Red Hat Training

A Red Hat training course is available for Red Hat Linux

5.9.3. Checking the Default SELinux Context

Use the matchpathcon command to check if files and directories have the correct SELinux context. From the matchpathcon(8) manual page: "matchpathcon queries the system policy and outputs the default security context associated with the file path."[10]. The following example demonstrates using the matchpathcon command to verify that files in /var/www/html/ directory are labeled correctly:
  1. As the Linux root user, run the touch /var/www/html/file{1,2,3} command to create three files (file1, file2, and file3). These files inherit the httpd_sys_content_t type from the /var/www/html/ directory:
    ~]# touch /var/www/html/file{1,2,3}
    ~]# ls -Z /var/www/html/
    -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
    -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
    -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
    
  2. As the Linux root user, run the chcon -t samba_share_t /var/www/html/file1 command to change the file1 type to samba_share_t. Note that the Apache HTTP Server cannot read files or directories labeled with the samba_share_t type.
  3. The matchpathcon -V option compares the current SELinux context to the correct, default context in SELinux policy. Run the matchpathcon -V /var/www/html/* command to check all files in the /var/www/html/ directory:
    ~]$ matchpathcon -V /var/www/html/*
    /var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
    /var/www/html/file2 verified.
    /var/www/html/file3 verified.
    
The following output from the matchpathcon command explains that file1 is labeled with the samba_share_t type, but should be labeled with the httpd_sys_content_t type:
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
To resolve the label problem and allow the Apache HTTP Server access to file1, as the Linux root user, run the restorecon -v /var/www/html/file1 command:
~]# restorecon -v /var/www/html/file1
restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0


[10] The matchpathcon(8) manual page, as shipped with the libselinux-utils package in Red Hat Enterprise Linux, is written by Daniel Walsh. Any edits or changes in this version were done by Murray McAllister.