Using setfiles, rlpkg, and fixfiles
# setfiles /etc/selinux/targeted/contexts/files/file_contexts /srv/web
Another set of tools consists of the rlpkg (Gentoo) and fixfiles (CentOS and related distributions) applications. Both applications have a nice feature: they can reset the contexts of the files belonging to an application, rather than requiring you to iterate over those files manually and run restorecon against each of them.
In the next example, we’re using these tools to restore the contexts of the files provided by the
# rlpkg nginx
# fixfiles -R nginx restore
# rlpkg -a -r
# fixfiles -f -F relabel
Relabeling the entire filesystem
fixfiles commands as listed in the previous section are not the only available approaches for relabeling the entire filesystem when working with a CentOS (or related) distribution. SELinux offers two other methods to ask the system to perform a full filesystem relabeling operation during (re)boot: placing a touch file (which the system reads at boot time) or configuring a boot parameter.
The touch file is called .autorelabel and should be placed in the root filesystem. Once set, the system needs to be rebooted:
# touch /.autorelabel
# reboot
We trigger the same behavior if we add the autorelabel=1 parameter to the boot parameter list (the same place where we can set the enforcing= parameter, as discussed earlier).
Asking the system to perform a full filesystem relabeling operation will take a while. When finished, the system will reboot again. Touch files will be removed automatically after the relabeling operation has finished.
Automatically setting context with restorecond
Contexts can also be applied by the restorecond daemon. The purpose of this daemon is to enforce the expression list rules onto a configurable set of locations, defined in the
The following set of files and directories is an example list of locations configured in the restorecond.conf file, so that restorecond automatically applies the SELinux contexts on these files and directories whenever it detects a context change in them:
/etc/services
/etc/resolv.conf
/etc/samba/secrets.tdb
...
/root/.ssh/*
In this case, if a process creates a file that matches any of the previously listed paths, the Linux inotify subsystem will notify restorecond of it. restorecond will then relabel the file according to the expression list, applying the correct label regardless of the process (and context) that created the file.
The use of restorecond is primarily for historical reasons, dating from when SELinux didn't support named file transitions. At that time, writing to /etc could not be differentiated from writing to the passwd file in /etc. The introduction of named file transitions has considerably reduced the need for
Setting SELinux context at boot with tmpfiles
If the Linux distribution uses systemd, then you can use systemd-tmpfiles to automatically set the SELinux context at boot.
systemd uses the tmpfiles application to automatically create and manage volatile locations on the system, such as locations inside /run, which is a tmpfs-mounted filesystem (an in-memory filesystem).
Administrators can configure tmpfiles to automatically create files, directories, device files, symbolic links, and others at boot, and to reset the permissions on resources. It is through this reset operation that we can use tmpfiles to set the right SELinux context at boot time.
The example we gave used a directory called /tmp/tmp-inst, which had to have the 000 permission set, and which will host the user-oriented /tmp views. Rather than having to create the directory and set this permission each time, we can configure tmpfiles to do this for us, and define the right SELinux context up front:
# semanage fcontext -a -t tmp_t -f d "/tmp/tmp-inst"
In /etc/tmpfiles.d, we create a file called selinux-polyinstantiation.conf with the following content:
d /tmp/tmp-inst 000 root root
The name of the file can be chosen freely, but make sure it uses the .conf suffix. Every time the system boots, systemd-tmpfiles will ensure that the /tmp/tmp-inst directory is created with the appropriate permissions.
If a location does not need to be created, but only its SELinux context reset, then you can use the z (one resource) or Z (recursively) options in the tmpfiles configuration. This is used, for instance, by the default SELinux
z /sys/devices/system/cpu/online - - -
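The following is an added example (not from the book or from systemd) that reads a tmpfiles.d-style drop-in and prints the administrative commands the d, z, and Z entry types discussed above amount to, so a new configuration can be reviewed before it runs at boot. The sample drop-in is constructed for the example and combines the /tmp/tmp-inst entry with z and Z lines; the /srv/web path is only an assumed placeholder.

```shell
#!/bin/sh
# Added example: translate tmpfiles.d entries (types d, z, Z) into the commands
# they correspond to. Nothing is executed and SELinux need not be enabled.

tmpfiles_plan() {
    # $1: tmpfiles.d-style file; columns are Type Path Mode User Group Age Argument
    while read -r type path mode user group _age _arg; do
        case "$type" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        [ -n "$path" ] || { echo "error: missing path for '$type' entry" >&2; return 1; }
        : "${mode:=-}" "${user:=-}" "${group:=-}"     # absent trailing columns mean '-'
        case "$type" in
            d)
                # create if absent; for d a '-' mode selects the 0755 default
                echo "mkdir -p -- '$path'"
                if [ "$mode" = "-" ]; then mode=0755; fi
                echo "chmod $mode -- '$path'"
                ;;
            z|Z)
                # for z/Z a '-' mode means "leave the mode unchanged"
                if [ "$mode" != "-" ]; then echo "chmod $mode -- '$path'"; fi
                ;;
            *)
                echo "error: entry type '$type' is not handled by this example" >&2
                return 1
                ;;
        esac
        if [ "$user" != "-" ]; then echo "chown $user -- '$path'"; fi
        if [ "$group" != "-" ]; then echo "chgrp $group -- '$path'"; fi
        # the context itself comes from the file_contexts (semanage fcontext) rules
        if [ "$type" = "Z" ]; then
            echo "restorecon -R -- '$path'"
        else
            echo "restorecon -- '$path'"
        fi
    done < "$1"
}

# Constructed sample drop-in combining the entry kinds discussed above.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# parent directory for the polyinstantiated /tmp views
d /tmp/tmp-inst 000 root root
# only reset the SELinux context, never touch mode or ownership
z /sys/devices/system/cpu/online - - -
Z /srv/web - - -
EOF
tmpfiles_plan "$SAMPLE_CONF"
```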