5.9.3. Checking the Default SELinux Context
Use the matchpathcon command to check if files and directories have the correct SELinux context. From the matchpathcon(8) manual page: "matchpathcon queries the system policy and outputs the default security context associated with the file path."[10] The following example demonstrates using the matchpathcon command to verify that files in the /var/www/html/ directory are labeled correctly:
- As the Linux root user, run the touch /var/www/html/file{1,2,3} command to create three files (file1, file2, and file3). These files inherit the httpd_sys_content_t type from the /var/www/html/ directory:

  ~]# touch /var/www/html/file{1,2,3}
  ~]# ls -Z /var/www/html/
  -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
  -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
  -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

- As the Linux root user, run the chcon -t samba_share_t /var/www/html/file1 command to change the file1 type to samba_share_t. Note that the Apache HTTP Server cannot read files or directories labeled with the samba_share_t type.

- The matchpathcon -V option compares the current SELinux context to the correct, default context in SELinux policy. Run the matchpathcon -V /var/www/html/* command to check all files in the /var/www/html/ directory:

  ~]$ matchpathcon -V /var/www/html/*
  /var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
  /var/www/html/file2 verified.
  /var/www/html/file3 verified.
The following output from the matchpathcon command explains that file1 is labeled with the samba_share_t type, but should be labeled with the httpd_sys_content_t type:

/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0

To resolve the label problem and allow the Apache HTTP Server access to file1, as the Linux root user, run the restorecon -v /var/www/html/file1 command:

~]# restorecon -v /var/www/html/file1
restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
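As an added example (not part of the Red Hat documentation or the libselinux-utils tools), the following POSIX shell script parses matchpathcon -V output in the format shown above and lists each path whose current type differs from the policy default, together with both types. The input lines are constructed here from the output above so the script runs on a system without SELinux; the pipeline to restorecon in the trailing comment is an assumed usage, not something the page itself runs.

```shell
#!/bin/sh
# Constructed sample: the three result lines from `matchpathcon -V /var/www/html/*`
# as shown above (one mismatch, two verified).
MATCHPATHCON_OUTPUT='/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified.
/var/www/html/file3 verified.'

# mislabeled_paths: reads matchpathcon -V output on stdin and prints one line per
# mismatch as "<path> <current_type> <expected_type>". Lines ending in
# "verified." are ignored. The context fields are user:role:type:level, so the
# type is the third colon-separated component.
mislabeled_paths() {
    awk '
        / has context / {
            path = $1
            # $4 is the current context with a trailing comma, $NF the default one
            cur = $4; sub(/,$/, "", cur)
            want = $NF
            split(cur, c, ":"); split(want, w, ":")
            print path, c[3], w[3]
        }
    '
}

# check_sample: runs the parser over the constructed output above.
check_sample() {
    printf '%s\n' "$MATCHPATHCON_OUTPUT" | mislabeled_paths
}

# count_mismatches: number of files that would need relabeling.
count_mismatches() {
    check_sample | wc -l | tr -d ' '
}

# Assumed usage on a real system, as root, to relabel only the mismatched files:
#   matchpathcon -V /var/www/html/* | mislabeled_paths | awk '{print $1}' | xargs -r restorecon -v
check_sample
```

Running the script prints "/var/www/html/file1 samba_share_t httpd_sys_content_t", the same mismatch that restorecon corrects above.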
[10] The matchpathcon(8) manual page, as shipped with the libselinux-utils package in Red Hat Enterprise Linux, is written by Daniel Walsh. Any edits or changes in this version were done by Murray McAllister.