5.7.2. Persistent Changes: semanage fcontext

The /usr/sbin/semanage fcontext command changes the SELinux context for files. When using targeted policy, changes made with this command are added to the /etc/selinux/targeted/contexts/files/file_contexts file if the changes are to files that exist in file_contexts, or are added to file_contexts.local for new files and directories, such as creating a /web/ directory. setfiles, which is used when a file system is relabeled, and /sbin/restorecon, which restores the default SELinux contexts, read these files. This means that changes made by /usr/sbin/semanage fcontext are persistent, even if the file system is relabeled. SELinux policy controls whether users are able to modify the SELinux context for any given file.
To make SELinux context changes that survive a file system relabel:

- Run the /usr/sbin/semanage fcontext -a options file-name|directory-name command, remembering to use the full path to the file or directory.
- Run the /sbin/restorecon -v file-name|directory-name command to apply the context changes.
The following example demonstrates changing a file's type, and no other attributes of the SELinux context:

- As the Linux root user, run the touch /etc/file1 command to create a new file. By default, newly-created files in the /etc/ directory are labeled with the etc_t type:

    # ls -Z /etc/file1
    -rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1

- As the Linux root user, run the /usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1 command to change the file1 type to samba_share_t. The -a option adds a new record, and the -t option defines a type (samba_share_t). Note that running this command does not directly change the type; file1 is still labeled with the etc_t type:

    # /usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1
    # ls -Z /etc/file1
    -rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1

  The /usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1 command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local:

    /etc/file1 unconfined_u:object_r:samba_share_t:s0

- As the Linux root user, run the /sbin/restorecon -v /etc/file1 command to change the type. Since the semanage command added an entry to file_contexts.local for /etc/file1, the /sbin/restorecon command changes the type to samba_share_t:

    # /sbin/restorecon -v /etc/file1
    restorecon reset /etc/file1 context unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0

- As the Linux root user, run the rm -i /etc/file1 command to remove file1.
- As the Linux root user, run the /usr/sbin/semanage fcontext -d /etc/file1 command to remove the context added for /etc/file1. When the context is removed, running restorecon changes the type to etc_t, rather than samba_share_t.
The following example demonstrates creating a new directory and changing that directory's file type to a type used by Apache HTTP Server:

- As the Linux root user, run the mkdir /web command to create a new directory. This directory is labeled with the default_t type:

    # ls -dZ /web
    drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web

  The ls -d option makes ls list information about a directory, rather than its contents, and the -Z option makes ls display the SELinux context (in this example, unconfined_u:object_r:default_t:s0).

- As the Linux root user, run the /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web command to change the /web/ type to httpd_sys_content_t. The -a option adds a new record, and the -t option defines a type (httpd_sys_content_t). Note that running this command does not directly change the type; /web/ is still labeled with the default_t type:

    # /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web
    # ls -dZ /web
    drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web

  The /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local:

    /web unconfined_u:object_r:httpd_sys_content_t:s0

- As the Linux root user, run the /sbin/restorecon -v /web command to change the type. Since the semanage command added an entry to file_contexts.local for /web, the /sbin/restorecon command changes the type to httpd_sys_content_t:

    # /sbin/restorecon -v /web
    restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

  By default, newly-created files and directories inherit the SELinux type of their parent folders. When using this example, and before removing the SELinux context added for /web/, files and directories created in the /web/ directory are labeled with the httpd_sys_content_t type.

- As the Linux root user, run the /usr/sbin/semanage fcontext -d /web command to remove the context added for /web/.
- As the Linux root user, run the /sbin/restorecon -v /web command to restore the default SELinux context.
The following example demonstrates creating a new directory, and changing the directory's file type (along with its contents) to a type used by Apache HTTP Server. The configuration in this example is used if you want Apache HTTP Server to use a different document root (instead of /var/www/html/):

- As the Linux root user, run the mkdir /web command to create a new directory, and then the touch /web/file{1,2,3} command to create 3 empty files (file1, file2, and file3). The /web/ directory and the files in it are labeled with the default_t type:

    # ls -dZ /web
    drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
    # ls -lZ /web
    -rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
    -rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
    -rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3

- As the Linux root user, run the /usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" command to change the type of the /web/ directory and the files in it to httpd_sys_content_t. The -a option adds a new record, and the -t option defines a type (httpd_sys_content_t). The "/web(/.*)?" regular expression causes the semanage command to apply changes to the /web/ directory, as well as the files in it. Note that running this command does not directly change the type; /web/ and the files in it are still labeled with the default_t type:

    # ls -dZ /web
    drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
    # ls -lZ /web
    -rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
    -rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
    -rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3

  The /usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local:

    /web(/.*)? system_u:object_r:httpd_sys_content_t:s0

- As the Linux root user, run the /sbin/restorecon -R -v /web command to change the type of the /web/ directory, as well as all files in it. The -R option is for recursive, which means all files and directories under the /web/ directory are labeled with the httpd_sys_content_t type. Since the semanage command added an entry to file_contexts.local for /web(/.*)?, the /sbin/restorecon command changes the types to httpd_sys_content_t:

    # /sbin/restorecon -R -v /web
    restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
    restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
    restorecon reset /web/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
    restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

  By default, newly-created files and directories inherit the SELinux type of their parents. In this example, files and directories created in the /web/ directory will be labeled with the httpd_sys_content_t type.

- As the Linux root user, run the /usr/sbin/semanage fcontext -d "/web(/.*)?" command to remove the context added for "/web(/.*)?".
- As the Linux root user, run the /sbin/restorecon -R -v /web command to restore the default SELinux contexts.
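The entries that semanage fcontext writes to file_contexts.local are regular expressions that restorecon and setfiles match against full paths, so a useful check before a relabel is to compare each path's current type with the type its matching entry specifies: any difference is a file that restorecon would reset. The POSIX shell script below is an added example and is not part of the Red Hat guide. It runs offline on constructed sample data embedded in the script (a two-entry file_contexts.local fragment and an ls -Z style listing), anchors each regular expression with ^ and $ the way libselinux does, and assumes, as a simplification of libselinux's precedence rules, that when several entries match a path the last one listed wins.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): an offline audit that compares
# the type each path currently carries (ls -Z style listing) with the type the
# matching file_contexts.local entry would assign, so mislabeled paths that
# restorecon would reset are reported before a relabel is run.

# Constructed file_contexts.local fragment: "regex context" per line, in the
# same form semanage fcontext writes it. Not captured from a real host.
FILE_CONTEXTS_LOCAL='/web(/.*)? system_u:object_r:httpd_sys_content_t:s0
/etc/file1 unconfined_u:object_r:samba_share_t:s0'

# Constructed "ls -Z"-style listing: context then path, one entry per line.
CURRENT_LABELS='unconfined_u:object_r:default_t:s0 /web
unconfined_u:object_r:httpd_sys_content_t:s0 /web/file1
unconfined_u:object_r:default_t:s0 /web/file2
unconfined_u:object_r:etc_t:s0 /etc/file1
unconfined_u:object_r:etc_t:s0 /etc/file2'

# expected_type PATH
# Prints the type field (third colon-separated field) of the last
# file_contexts.local entry whose regular expression matches PATH, or nothing
# when no entry matches. The regex is anchored with ^ and $ because
# libselinux matches file_contexts entries against the whole path.
# Assumption: the last matching entry wins (simplified precedence).
expected_type() {
    printf '%s\n' "$FILE_CONTEXTS_LOCAL" | while read -r regex context; do
        [ -z "$regex" ] && continue
        if printf '%s\n' "$1" | grep -Eq "^${regex}\$"; then
            printf '%s\n' "$context" | cut -d: -f3
        fi
    done | tail -n 1
}

# find_mislabeled
# Prints "PATH CURRENT_TYPE -> EXPECTED_TYPE" for every listed path whose
# current type differs from the type its file_contexts.local entry specifies.
# Paths with no matching entry are skipped: restorecon would consult the
# main file_contexts file for them, which this example does not model.
find_mislabeled() {
    printf '%s\n' "$CURRENT_LABELS" | while read -r context path; do
        current=$(printf '%s\n' "$context" | cut -d: -f3)
        expected=$(expected_type "$path")
        [ -z "$expected" ] && continue
        if [ "$current" != "$expected" ]; then
            printf '%s %s -> %s\n' "$path" "$current" "$expected"
        fi
    done
}

# Stand-alone run: reports /web, /web/file2 and /etc/file1 as mislabeled;
# /web/file1 already matches and /etc/file2 has no local entry.
find_mislabeled
```

On a real host the same question is answered by restorecon's passive mode, restorecon -n -v -R /web, which lists the contexts it would change without touching any labels; the script above only makes the matching step visible on data you control.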
The following example demonstrates adding and removing an SELinux context:

- As the Linux root user, run the /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /test command. The /test/ directory does not have to exist. This command adds the following context to /etc/selinux/targeted/contexts/files/file_contexts.local:

    /test system_u:object_r:httpd_sys_content_t:s0

- To remove the context, as the Linux root user, run the /usr/sbin/semanage fcontext -d file-name|directory-name command, where file-name|directory-name is the first part of the entry in file_contexts.local. The following is an example of a context in file_contexts.local:

    /test system_u:object_r:httpd_sys_content_t:s0

  Here the first part is /test. To prevent the /test/ directory from being labeled with the httpd_sys_content_t type after running /sbin/restorecon, or after a file system relabel, run the following command as the Linux root user to delete the context from file_contexts.local:

    /usr/sbin/semanage fcontext -d /test

  If the context is part of a regular expression, for example /web(/.*)?, use quotation marks around the regular expression:

    /usr/sbin/semanage fcontext -d "/web(/.*)?"

Refer to the semanage(8) manual page for further information about /usr/sbin/semanage.

When changing the SELinux context with /usr/sbin/semanage fcontext -a, use the full path to the file or directory to avoid files being mislabeled after a file system relabel, or after the /sbin/restorecon command is run.