restorecond

Start the restorecond daemon

$ sudo restorecond

$ sudo restorecond -v

$ sudo restorecond -d

$ sudo restorecond -f [restorecond_file]

$ sudo systemctl status restorecond

$ sudo systemctl enable restorecond --now

restorecond [-d] [-f restorecondfile_] [-u] [-v]

restorecond is an SELinux daemon that monitors file creation events using inotify and automatically restores proper SELinux security contexts to newly created files. This is useful for directories where files are frequently created with incorrect contexts by applications that don't set contexts properly.
The daemon reads its configuration from /etc/selinux/restorecond.conf, which lists files and directories to watch. When a file matching the configuration is created or modified, restorecond applies the correct context based on SELinux policy.

-d

Debug mode; run in foreground with verbose output

Use alternate configuration file instead of /etc/selinux/restorecond.conf

Watch user home directory (~) for file creation

Verbose mode; show restoration events

Force mode; do not check device numbers

/etc/selinux/restorecond.conf

Lists file paths and directories to watch for creation events. One path per line; created files matching these paths have their SELinux contexts automatically restored.

Per-user watch list used when restorecond runs with the -u flag to monitor the user's home directory.

Requires SELinux to be enabled in enforcing or permissive mode. Must be run as root. Only watches paths specified in the configuration file. Uses inotify, so kernel must have inotify support compiled in.

Part of policycoreutils, the SELinux policy core utilities package developed by Red Hat. Created to address the issue of applications creating files with incorrect security contexts, which could cause access denials under SELinux.

restorecon(8), semanage-fcontext(8), semanage(8)