Skip to content

Click on each book below to review & buy on Amazon.

As an Amazon Associate, I earn from qualifying purchases.

RHCSA - Manage Security: Restore Default File contexts

restorecon Command

The restorecon command is used to restore the SELinux context of files and directories to their default values. When files or directories have their SELinux contexts modified, restorecon can be used to reset them to their original state, ensuring proper security policies are enforced.

The restorecon command takes either a file or directory as an argument, however you can recursively restore file context by using either the -r or -R flags. The -v flag can also be used to display to screen the changes the restorecon command makes.

/.autorelabel file

When SELinux is enabled, each file and directory on the system is assigned a security context that defines its access permissions. However, there may be situations where the existing file contexts are inconsistent or incorrect. In such cases, SELinux might deny access to files and cause disruptions in system functionality. The autorelabel feature allows you to automatically relabel all files and directories on the system to ensure consistent and correct security contexts, and this feature is activated when the /.autorelabel file is created.

Restore File Contexts Exercise

The below exercises will get you restoring file contexts using both the restorecon command and /.autorelabel file methods.

The RHCSA objectives do not specify setting file contexts, however for the exercise you will use the chcon command to create a scenario where the file contexts do not match the defaults. I discourage the use of this command in the real world as it makes changes to the file but not the underlying SELinux policy.

Restore the default file context for your users home directory:

First we need to give your home directory the wrong file context. Ensure you are logged in as a normal user account and not root:

chcon -t var_log_t $HOME

List the file context of your home directory:

ls -Zd $HOME

The output should show the var_log_t context type set against your home directory:

unconfined_u:object_r:var_log_t:s0 /home/user1

Restore the default file context for the home directory:

restorecon -v $HOME

The output of this command shows the default file context was restored, which, as we restored the default context on a home directory, set the type back to user_home_t:

Relabeled /home/user1 from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:user_home_dir_t:s0

Perform a system wide restore of file contexts:

Recursively set the wrong context to your users .ssh directory. In this case you make an honest mistake of setting the context type to user_home_dir_t:

chcon -Rt user_home_dir_t $HOME/.ssh

List the file context of your .ssh directory files:

ls -Zd $HOME/.ssh $HOME/.ssh/*

The output should show the user_home_dir_t context type set against your .ssh directory and its files:

unconfined_u:object_r:user_home_dir_t:s0 /home/dtvlinux/.ssh
unconfined_u:object_r:user_home_dir_t:s0 /home/dtvlinux/.ssh/id_rsa
unconfined_u:object_r:user_home_dir_t:s0 /home/dtvlinux/.ssh/id_rsa.pub
unconfined_u:object_r:user_home_dir_t:s0 /home/dtvlinux/.ssh/known_hosts

touch the /.autorelabel file so that on next boot the system restores the default file contexts:

sudo touch /.autorelabel

Reboot the system to kick of the restore/relabeling process:

This can take a long time depending on the number of files on your system.

sudo reboot

During the reboot you can see the relabel process taking place:

autorelabel

Following the reboot, list the .ssh directory and files contexts again:

ls -Zd $HOME/.ssh $HOME/.ssh/*

The output should show the ssh_home_t context type set against your .ssh directory and its files:

unconfined_u:object_r:ssh_home_t:s0 /home/dtvlinux/.ssh
unconfined_u:object_r:ssh_home_t:s0 /home/dtvlinux/.ssh/id_rsa
unconfined_u:object_r:ssh_home_t:s0 /home/dtvlinux/.ssh/id_rsa.pub
unconfined_u:object_r:ssh_home_t:s0 /home/dtvlinux/.ssh/known_hosts

Support DTV Linux

Click on each book below to review & buy on Amazon. As an Amazon Associate, I earn from qualifying purchases.

NordVPN ®: Elevate your online privacy and security. Grab our Special Offer to safeguard your data on public Wi-Fi and secure your devices. I may earn a commission on purchases made through this link.