LinuxCommandLibrary

restorecond

Restore SELinux file contexts automatically

TLDR

Start the restorecond daemon
$ sudo restorecond

Run restorecond in [v]erbose mode to see restoration events
$ sudo restorecond -v

Run restorecond in [d]ebug mode
$ sudo restorecond -d

Use alternative restorecond.conf file
$ sudo restorecond -f restorecond_file

Check the status of the restorecond service
$ sudo systemctl status restorecond

Enable restorecond to start at boot
$ sudo systemctl enable restorecond --now

SYNOPSIS

restorecond [-dvhS] [-f configfile]

PARAMETERS

-d
    Run in debug mode, preventing the daemon from detaching from the controlling terminal. This is useful for troubleshooting.

-v
    Enable verbose output, providing more detailed information about the daemon's operations and actions.

-h
    Display a brief help message and exit.

-S
    Enable systemd socket activation. When this option is used, restorecond listens on sockets passed by systemd, allowing for on-demand daemon startup.

-f configfile
    Specify an alternate configuration file path instead of the default /etc/selinux/restorecond.conf.

DESCRIPTION

The restorecond command launches a daemon that actively monitors specified file system paths for the creation of new files and directories. Its primary purpose is to ensure that these newly created entries automatically receive the correct SELinux security contexts as defined by the system's policy or custom rules.

Many applications and services create files dynamically. Without restorecond, these new files might inherit an incorrect or default context, potentially leading to SELinux access denials or security vulnerabilities. By continuously watching for changes using inotify mechanisms, restorecond invokes the underlying restorecon utility to apply the appropriate context based on rules specified in its configuration file, typically /etc/selinux/restorecond.conf. This ensures that the SELinux policy remains consistent even with dynamic content, enhancing overall system security and stability.

CAVEATS

restorecond is effective only when SELinux is enabled and enforcing on the system. Incorrectly configured rules in /etc/selinux/restorecond.conf can lead to files receiving wrong contexts, potentially causing application failures or system instability. Over-monitoring very busy or extensive file system paths might introduce performance overhead. It primarily applies contexts based on the default file contexts; custom policy modules might require additional SELinux management tools.

CONFIGURATION FILE

The behavior of restorecond is primarily governed by its configuration file, typically located at /etc/selinux/restorecond.conf. This file contains rules that specify which file system paths to monitor and how to apply contexts to newly created files or directories within those paths. Rules can be defined to match specific file types or apply different contexts based on patterns, giving administrators fine-grained control over dynamic context assignment.

SELINUX CONTEXTS

An SELinux context (or security context) is a label associated with every file, process, and port on an SELinux-enabled system. It comprises a user, role, type, and sensitivity (e.g., unconfined_u:object_r:httpd_sys_content_t:s0). restorecond ensures that new files are assigned the correct type component of this label, which dictates what actions processes are permitted to perform on those files, thereby enforcing mandatory access control policies.
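As an added illustration (not code from this page or from the SELinux project), the following Python model ties the DESCRIPTION, CONFIGURATION FILE and SELINUX CONTEXTS sections together: it decides what restorecond would do when a new file appears in a watched path. The one-entry-per-line layout with '~' standing for each home directory follows the daemon's real configuration file, but the entries, the file_contexts specs and the glob/regex matching are constructed, simplified stand-ins for inotify and libselinux.

```python
import fnmatch
import re

# Constructed sample of restorecond.conf: one path/glob per line, '~' = each home dir.
RESTORECOND_CONF = """\
/etc/resolv.conf
~/public_html/*
"""
# Constructed file_contexts specs as (regex, context); the last matching spec wins,
# which is how restorecon resolves overlapping entries.
FILE_CONTEXTS = [
    (r"/.*", "system_u:object_r:default_t:s0"),
    (r"/etc(/.*)?", "system_u:object_r:etc_t:s0"),
    (r"/etc/resolv\.conf", "system_u:object_r:net_conf_t:s0"),
    (r"/home/[^/]+/public_html(/.*)?", "system_u:object_r:httpd_user_content_t:s0"),
]

def parse_restorecond_conf(text, home_dirs):
    """Expand the config into concrete watch patterns ('~' once per home dir)."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("~"):
            patterns.extend(home + line[1:] for home in home_dirs)
        else:
            patterns.append(line)
    return patterns

def default_context(path):
    """Policy default for path: the last matching file_contexts spec wins."""
    matches = [ctx for regex, ctx in FILE_CONTEXTS if re.fullmatch(regex, path)]
    return matches[-1] if matches else None

def on_create(path, current, patterns):
    """Model restorecond's decision for a new inode -> (action, resulting context).
    Only the type is reset (restorecon's default without -F); unwatched paths keep
    the label they inherited, which is the gap the CAVEATS section describes."""
    if not any(fnmatch.fnmatchcase(path, p) for p in patterns):
        return "ignored", current
    wanted = default_context(path)
    if wanted is None:          # relative or unmatched path: nothing to apply
        return "unchanged", current
    user, role, cur_type, level = current.split(":", 3)
    new_type = wanted.split(":")[2]
    if new_type == cur_type:
        return "unchanged", current
    return "relabeled", ":".join((user, role, new_type, level))
```

A file written into /etc inherits etc_t from its parent directory; the model shows restorecond correcting /etc/resolv.conf to net_conf_t while leaving an unwatched /etc/hosts exactly as it was created.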

SYSTEMD INTEGRATION

On modern Linux distributions, restorecond is typically managed as a systemd service (e.g., restorecond.service). This allows for reliable startup during boot, restart on failure, and integration with systemd's socket activation capabilities (via the -S option), which can defer daemon startup until network requests or specific events occur, optimizing resource usage.

HISTORY

restorecond emerged as a crucial component of the SELinux ecosystem to address a specific challenge: ensuring proper security contexts for dynamically created files. While utilities like restorecon could apply contexts manually or during system re-labeling, a daemon was needed to continuously monitor and adjust contexts in real-time without user intervention. Its development reflects the ongoing effort to automate and simplify SELinux management, particularly in modern Linux environments where services frequently generate or modify content.
