SELinux: Permanently change file context of files and folders

This is a quick howto on changing the file context of files and folders in SELinux.

In this example I want to allow my webserver access to the www folder inside every user's home directory:

unconfined_u:object_r:user_home_dir_t:SystemLow /home/user/www

With its current context, user_home_dir_t, the www folder cannot be read or written by the webserver.

To allow access to the folder, its context must be changed to httpd_user_rw_content_t or httpd_user_content_t; the latter allows read access only:

semanage fcontext -a -t httpd_user_rw_content_t '/home/[^/]*/www(/.+)?'

The semanage command only records the rule. Next, run this command to apply the new context to the existing files:

restorecon -R /home
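
An added example, not part of the original post: SELinux anchors file-context patterns at both ends, so grep -E -x can preview which paths the rule above will label before anything is relabeled. The sample paths are constructed, the function names are hypothetical, and matchpathcon is only called if it is installed.

```bash
#!/usr/bin/env bash
# Preview the scope of an fcontext pattern.
# SELinux matches file-context regexes against the whole path (implicit ^...$);
# grep -E -x reproduces that for a pattern like the one used on this page.

PATTERN='/home/[^/]*/www(/.+)?'   # pattern from the semanage command above

# fc_matches PATTERN PATH -> exit status 0 if the rule would cover PATH
fc_matches() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# preview PATTERN PATH... -> one "label"/"skip" line per path
preview() {
    pat=$1; shift
    for p in "$@"; do
        if fc_matches "$pat" "$p"; then
            printf 'label  %s\n' "$p"
        else
            printf 'skip   %s\n' "$p"
        fi
    done
}

# Constructed sample paths: only www directly under a home directory,
# and everything below it, should receive the httpd content type.
preview "$PATTERN" \
    /home/user/www \
    /home/user/www/site/index.html \
    /home/user/wwwroot \
    /home/user/projects/www \
    /home/user/.ssh/authorized_keys

# On an SELinux host, ask the loaded policy what label the path should get.
# Skipped when the tool is not installed.
if command -v matchpathcon >/dev/null 2>&1; then
    matchpathcon /home/user/www || true
fi
```

After restorecon has run, ls -Zd /home/user/www shows the label actually on disk, which should match what matchpathcon reports.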

That’s it :)
