Tag: -Z

CHECKING THE DEFAULT SELINUX CONTEXT

Use the matchpathcon command to check if files and directories have the correct SELinux context. From the matchpathcon(8) manual page: “matchpathcon queries the system policy and outputs the default security context associated with the file path”. The following example demonstrates using the matchpathcon command to verify that files in /var/www/html/ directory are labeled correctly:
  1. As the Linux root user, run the touch /var/www/html/file{1,2,3} command to create three files (file1file2, and file3). These files inherit the httpd_sys_content_t type from the /var/www/html/ directory:
    ~]# touch /var/www/html/file{1,2,3} ~]# ls -Z /var/www/html/ -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1 -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2 -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
  2. As the Linux root user, run the chcon -t samba_share_t /var/www/html/file1command to change the file1 type to samba_share_t. Note that the Apache HTTP Server cannot read files or directories labeled with the samba_share_t type.
  3. The matchpathcon -V option compares the current SELinux context to the correct, default context in SELinux policy. Run the matchpathcon -V /var/www/html/*command to check all files in the /var/www/html/ directory:
    ~]$ matchpathcon -V /var/www/html/* /var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0 /var/www/html/file2 verified. /var/www/html/file3 verified.
The following output from the matchpathcon command explains that file1 is labeled with the samba_share_t type, but should be labeled with the httpd_sys_content_ttype:
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
To resolve the label problem and allow the Apache HTTP Server access to file1, as the Linux root user, run the restorecon -v /var/www/html/file1 command:
~]# restorecon -v /var/www/html/file1 restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0