I have a server running CentOS 7/XFS with SELinux that had a problem (unrelated to SELinux) and had to be restored from a snapshot that was several weeks old. This server also makes a nightly rsync backup to a dedicated offsite backup Docker container.
I restored the snapshot then restored key files/databases from the nightly backup since I didn't know where the problem was. Unfortunately the restored files' contexts/labels are now completely wrong and show Docker container labels (the restored server does not run Docker). Examples:
In /root:
```
[root@mail ~]# ls -alZ
dr-xr-x---. root root system_u:object_r:container_file_t:s0:c18,c703 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
-rw-------. root root system_u:object_r:container_file_t:s0:c18,c703 anaconda-ks.cfg
drwxr-xr-x. root root system_u:object_r:container_file_t:s0:c18,c703 archive
drwxr-xr-x. root root system_u:object_r:container_file_t:s0:c18,c703 bak
```
etc . . .
and /etc files also show container labeling:
```
[root@mail audit]# ls -alZ
drwxr-x---. root root system_u:object_r:container_file_t:s0:c18,c703 .
drwxr-xr-x. root root system_u:object_r:etc_t:s0 ..
-rw-r-----. root root system_u:object_r:container_file_t:s0:c18,c703 auditd.conf
-rw-r-----. root root system_u:object_r:container_file_t:s0:c18,c703 auditd.conf.bak
-rw-r-----. root root system_u:object_r:container_file_t:s0:c18,c703 audit.rules
-rw-r-----. root root system_u:object_r:container_file_t:s0:c18,c703 audit-stop.rules
drwxr-x---. root root system_u:object_r:container_file_t:s0:c18,c703 rules.d
```
etc . . .
I have run `touch .autorelabel` and rebooted, `fixfiles restore`, `fixfiles relabel` and `restorecon`, and even reinstalled the targeted policy - all have no effect. The server runs great with Permissive but I would like to get SELinux running again. The server was working perfectly with SELinux enabled prior to the unrelated problem and subsequent restore.
How can I restore the previous (default) SELinux contexts and labels for the entire filesystem without manually crawling the directories and fixing them by hand?
So after a good night's sleep, more digging on ServerFault and man pages I figured out the answer:
`restorecon -vRF`
I was missing the F (force) option - everything works well now.
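
Why the earlier relabel attempts had no effect, shown as an added example that is not part of the original post: per the `restorecon` man page, `-F` forces a reset for files with customizable types and also resets the user, role and range portions, which otherwise stay as they are. The script below flags such entries in `ls -Z` output; the function names, the `CUSTOM_TYPES` default and the assumption that `container_file_t` is in this system's customizable types list are mine.

```shell
#!/bin/sh
# Added example (not from the original post). Reads CentOS 7 style `ls -Z`
# lines (mode owner group context name) and reports entries that a plain
# `restorecon -R` leaves alone, with the reason.

# Types restorecon treats as customizable. On a live system the list is in
# /etc/selinux/targeted/contexts/customizable_types; this default is an
# assumption covering only the type seen in the question.
CUSTOM_TYPES="${CUSTOM_TYPES:-container_file_t}"

skipped_without_force() {
    awk -v types="$CUSTOM_TYPES" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) custom[t[i]] = 1 }
        NF >= 5 && $4 ~ /^[^:]+:[^:]+:[^:]+:/ {
            split($4, ctx, ":")      # user:role:type:sensitivity[:categories]
            name = $5
            for (i = 6; i <= NF; i++) name = name " " $i
            reason = ""
            if (ctx[3] in custom) reason = "customizable type, skipped without -F"
            if (ctx[5] != "")
                reason = reason (reason ? "; " : "") "MCS categories " ctx[5] " kept without -F"
            if (reason != "") printf "%s\t%s\t%s\n", name, ctx[3], reason
        }'
}

# Constructed sample, modeled on the /root listing in the question.
sample_listing() {
    cat <<'EOF'
dr-xr-x---. root root system_u:object_r:container_file_t:s0:c18,c703 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
-rw-------. root root system_u:object_r:container_file_t:s0:c18,c703 anaconda-ks.cfg
drwxr-xr-x. root root system_u:object_r:container_file_t:s0:c18,c703 archive
EOF
}

sample_listing | skipped_without_force
# On the server itself:  ls -alZ /root | skipped_without_force
# Dry run of the fix:    restorecon -nvRF <path>   (-n reports, changes nothing)
```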