Product SiteDocumentation Site

5.10.4. Archiving Files with tar

tar does not retain extended attributes by default. Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files. Use tar --selinux to create archives that retain contexts. If a Tar archive contains files without extended attributes, or if you want the extended attributes to match the system defaults, run the archive through /sbin/restorecon:
$ tar -xvf archive.tar | /sbin/restorecon -f -
Note: depending on the directory, you may need to be the Linux root user to run the /sbin/restorecon command.
The following example demonstrates creating a Tar archive that retains SELinux contexts:
  1. As the Linux root user, run the touch /var/www/html/file{1,2,3} command to create three files (file1, file2, and file3). These files inherit the httpd_sys_content_t type from the /var/www/html/ directory:
    # touch /var/www/html/file{1,2,3}
    # ls -Z /var/www/html/
    -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
    -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
    -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
    
  2. Run the cd /var/www/html/ command to change into the /var/www/html/ directory. Once in this directory, as the Linux root user, run the tar --selinux -cf test.tar file{1,2,3} command to create a Tar archive named test.tar.
  3. As the Linux root user, run the mkdir /test command to create a new directory, and then, run the chmod 777 /test/ command to allow all users full-access to the /test/ directory.
  4. Run the cp /var/www/html/test.tar /test/ command to copy the test.tar file in to the /test/ directory.
  5. Run the cd /test/ command to change into the /test/ directory. Once in this directory, run the tar -xvf test.tar command to extract the Tar archive.
  6. Run the ls -lZ /test/ command to view the SELinux contexts. The httpd_sys_content_t type has been retained, rather than being changed to default_t, which would have happened had the --selinux not been used:
    $ ls -lZ /test/
    -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
    -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
    -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
    -rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.tar
    
  7. If the /test/ directory is no longer required, as the Linux root user, run the rm -ri /test/ command to remove it, as well as all files in it.
Refer to the tar(1) manual page for further information about tar, such as the --xattrs option that retains all extended attributes.