0
Read the list of files to be relabeled from standard input, separated by null characters.
-h
Display help message.
DESCRIPTION
The restorecon command is a tool used on SELinux (Security-Enhanced Linux) systems to set or restore the security context of files. SELinux uses security contexts, which include user, role, type, and level, to enforce mandatory access control (MAC) policies. restorecon ensures that files have the correct security context defined by the system's policy. It's essential for maintaining system security and preventing unauthorized access.
Typically, restorecon reads its configuration from the files under /etc/selinux/<policy>/contexts/files/, which define the desired security contexts for different file types and locations. When a file's security context deviates from this definition, restorecon will modify it.
It is commonly used after file creation, modification, or system updates to ensure the new or modified files are appropriately labeled. Running restorecon on a regular basis as part of a system maintenance routine can also help detect and correct any labeling errors that may have occurred.
CAVEATS
restorecon requires root privileges to modify security contexts. Incorrect usage can lead to system instability or security breaches. Ensure that the targeted paths are correct and that you understand the implications of relabeling before executing the command.
COMMON USAGE EXAMPLES
To restore the security context of a single file: restorecon /path/to/file
To recursively restore the security context of a directory: restorecon -r /path/to/directory
To produce verbose output: restorecon -v /path/to/file
To only check whether the file context is correct, without changing it: restorecon -C /path/to/file
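The preview mode described above (-n with -v) pairs well with a summary step before any labels are changed. The script below is an added example, not part of the original page or of the SELinux tools: summarize_drift and sample_preview are hypothetical names, the sample lines are constructed, and the parser assumes the "Would relabel PATH from OLD to NEW" wording printed by current policycoreutils releases.

```shell
#!/bin/sh
# Summarize a restorecon dry run by SELinux type transition, so unexpected
# label drift can be reviewed before anything is relabeled.
# Real use (as root): restorecon -R -n -v /srv/www | summarize_drift
# Assumption: preview lines read "Would relabel PATH from OLD to NEW";
# older releases word this line differently and would be counted as 0.

summarize_drift() {
    awk '
    NF >= 6 && $1 == "Would" && $2 == "relabel" &&
    $(NF-3) == "from" && $(NF-1) == "to" {
        # Contexts are taken from the end of the line, so paths that
        # contain spaces do not shift the fields.
        split($(NF-2), old, ":")
        split($NF, new, ":")
        # In user:role:type:level the third component is the type.
        count[old[3] " -> " new[3]]++
        total++
    }
    END {
        for (k in count) printf "%d %s\n", count[k], k
        printf "total %d\n", total + 0
    }' | LC_ALL=C sort
}

# Constructed sample of dry-run output (not captured from a real system).
sample_preview() {
    cat <<'EOF'
Would relabel /srv/www/index.html from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /srv/www/my notes.html from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /srv/www/cgi-bin/app from system_u:object_r:var_t:s0 to system_u:object_r:httpd_sys_script_exec_t:s0
EOF
}

# Demonstration on the constructed sample; prints one line per transition.
sample_preview | summarize_drift
```

A transition that moves files out of a type you did not expect to see on that tree is worth investigating before running the same command without -n.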
HISTORY
restorecon was developed as part of the SELinux project to provide a mechanism for restoring the correct security contexts to files. Its initial development was closely tied to the introduction of SELinux into Linux distributions. As SELinux matured, restorecon became an integral part of system administration workflows for managing file security contexts.