The restorecon command restores the default SELinux security context of files.
Syntax
restorecon [-iFnrRv] [-e excludedir] [-o filename] [-f filename | pathname...]
Options
-i: ignore files that do not exist.
-f infilename: infilename lists the files to be processed.
-e directory: exclude the directory.
-R/-r: process directories recursively.
-n: do not change the file labels.
-o outfilename: save the list of files with an incorrect context to outfilename.
-v: display the process on the screen.
-F: forcibly restore the file security context.
Example
Assume that Apache is installed on CentOS and the default home directory for web pages is /var/www/html. A common problem: you create a web page file in some other directory, then use mv to move it into the default directory /var/www/html, but the file cannot be opened in the browser. This is probably because the file's SELinux context is inherited from the original directory and differs from that of the /var/www/html directory. When mv moves a file, its SELinux context moves with it, so the page cannot be opened. For details, see the following example:
The code is as follows:

    # Use CentOS as an example. If Apache is not installed by default, make sure
    # the network is connected, then run the following command to install it.
    [root@111cn.net ~]# yum install httpd

    # Create an HTML file in root's home directory.
    [root@111cn.net ~]# pwd
    /root
    [root@111cn.net ~]# vi index.html
    # Enter some text, then save and exit:
    Welcome to www.111cn.net

    # Move this file to the default web page directory.
    [root@111cn.net ~]# mv index.html /var/www/html/

    # Now enter 127.0.0.1/index.html in the Firefox browser: the address cannot be opened.
    # Check the SELinux log file and you find the error message below.
    # It shows SELinux blocking httpd from opening index.html in the web page
    # home directory because the file's SELinux context is incorrect.
    # The part after scontext= is the context httpd runs under, and the part
    # after tcontext= is the SELinux context of the index.html file.
    # The third field of tcontext=, "admin_home_t", shows that the file still
    # carries the context of root's home directory.
    type=AVC msg=audit(1378974214.610:465): avc:  denied  { open } for  pid=2359 comm="httpd" path="/var/www/html/index.html" dev="sda1" ino=1317685 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

    # ls -Z shows that the SELinux contexts of the file and the directory do not match.
    [root@111cn.net html]# ls -Z /var/www/html/
    ... unconfined_u:object_r:admin_home_t:s0 index.html
    [root@111cn.net html]# ls -Zd /var/www/html/
    ... system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

    # Use restorecon to restore the SELinux context of all files in the web page
    # home directory (if the target is a directory, add -R to recurse).
    [root@111cn.net html]# restorecon -R /var/www/html/
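Before running restorecon -R over a whole tree, it helps to see which files the denials actually point at. The script below is an added example, not code from the original page: it reads AVC records, keeps denials for one source domain under one directory, and prints each denied path with its current type. The function names are hypothetical, and only the first sample record is the one shown above; the other three are constructed.

```shell
#!/bin/sh
# Added example. Record 1 is the denial from this page; records 2-4 are
# constructed: another mislabeled file, a repeat of record 1, and a denial
# outside the web root that relabeling should not touch.
SAMPLE_AVC='type=AVC msg=audit(1378974214.610:465): avc:  denied  { open } for  pid=2359 comm="httpd" path="/var/www/html/index.html" dev="sda1" ino=1317685 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1378974300.101:470): avc:  denied  { read } for  pid=2359 comm="httpd" path="/var/www/html/about.html" dev="sda1" ino=1317690 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1378974305.222:471): avc:  denied  { read } for  pid=2359 comm="httpd" path="/var/www/html/index.html" dev="sda1" ino=1317685 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1378974400.000:480): avc:  denied  { read } for  pid=2359 comm="httpd" path="/etc/shadow" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# denied_paths DOMAIN PREFIX
# Reads audit records on stdin and prints "path<TAB>target_type" once per file
# under PREFIX that a process running in DOMAIN was denied access to.
denied_paths() {
    awk -v dom="$1" -v prefix="$2" '
    /avc:/ && /denied/ {
        path = ""; stype = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")            # split key=value at the first "="
            if (eq == 0) continue
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            gsub(/"/, "", val)
            if (key == "path") path = val
            else if (key == "scontext") { split(val, c, ":"); stype = c[3] }
            else if (key == "tcontext") { split(val, c, ":"); ttype = c[3] }
        }
        # The third context field is the SELinux type (httpd_t, admin_home_t, ...).
        if (stype == dom && index(path, prefix) == 1 && !seen[path]++)
            printf "%s\t%s\n", path, ttype
    }'
}

# relabel_candidates DOMAIN PREFIX: paths only, one per line.
relabel_candidates() {
    denied_paths "$1" "$2" | cut -f1
}

# Demo on the sample records. On a real host (assumption: audit log in the
# usual /var/log/audit/audit.log), pipe the result into a dry run first:
#   relabel_candidates httpd_t /var/www/html/ < /var/log/audit/audit.log | restorecon -n -v -f -
printf '%s\n' "$SAMPLE_AVC" | denied_paths httpd_t /var/www/html/
```

With -n restorecon changes nothing and with -v it reports what it would relabel, so a denial that is not a labeling problem (like the constructed /etc/shadow record, which the prefix filter already drops) is never "fixed" by accident.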