Could somebody explain this command:
chcon -R --reference=/var/www/html/ /var/www/html/installI have read the explanation given in the book; but, I am unable to understand it clearly. Please use simple terminology while explaining the command.
2 Answers
You are in this case:
chcon -R --reference=RFILE FILEwhere:
chcon- change file security context; you can check any security context of a file withls -Z.-R- operate on files and directories recursively.--reference=RFILE- use RFILE's security context rather than specifying a CONTEXT value.
So, the above command change recursively the security context of each file from /var/www/html/install to those from /var/www/html.
Type info coreutils 'chcon invocation' in terminal and you will have access to the complete manual.
This manual can helps you to understand everything about Security-Enhanced Linux (SELinux).
8If you are using selinux, I suggest you read the Fedora documentation.
See :
That second link is for Fedora 13, but, IMO, remains the most up to date document on selinux.
An oversimplification of selinux is to consider it an extension of file permissions ( above and beyond owner:group:other). So every file has a context. If a file is used by a http server, then there is no reason a ftp server should be accessing it. You can allow a ftp server to access the files by enabling a Boolean.
The problem you will have, chcon does not survive a relabel or restorecon.
5.7.1. Temporary Changes:
chconThe chcon command changes the SELinux context for files. However, changes made with the chcon command do not survive a file system relabel, or the execution of the /sbin/restorecon command. SELinux policy controls whether users are able to modify the SELinux context for any given file. When using chcon, users provide all or part of the SELinux context to change. An incorrect file type is a common cause of SELinux denying access.
chcon is intended for temporary changes.
See .
You almost certainly will want to use restorecon
sudo /sbin/restorecon -R -v /var/www/If that fails, post the avc denials and provide more information on what you are wanting to do. Most likely there would be a Boolean that you would need to configure.
See
1