RHCSA - Manage Security: Restore Default File contexts
restorecon Command
The restorecon command is used to restore the SELinux context of files and directories to their default values. When files or directories have had their SELinux contexts modified, restorecon can be used to reset them to their policy-defined state, ensuring the proper security policies are enforced.
The restorecon command takes either a file or directory as an argument; you can recursively restore file contexts by using either the -r or -R flag. The -v flag can also be used to display on screen the changes the restorecon command makes.
/.autorelabel file
When SELinux is enabled, each file and directory on the system is assigned a security context that defines its access permissions. However, there may be situations where the existing file contexts are inconsistent or incorrect. In such cases, SELinux might deny access to files and cause disruptions in system functionality. The autorelabel feature allows you to automatically relabel all files and directories on the system to ensure consistent and correct security contexts, and this feature is activated when the /.autorelabel file is created.
Restore File Contexts Exercise
The exercises below will get you restoring file contexts using both the restorecon command and the /.autorelabel file method.
The RHCSA objectives do not specify setting file contexts; however, for the exercise you will use the chcon command to create a scenario where the file contexts do not match the defaults. I discourage the use of this command in the real world, as it changes the label on the file but not the underlying SELinux policy, so the change is lost on the next relabel.
Restore the default file context for your user's home directory:
First we need to give your home directory the wrong file context. Ensure you are logged in as a normal user account and not root:
chcon -t var_log_t $HOME
List the file context of your home directory:
ls -Zd $HOME
The output should show the var_log_t context type set against your home directory:
unconfined_u:object_r:var_log_t:s0 /home/user1
Restore the default file context for the home directory:
restorecon -v $HOME
The output of this command shows the default file context was restored; as we restored the default context on a home directory, this set the type back to user_home_dir_t:
Relabeled /home/user1 from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:user_home_dir_t:s0
Perform a system wide restore of file contexts:
Recursively set the wrong context on your user's .ssh directory. In this case you make an honest mistake of setting the context type to user_home_dir_t:
chcon -Rt user_home_dir_t $HOME/.ssh
List the file context of your .ssh directory and its files:
ls -Zd $HOME/.ssh $HOME/.ssh/*
The output should show the user_home_dir_t context type set against your .ssh directory and its files:
unconfined_u:object_r:user_home_dir_t:s0 /home/dtvlinux/.ssh
unconfined_u:object_r:user_home_dir_t:s0 /home/dtvlinux/.ssh/id_rsa
unconfined_u:object_r:user_home_dir_t:s0 /home/dtvlinux/.ssh/id_rsa.pub
unconfined_u:object_r:user_home_dir_t:s0 /home/dtvlinux/.ssh/known_hosts
Create the /.autorelabel file with touch so that on the next boot the system restores the default file contexts:
sudo touch /.autorelabel
Reboot the system to kick off the restore/relabeling process. This can take a long time depending on the number of files on your system:
sudo reboot
During the reboot you can watch the relabel process taking place on the console.
Following the reboot, list the .ssh directory and file contexts again:
ls -Zd $HOME/.ssh $HOME/.ssh/*
The output should show the ssh_home_t context type set against your .ssh directory and its files:
unconfined_u:object_r:ssh_home_t:s0 /home/dtvlinux/.ssh
unconfined_u:object_r:ssh_home_t:s0 /home/dtvlinux/.ssh/id_rsa
unconfined_u:object_r:ssh_home_t:s0 /home/dtvlinux/.ssh/id_rsa.pub
unconfined_u:object_r:ssh_home_t:s0 /home/dtvlinux/.ssh/known_hosts
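Before reaching for /.autorelabel, it is useful to know how much has drifted. The added script below (example code, not part of the original tutorial) uses restorecon's -n flag, which reports what would be relabeled without touching anything, together with -v and -R, and turns the "Would relabel PATH from CURRENT to DEFAULT" lines into a short drift report for a directory such as the .ssh tree above. The parser is separated from the restorecon call and fed a constructed sample so it can be exercised on a machine without SELinux; the path names in the sample are constructed.

```shell
#!/bin/sh
# Added example: audit a tree for SELinux context drift without relabeling.
# restorecon -n (report only) -v (show each change) -R (recurse) prints
# "Would relabel PATH from CURRENT to DEFAULT" for every mismatched file;
# this script turns that into a drift report and a non-zero exit status.

# parse_relabel_report: read restorecon -v / -nv output on stdin and print
# "PATH CURRENT_TYPE -> DEFAULT_TYPE" per mislabeled path. Handles both the
# dry-run ("Would relabel ...") and real-run ("Relabeled ...") wording.
# Assumes paths contain no whitespace (restorecon prints them unquoted).
parse_relabel_report() {
    awk '
        function emit(path, cur, def,   c, d) {
            split(cur, c, ":"); split(def, d, ":")   # keep only the type field
            printf "%s %s -> %s\n", path, c[3], d[3]
        }
        $1 == "Would" && $2 == "relabel" { emit($3, $5, $7) }
        $1 == "Relabeled"                { emit($2, $4, $6) }
    '
}

# count_mislabeled: number of mismatched paths in the report read from stdin.
count_mislabeled() {
    parse_relabel_report | wc -l | tr -d ' '
}

# audit_contexts DIR: dry-run restorecon over DIR, print findings and
# return 1 if anything is mislabeled, so it can gate a cron or CI job.
audit_contexts() {
    report=$(restorecon -nvR "$1" 2>/dev/null | parse_relabel_report)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample of restorecon -nvR output for the .ssh scenario, so the
# parser can be exercised on a machine without SELinux installed.
SAMPLE_REPORT='Would relabel /home/user1/.ssh from unconfined_u:object_r:user_home_dir_t:s0 to unconfined_u:object_r:ssh_home_t:s0
Would relabel /home/user1/.ssh/id_rsa from unconfined_u:object_r:user_home_dir_t:s0 to unconfined_u:object_r:ssh_home_t:s0
Relabeled /home/user1 from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:user_home_dir_t:s0'

printf '%s\n' "$SAMPLE_REPORT" | parse_relabel_report
echo "mismatched paths: $(printf '%s\n' "$SAMPLE_REPORT" | count_mislabeled)"
```

On a real system run `audit_contexts "$HOME/.ssh"` (or any directory) and fix a small number of findings with `restorecon -Rv`, reserving the full reboot-time relabel for system-wide drift.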