10. Manage Security
Red Hat Certified System Administrator (RHCSA – EX200)
1. What Are SELinux File Contexts?
In SELinux, every file and directory has a security label (context). This context tells the system:
- Which service can access the file
- What type of access is allowed
A typical SELinux context looks like this:
system_u:object_r:httpd_sys_content_t:s0
Breakdown:
- User: system_u
- Role: object_r
- Type: httpd_sys_content_t (MOST IMPORTANT)
- Level: s0
For RHCSA, focus mainly on the type field, because it is what access decisions are made on.
2. Why Restoring Default Contexts Is Important
Sometimes file contexts become incorrect due to:
- Manual file copy (e.g., cp without preserving context)
- Moving files between directories
- Extracting archives
- Creating new directories for services
- Misconfiguration
Example (IT scenario):
You configure a web server and place files in /var/www/html, but the website does not load.
Even if:
- Permissions are correct
- Service is running
It may still fail because the SELinux context is wrong.
3. Default SELinux Contexts
SELinux stores default file contexts in a policy database.
To view default rules:
semanage fcontext -l
This shows mappings like:
/var/www/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
This means:
- Files under /var/www/html should have type httpd_sys_content_t
4. Tools to Restore Default Contexts
4.1 restorecon (MOST IMPORTANT COMMAND)
This command resets file contexts to their default values.
Basic syntax:
restorecon [options] file_or_directory
4.2 Common Options
| Option | Description |
|---|---|
| -v | Verbose (show changes) |
| -R | Recursive (include subdirectories) |
| -n | Dry run (no changes, just preview) |
5. Practical Usage (Important for Exam)
5.1 Restore a Single File
restorecon /var/www/html/index.html
5.2 Restore a Directory Recursively
restorecon -R /var/www/html
This is very common in the exam.
5.3 Verbose Mode (Recommended)
restorecon -Rv /var/www/html
Output example:
restorecon reset /var/www/html/index.html context ...
5.4 Dry Run (Check Before Applying)
restorecon -nRv /var/www/html
Shows what would change without modifying anything.
6. When to Use restorecon
Use restorecon when:
- A service cannot access files
- You copied files manually
- You created new directories for a service
- SELinux is blocking access
- After troubleshooting permission issues
7. Difference: restorecon vs chcon
chcon (Temporary Change)
chcon -t httpd_sys_content_t file
- Changes context manually
- NOT persistent
- Lost after relabel or restorecon
restorecon (Permanent Fix)
restorecon file
- Restores correct default context
- Uses SELinux policy
- Recommended method
Exam tip:
- Use restorecon to fix problems
- Avoid relying only on chcon
8. Using semanage fcontext + restorecon
If you want to define a new permanent context rule:
Step 1: Add rule
semanage fcontext -a -t httpd_sys_content_t "/webdata(/.*)?"
Step 2: Apply it
restorecon -Rv /webdata
This is a very common RHCSA scenario.
9. Verify SELinux Contexts
Use:
ls -Z
Example:
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
10. Full Workflow Example (Exam Scenario)
Problem:
Web server cannot access files in /webdata
Solution:
Step 1: Check context
ls -Z /webdata
Step 2: Add correct context rule
semanage fcontext -a -t httpd_sys_content_t "/webdata(/.*)?"
Step 3: Apply context
restorecon -Rv /webdata
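The rule-then-relabel workflow of sections 8 and 10, plus the ls -Z verification step, as an added shell example that is not part of the original notes. The helper names (fcontext_pattern, selinux_type, find_mislabelled, apply_fcontext) and the sample ls -Z lines are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original notes): helpers for the semanage fcontext +
# restorecon workflow. All sample data below is constructed for the demonstration.

# Build the fcontext regex for a directory, stripping any trailing slash so the
# pattern becomes "/webdata(/.*)?" rather than the never-matching "/webdata/(/.*)?".
fcontext_pattern() {
    printf '%s(/.*)?' "${1%/}"
}

# Extract the type field (third colon-separated field) from a context string:
# system_u:object_r:httpd_sys_content_t:s0 -> httpd_sys_content_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read ls -Z style lines on stdin and print "name context" for every entry whose
# type differs from the expected one. Returns 0 when all entries match, 1 otherwise.
find_mislabelled() {
    expected="$1"; rc=0
    while read -r line; do
        ctx=""
        for f in $line; do
            case "$f" in *_u:*_r:*_t:*) ctx="$f" ;; esac
        done
        [ -z "$ctx" ] && continue          # skip blank or "total" lines
        name="${line##* }"
        if [ "$(selinux_type "$ctx")" != "$expected" ]; then
            printf '%s %s\n' "$name" "$ctx"; rc=1
        fi
    done
    return $rc
}

# Constructed ls -Z output for /webdata: one file was copied from a home directory
# with cp and kept its user_home_t label, so httpd cannot read it.
SAMPLE_LS_Z='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 upload.html'

# Define the persistent rule and relabel; only runs where the SELinux tools exist
# (semanage fcontext -a fails if the rule already exists; use -m to modify it).
apply_fcontext() {
    dir="$1"; type="$2"
    command -v semanage >/dev/null 2>&1 || { echo "semanage not found" >&2; return 1; }
    semanage fcontext -a -t "$type" "$(fcontext_pattern "$dir")" &&
    restorecon -Rv "$dir"
}

printf '%s\n' "$SAMPLE_LS_Z" | find_mislabelled httpd_sys_content_t ||
    echo "mislabelled entries found: fix with restorecon -Rv /webdata"
```

On a real host, run `ls -Z /webdata | find_mislabelled httpd_sys_content_t` before and after `apply_fcontext /webdata httpd_sys_content_t` to confirm the relabel took effect.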
11. Important Exam Tips
Always use:
restorecon -Rv <directory>
Remember:
- restorecon = fix incorrect contexts
- semanage fcontext = define new rules
If a service fails:
- Check permissions
- Check SELinux context
- Run restorecon
Do NOT disable SELinux in the exam
12. Common Mistakes to Avoid
- Forgetting -R for directories
- Using only chcon (not permanent)
- Not verifying with ls -Z
- Not applying restorecon after semanage
13. Quick Summary
- SELinux uses file contexts for access control
- Wrong context = service failure
- restorecon restores the default context
- Use -R for directories
- Use semanage fcontext for custom paths
- Always verify with ls -Z
