Use the matchpathcon utility to check if files and directories have the correct SELinux context. This utility queries the system policy and then provides the default security context associated with the file path. [22] The following example demonstrates using matchpathcon to verify that files in the /var/www/html/ directory are labeled correctly:
Procedure 10.21. Checking the Default SELinux Context with matchpathcon
Create three files (file1, file2, and file3) in the /var/www/html/ directory. These files inherit the httpd_sys_content_t type from /var/www/html/:
~]# touch /var/www/html/file{1,2,3}
~]# ls -Z /var/www/html/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
Change the file1 type to samba_share_t. Note that the Apache HTTP Server cannot read files or directories labeled with the samba_share_t type.
~]# chcon -t samba_share_t /var/www/html/file1
The matchpathcon -V option compares the current SELinux context to the correct, default context in SELinux policy. Run the following command to check all files in the /var/www/html/ directory:
~]$ matchpathcon -V /var/www/html/*
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified.
/var/www/html/file3 verified.
The output of the matchpathcon command explains that file1 is labeled with the samba_share_t type, but should be labeled with the httpd_sys_content_t type:
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
To correct the label on file1, as root, use the restorecon utility:
~]# restorecon -v /var/www/html/file1
restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
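
The check in this procedure can also run from a script. The following is an added example, not part of the original documentation: a shell function that reduces matchpathcon -V output to path, current type, and expected type, and returns non-zero when any file is mislabeled. The function names report_mislabeled and sample_output are assumptions of this example, and the embedded sample is the output shown above.

```shell
#!/bin/sh
# Added example: summarise `matchpathcon -V` output for use in scripts.

# report_mislabeled reads matchpathcon -V output on stdin and prints one
# "path<TAB>current_type<TAB>expected_type" line per mislabeled file.
# It returns 1 if any mismatch was seen and 0 if every path verified.
report_mislabeled() {
    awk '
        BEGIN { bad = 0 }
        {
            # Mismatch lines read: PATH has context CUR, should be WANT
            i = index($0, " has context ")
            j = index($0, ", should be ")
            if (i == 0 || j == 0 || j < i) next   # skips "PATH verified."
            path = substr($0, 1, i - 1)
            cur  = substr($0, i + 13, j - i - 13)
            want = substr($0, j + 12)
            # A context is user:role:type:level. The type is field 3 even
            # when the level contains colons (for example s0:c0.c1023).
            split(cur, c, ":")
            split(want, w, ":")
            printf "%s\t%s\t%s\n", path, c[3], w[3]
            bad = 1
        }
        END { exit bad }
    '
}

# Sample input: the matchpathcon -V output from the procedure above.
sample_output() {
    cat <<'EOF'
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified.
/var/www/html/file3 verified.
EOF
}

# On an SELinux system, replace sample_output with:
#   matchpathcon -V /var/www/html/*
sample_output | report_mislabeled || echo "mislabeled files found; relabel with restorecon -v"
```
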