10.4.6.2. Persistent Changes: semanage fcontext

⁠10.4.6.2. Persistent Changes: semanage fcontext

The semanage fcontext command is used to change the SELinux context of files. When using targeted policy, changes are written to files located in the /etc/selinux/targeted/contexts/files/ directory:

The file_contexts file specifies default contexts for many files, as well as contexts updated via semanage fcontext.
The file_contexts.local file stores contexts to newly created files and directories not found in file_contexts.

Two utilities read these files. The setfiles utility is used when a file system is relabeled and the restorecon utility restores the default SELinux contexts. This means that changes made by semanage fcontext are persistent, even if the file system is relabeled. SELinux policy controls whether users are able to modify the SELinux context for any given file.

⁠Quick Reference

To make SELinux context changes that survive a file system relabel:

Run the following command, remembering to use the full path to the file or directory:
```
~]# semanage fcontext -a options file-name|directory-name
```
Use the restorecon utility to apply the context changes:
```
~]# restorecon -v file-name|directory-name
```

⁠

Procedure 10.13. Changing a File's or Directory 's Type

The following example demonstrates changing a file's type, and no other attributes of the SELinux context. This example works the same for directories, for instance if file1 was a directory.

As the root user, create a new file in the /etc/ directory. By default, newly-created files in /etc/ are labeled with the etc_t type:
```
~]# touch /etc/file1
```
```
~]$ ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0       /etc/file1
```
To list information about a directory, use the following command:
```
~]$ ls -dZ directory_name
```
As root, run the following command to change the file1 type to samba_share_t. The -a option adds a new record, and the -t option defines a type (samba_share_t). Note that running this command does not directly change the type; file1 is still labeled with the etc_t type:
```
~]# semanage fcontext -a -t samba_share_t /etc/file1
```
```
~]# ls -Z /etc/file1 
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0       /etc/file1
```
The semanage fcontext -a -t samba_share_t /etc/file1 command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local:
```
/etc/file1    unconfined_u:object_r:samba_share_t:s0
```
As root, use the restorecon utility to change the type. Because semanage added an entry to file.contexts.local for /etc/file1, restorecon changes the type to samba_share_t:
```
~]# restorecon -v /etc/file1
restorecon reset /etc/file1 context unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0
```

⁠

Procedure 10.14. Changing a Directory and its Contents Types

The following example demonstrates creating a new directory, and changing the directory's file type (along with its contents) to a type used by Apache HTTP Server. The configuration in this example is used if you want Apache HTTP Server to use a different document root (instead of /var/www/html/):

As the root user, create a new /mkdir/directory and then 3 empty files (file1, file2, and file3) within this directory. The /web/ directory and files in it are labeled with the default_t type:

~]# mkdir /web

~]# touch /web/file{1,2,3}

~]# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web

~]# ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3

As root, run the following command to change the type of the /web/ directory and the files in it, to httpd_sys_content_t. The -a option adds a new record, and the -t option defines a type (httpd_sys_content_t). The "/web(/.*)?" regular expression causes semanage to apply changes to /web/, as well as the files in it. Note that running this command does not directly change the type; /web/ and files in it are still labeled with the default_t type:
```
~]# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
```
```
~]$ ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
```
```
~]$ ls -lZ /web 
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
```
The semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local:
```
/web(/.*)?    system_u:object_r:httpd_sys_content_t:s0
```

As root, use the restorecon utility to change the type of /web/, as well as all files in it. The -R is for recursive, which means all files and directories under /web/ are labeled with the httpd_sys_content_t type. Since semanage added an entry to file.contexts.local for /web(/.*)?, restorecon changes the types to httpd_sys_content_t:

~]# restorecon -R -v /web
restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

Note

By default, newly-created files and directories inherit the SELinux type of their parent directories. For example, when creating a new file in the /etc/ directory that is labeled with the etc_t type, the new file inherits the same type:

~]$ ls -dZ - /etc/
drwxr-xr-x. root root system_u:object_r:etc_t:s0       /etc

~]# touch /etc/file1

~]# ls -lZ /etc/file1
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/file1

⁠

Procedure 10.15. Deleting an added Context

The following example demonstrates adding and removing an SELinux context. If the context is part of a regular expression, for example, /web(/.*)?, use quotation marks around the regular expression:

~]# semanage fcontext -d "/web(/.*)?"

To remove the context, as root, run the following command, where file-name|directory-name is the first part in file_contexts.local:
```
~]# semanage fcontext -d file-name|directory-name
```
The following is an example of a context in file_contexts.local:
```
/test    system_u:object_r:httpd_sys_content_t:s0
```
With the first part being /test. To prevent the /test/ directory from being labeled with the httpd_sys_content_t after running restorecon, or after a file system relabel, run the following command as root to delete the context from file_contexts.local:
```
~]# semanage fcontext -d /test
```
As root, use the restorecon utility to restore the default SELinux context.

See the semanage(8) manual page for further information about semanage.

Important

When changing the SELinux context with semanage fcontext -a, use the full path to the file or directory to avoid files being mislabeled after a file system relabel, or after the restorecon command is run.