5.9.3. Checking the Default SELinux Context

Use the matchpathcon command to check if files and directories have the correct SELinux context. From the matchpathcon(8) manual page: "matchpathcon queries the system policy and outputs the default security context associated with the file path."^[10]. The following example demonstrates using the matchpathcon command to verify that files in /var/www/html/ directory are labeled correctly:

As the Linux root user, run the touch /var/www/html/file{1,2,3} command to create three files (file1, file2, and file3). These files inherit the httpd_sys_content_t type from the /var/www/html/ directory:

~]# touch /var/www/html/file{1,2,3}
~]# ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

As the Linux root user, run the chcon -t samba_share_t /var/www/html/file1 command to change the file1 type to samba_share_t. Note that the Apache HTTP Server cannot read files or directories labeled with the samba_share_t type.

The matchpathcon -V option compares the current SELinux context to the correct, default context in SELinux policy. Run the matchpathcon -V /var/www/html/* command to check all files in the /var/www/html/ directory:

~]$ matchpathcon -V /var/www/html/*
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified.
/var/www/html/file3 verified.

The following output from the matchpathcon command explains that file1 is labeled with the samba_share_t type, but should be labeled with the httpd_sys_content_t type:

/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0

To resolve the label problem and allow the Apache HTTP Server access to file1, as the Linux root user, run the restorecon -v /var/www/html/file1 command:

~]# restorecon -v /var/www/html/file1
restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0

^[10] The matchpathcon(8) manual page, as shipped with the libselinux-utils package in Red Hat Enterprise Linux, is written by Daniel Walsh. Any edits or changes in this version were done by Murray McAllister.

Where did the comment section go?

Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

5.9.3. Checking the Default SELinux Context

Where did the comment section go?