How to change selinux context of a file or directory

SELinux Context

In Linux, processes and files are labeled with an SELinux context that contains additional information, such as an SELinux user, role, type, and optionally, a level.

How to check the SELinux context in Linux

Check the SELinux context of a file and directory.
  • To check the context of a file, the syntax is

#ls -Z <filename>

#ls -Z file1

[root@linuxelearn ~]# ls
anaconda-ks.cfg              file3                        nrpe-2.14.tar.gz
Desktop                      file.hlink                   nrpe-3.0
dir1                         file.softl                   nrpe-3.0.tar.gz
Documents                    install.log                  Pictures
Downloads                    install.log.syslog           Public
epel-release-6-8.noarch.rpm  Music                        rahul
file1                        nagios-3.2.3                 rahull
[root@linuxelearn ~]# ls -Z file1
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 file1
[root@linuxelearn ~]#
  • To check the context of a directory, the syntax is

#ls -ldZ <directory name>
#ls -ldZ dir1

[root@linuxelearn ~]# ls -ldZ dir1
drwxrwsrwt. root rjgroup unconfined_u:object_r:admin_home_t:s0 dir1
[root@linuxelearn ~]#

Checking the SELinux context of a process

  • To check the context of a process running in the system, the syntax is

#ps -efZ | grep <process name>
#ps -efZ | grep ftp

[root@linuxelearn ~]# ps -efZ | grep ftp
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2262 2176  0 22:44 pts/1 00:00:00 grep ftp
[root@linuxelearn ~]#

Changing the SELinux context of a file or directory

  • To change the context of a file, use the following steps

Check the existing context of the file with

#ls -lZ <filename>

[root@linuxelearn ~]# ls -Z file1
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 file1
[root@linuxelearn ~]#

Observe that the type is admin_home_t. Change it to public_content_t so that it will be available for all users.
  • To change the context of a file or directory, use the following syntax

#chcon -t <arguments> <file/directory name>
#chcon -t public_content_t file1

[root@linuxelearn ~]# chcon -t public_content_t file1
[root@linuxelearn ~]# ls -Z file1
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
[root@linuxelearn ~]#
  • To change the context of a directory and its contents
  • First, check the context of both the directory and its contents

[root@linuxelearn ~]# ls -ldZ dir1
drwxrwsrwt. root rjgroup unconfined_u:object_r:admin_home_t:s0 dir1
[root@linuxelearn ~]# ls -lZ dir1
-rw-r--r--. root rjgroup unconfined_u:object_r:admin_home_t:s0 file1
-rw-r--r--. root rjgroup unconfined_u:object_r:admin_home_t:s0 file2
-rw-r--r--. root rjgroup unconfined_u:object_r:admin_home_t:s0 file3
-rw-r--r--. root rjgroup unconfined_u:object_r:admin_home_t:s0 file4
-rw-r--r--. root rjgroup unconfined_u:object_r:admin_home_t:s0 file5
[root@linuxelearn ~]#

To change the context of a directory and its contents, use the following syntax

#chcon -R -t <argument> <dir name>
#chcon -R -t public_content_t dir1

[root@linuxelearn ~]# chcon -R -t public_content_t dir1
[root@linuxelearn ~]# ls -ldZ dir1
drwxrwsrwt. root rjgroup unconfined_u:object_r:public_content_t:s0 dir1
[root@linuxelearn ~]# ls -lZ dir1
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file1
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file2
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file3
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file4
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file5
[root@linuxelearn ~]#
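
A quick check after a recursive chcon, as an added example that is not part of the original post: the helpers below split a context into its user, role, type and level fields and list the entries in ls -Z output whose type is not the expected one. The function names ctx_field and mislabeled and the sample lines are constructed for illustration; the level is taken as everything after the third colon because a range such as s0-s0:c0.c1023 contains a colon of its own.

```shell
#!/bin/sh
# Added example, not from the original post. Sample lines are constructed
# in the ls -lZ layout shown on this page.

# ctx_field CONTEXT user|role|type|level
# The level is everything after the third colon, because a range such as
# s0-s0:c0.c1023 contains a colon of its own. The level may be absent.
ctx_field() {
    local ctx="$1" user role setype level rest
    user=${ctx%%:*};  rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    setype=${rest%%:*}
    if [ "$rest" = "$setype" ]; then level=""; else level=${rest#*:}; fi
    case "$2" in
        user)  echo "$user" ;;
        role)  echo "$role" ;;
        type)  echo "$setype" ;;
        level) echo "$level" ;;
        *)     return 2 ;;
    esac
}

# mislabeled EXPECTED_TYPE < ls-Z-output
# Prints the name of every entry whose type differs from EXPECTED_TYPE.
# The context is taken to be the first field with at least two colons,
# so both "ls -Z" and "ls -lZ" layouts are accepted.
mislabeled() {
    local expected="$1" line field ctx name
    while IFS= read -r line; do
        ctx=""
        set -f; set -- $line; set +f      # split on whitespace, no globbing
        for field in "$@"; do
            case "$field" in *:*:*) ctx=$field; break ;; esac
        done
        [ -n "$ctx" ] || continue          # not an ls -Z line
        name=${line#*"$ctx" }              # name = text after the context
        [ "$(ctx_field "$ctx" type)" = "$expected" ] || echo "$name"
    done
}

# Constructed sample: file2 still carries the old type.
SAMPLE='-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file1
-rw-r--r--. root rjgroup unconfined_u:object_r:admin_home_t:s0 file2
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file3'

printf '%s\n' "$SAMPLE" | mislabeled public_content_t
```

On a live system the same check is `ls -lZ dir1 | mislabeled public_content_t`; empty output means every entry has the expected type.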

How to restore a modified SELinux context to its default value

To restore the modified or changed SELinux context of a file to its default, the syntax is

#restorecon -v <filename>
#restorecon -v file1

[root@linuxelearn ~]# ls -Z file1
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
[root@linuxelearn ~]# restorecon -v file1
restorecon reset /root/file1 context system_u:object_r:public_content_t:s0->system_u:object_r:admin_home_t:s0
[root@linuxelearn ~]# ls -Z file1
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 file1
[root@linuxelearn ~]#

To restore the SELinux context of a directory along with its contents, the syntax is

#restorecon -Rv <dir name>
#restorecon -Rv dir1

[root@linuxelearn ~]# ls -ldZ dir1
drwxrwsrwt. root rjgroup unconfined_u:object_r:public_content_t:s0 dir1
[root@linuxelearn ~]# ls -lZ dir1
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file1
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file2
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file3
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file4
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file5
[root@linuxelearn ~]# restorecon -Rv dir1
restorecon reset /root/dir1 context unconfined_u:object_r:public_content_t:s0->system_u:object_r:admin_home_t:s0
restorecon reset /root/dir1/file4 context unconfined_u:object_r:public_content_t:s0->system_u:object_r:admin_home_t:s0
restorecon reset /root/dir1/file5 context unconfined_u:object_r:public_content_t:s0->system_u:object_r:admin_home_t:s0
restorecon reset /root/dir1/file3 context unconfined_u:object_r:public_content_t:s0->system_u:object_r:admin_home_t:s0
restorecon reset /root/dir1/file1 context unconfined_u:object_r:public_content_t:s0->system_u:object_r:admin_home_t:s0
restorecon reset /root/dir1/file2 context unconfined_u:object_r:public_content_t:s0->system_u:object_r:admin_home_t:s0
[root@linuxelearn ~]# ls -ldZ dir1
drwxrwsrwt. root rjgroup system_u:object_r:admin_home_t:s0 dir1
[root@linuxelearn ~]# ls -lZ dir1
-rw-r--r--. root rjgroup system_u:object_r:admin_home_t:s0 file1
-rw-r--r--. root rjgroup system_u:object_r:admin_home_t:s0 file2
-rw-r--r--. root rjgroup system_u:object_r:admin_home_t:s0 file3
-rw-r--r--. root rjgroup system_u:object_r:admin_home_t:s0 file4
-rw-r--r--. root rjgroup system_u:object_r:admin_home_t:s0 file5
[root@linuxelearn ~]#

Useful note:
To restore the context of only the directory and not its contents, do not add “R” to the command.

4 thoughts on “How to change selinux context of a file or directory”

  1. Sometimes it is necessary to relabel the complete filesystem although this should only be necessary when enabling SELinux after it has been disabled or when changing the SELinux policy from the default targeted policy to strict.
