5.7.2. Persistent Changes: semanage fcontext

5.7.2. Persistent Changes: semanage fcontext

The /usr/sbin/semanage fcontext command changes the SELinux context for files. When using targeted policy, changes made with this command are added to the /etc/selinux/targeted/contexts/files/file_contexts file if the changes are to files that exists in file_contexts, or are added to file_contexts.local for new files and directories, such as creating a /web/ directory. setfiles, which is used when a file system is relabeled, and /sbin/restorecon, which restores the default SELinux contexts, read these files. This means that changes made by /usr/sbin/semanage fcontext are persistent, even if the file system is relabeled. SELinux policy controls whether users are able to modify the SELinux context for any given file.

Quick Reference
To make SELinux context changes that survive a file system relabel:

  1. Run the /usr/sbin/semanage fcontext -a options file-name|directory-name command, remembering to use the full path to the file or directory.

  2. Run the /sbin/restorecon -v file-name|directory-name command to apply the context changes.

Changing a File's Type
The following example demonstrates changing a file's type, and no other attributes of the SELinux context:

  1. As the Linux root user, run the touch /etc/file1 command to create a new file. By default, newly-created files in the /etc/ directory are labeled with the etc_t type: 

    # ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0       /etc/file1

  2. As the Linux root user, run the /usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1 command to change the file1 type to samba_share_t. The -a option adds a new record, and the -t option defines a type (samba_share_t). Note: running this command does not directly change the type - file1 is still labeled with the etc_t type: 

    # /usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1
# ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0       /etc/file1

    The /usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1 command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local: 

    /etc/file1    unconfined_u:object_r:samba_share_t:s0

  3. As the Linux root user, run the /sbin/restorecon -v /etc/file1 command to change the type. Since the semanage command added an entry to file.contexts.local for /etc/file1, the /sbin/restorecon command changes the type to samba_share_t: 

    # /sbin/restorecon -v /etc/file1
restorecon reset /etc/file1 context unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0

  4. As the Linux root user, run the rm -i /etc/file1 command to remove file1.

  5. As the Linux root user, run the /usr/sbin/semanage fcontext -d /etc/file1 command to remove the context added for /etc/file1. When the context is removed, running restorecon changes the type to etc_t, rather than samba_share_t.

Changing a Directory's Type
The following example demonstrates creating a new directory and changing that directory's file type, to a type used by Apache HTTP Server:

  1. As the Linux root user, run the mkdir /web command to create a new directory. This directory is labeled with the default_t type: 

    # ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web

    The ls -d option makes ls list information about a directory, rather than its contents, and the -Z option makes ls display the SELinux context (in this example, unconfined_u:object_r:default_t:s0).

  2. As the Linux root user, run the /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web command to change the /web/ type to httpd_sys_content_t. The -a option adds a new record, and the -t option defines a type (httpd_sys_content_t). Note: running this command does not directly change the type - /web/ is still labeled with the default_t type: 

    # /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web
# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0   /web

    The /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local: 

    /web    unconfined_u:object_r:httpd_sys_content_t:s0

  3. As the Linux root user, run the /sbin/restorecon -v /web command to change the type. Since the semanage command added an entry to file.contexts.local for /web, the /sbin/restorecon command changes the type to httpd_sys_content_t: 

    # /sbin/restorecon -v /web
restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

    By default, newly-created files and directories inherit the SELinux type of their parent folders. When using this example, and before removing the SELinux context added for /web/, files and directories created in the /web/ directory are labeled with the httpd_sys_content_t type.

  4. As the Linux root user, run the /usr/sbin/semanage fcontext -d /web command to remove the context added for /web/.

  5. As the Linux root user, run the /sbin/restorecon -v /web command to restore the default SELinux context.

Changing a Directory and its Contents Types
The following example demonstrates creating a new directory, and changing the directory's file type (along with its contents) to a type used by Apache HTTP Server. The configuration in this example is used if you want Apache HTTP Server to use a different document root (instead of /var/www/html/):

  1. As the Linux root user, run the mkdir /web command to create a new directory, and then the touch /web/file{1,2,3} command to create 3 empty files (file1, file2, and file3). The /web/ directory and files in it are labeled with the default_t type: 

    # ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3

  2. As the Linux root user, run the /usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" command to change the type of the /web/ directory and the files in it, to httpd_sys_content_t. The -a option adds a new record, and the -t option defines a type (httpd_sys_content_t). The "/web(/.*)?" regular expression causes the semanage command to apply changes to the /web/ directory, as well as the files in it. Note: running this command does not directly change the type - /web/ and files in it are still labeled with the default_t type: 

    # ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3

    The /usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local: 

    /web(/.*)?    system_u:object_r:httpd_sys_content_t:s0

  3. As the Linux root user, run the /sbin/restorecon -R -v /web command to change the type of the /web/ directory, as well as all files in it. The -R is for recursive, which means all files and directories under the /web/ directory are labeled with the httpd_sys_content_t type. Since the semanage command added an entry to file.contexts.local for /web(/.*)?, the /sbin/restorecon command changes the types to httpd_sys_content_t: 

    # /sbin/restorecon -R -v /web
restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

    By default, newly-created files and directories inherit the SELinux type of their parents. In this example, files and directories created in the /web/ directory will be labeled with the httpd_sys_content_t type.

  4. As the Linux root user, run the /usr/sbin/semanage fcontext -d "/web(/.*)?" command to remove the context added for "/web(/.*)?".

  5. As the Linux root user, run the /sbin/restorecon -R -v /web command to restore the default SELinux contexts.

Deleting an added Context
The following example demonstrates adding and removing an SELinux context:

  1. As the Linux root user, run the /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /test command. The /test/ directory does not have to exist. This command adds the following context to /etc/selinux/targeted/contexts/files/file_contexts.local: 

    /test    system_u:object_r:httpd_sys_content_t:s0

  2. To remove the context, as the Linux root user, run the /usr/sbin/semanage fcontext -d file-name|directory-name command, where file-name|directory-name is the first part in file_contexts.local. The following is an example of a context in file_contexts.local: 

    /test    system_u:object_r:httpd_sys_content_t:s0

    With the first part being /test. To prevent the /test/ directory from being labeled with the httpd_sys_content_t after running /sbin/restorecon, or after a file system relabel, run the following command as the Linux root user to delete the context from file_contexts.local:

    /usr/sbin/semanage fcontext -d /test

If the context is part of a regular expression, for example, /web(/.*)?, use quotation marks around the regular expression:

/usr/sbin/semanage fcontext -d "/web(/.*)?"

Refer to the semanage(8) manual page for further information about /usr/sbin/semanage.

Important

When changing the SELinux context with /usr/sbin/semanage fcontext -a, use the full path to the file or directory to avoid files being mislabeled after a file system relabel, or after the /sbin/restorecon command is run.