Explanation of the chcon command

You are in this case:

chcon -R --reference=RFILE FILE

where:

  • chcon - change file security context; you can check any security context of a file with ls -Z.

  • -R - operate on files and directories recursively.

  • --reference=RFILE - use RFILE's security context rather than specifying a CONTEXT value.

So, the above command change recursively the security context of each file from /var/www/html/install to those from /var/www/html.

Type info coreutils 'chcon invocation' in terminal and you will have access to the complete manual.

This manual can helps you to understand everything about Security-Enhanced Linux (SELinux).


If you are using selinux, I suggest you read the Fedora documentation.

See :

http://fedoraproject.org/wiki/SELinux_FAQ

https://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/

That second link is for Fedora 13, but, IMO, remains the most up to date document on selinux.

An oversimplification of selinux is to consider it an extension of file permissions ( above and beyond owner:group:other). So every file has a context. If a file is used by a http server, then there is no reason a ftp server should be accessing it. You can allow a ftp server to access the files by enabling a Boolean.

The problem you will have, chcon does not survive a relabel or restorecon.

5.7.1. Temporary Changes: chcon The chcon command changes the SELinux context for files. However, changes made with the chcon command do not survive a file system relabel, or the execution of the /sbin/restorecon command. SELinux policy controls whether users are able to modify the SELinux context for any given file. When using chcon, users provide all or part of the SELinux context to change. An incorrect file type is a common cause of SELinux denying access.

chcon is intended for temporary changes.

See https://docs.fedoraproject.org/en-US/Fedora/12/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html.

You almost certainly will want to use restorecon

sudo /sbin/restorecon -R -v /var/www/

If that fails, post the avc denials and provide more information on what you are wanting to do. Most likely there would be a Boolean that you would need to configure.

See https://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html