setfiles(8)                                                        setfiles(8)

NAME

       setfiles - set SELinux file security contexts.

SYNOPSIS

       setfiles  [-c  policy] [-d] [-l] [-n] [-e directory] [-o filename] [-p]
       [-q] [-s] [-v] [-W] [-F] spec_file pathname...

DESCRIPTION

       This manual page describes the setfiles program.

       This program is primarily  used  to  initialize  the  security  context
       fields  (extended  attributes)  on one or more filesystems (or parts of
       them).  Usually it is initially run as part of the SELinux installation
       process (a step commonly known as labeling).

       It can also be run at any other time to correct inconsistent labels, to
       add support for newly-installed policy or, by using the -n  option,  to
       passively  check  whether the file contexts are all set as specified by
       the active policy (default behavior) or by some other policy  (see  the
       -c option).

       If  a  file  object  does  not  have a context, setfiles will write the
       default context to the file object's extended  attributes.  If  a  file
       object has a context, setfiles will only modify the type portion of the
       security context.  The -F option will force a replacement of the entire
       context.

OPTIONS

       -c     check  the validity of the contexts against the specified binary
              policy.

       -d     show what specification matched each file (do not abort
              validation after 10 errors). Not affected by "-q".

       -e directory
              directory  to  exclude  (repeat  option for more than one
              directory).

       -f     take a list of files to be processed from an input file.

       -F     Force reset of context to match  file_context  for  customizable
              files,  and  the  default file context, changing the user, role,
              range portion as well as the type.

       -h, -? display usage information and exit.

       -i     ignore files that do not exist.

       -l     log changes in file labels to syslog.

       -n     don't change any file labels (passive check).

       -o filename
              Deprecated, SELinux policy will probably block this access.  Use
              shell  redirection  to save list of files with incorrect context
              in filename.

       -p     show progress by printing * every 1024 files.  (If  you  relabel
              the entire OS, this will show you the percentage complete.)

       -q     suppress non-error output.

       -r rootpath
              use an alternate root path.

       -s     take  a  list  of  files  from standard input instead of using a
              pathname from the command line (equivalent to -f -).

       -v     show changes in file labels.

       -W     display warnings about entries that had no matching files.

       -0     the separator for the input items is  assumed  to  be  the  null
              character  (instead  of  the  white  space).  The quotes and the
              backslash characters are also treated as normal characters  that
              can form valid input.  This option finally also disables the end
              of file string, which is treated like any other argument.
              Useful when input items might contain white space, quote marks
              or backslashes.  The -print0 option  of  GNU  find  produces
              input suitable for this mode.

ARGUMENTS

       spec_file
              The specification file which contains lines of the following
              form

                     regexp [ -type ] ( context | <<none>> )

              The regular expression is anchored at both  ends.   The  optional
              type field  specifies  the file type as shown in the mode field
              by the ls(1) program, e.g. -- to match only regular files or -d
              to match only directories.   The context can be an ordinary
              security context or the string <<none>> to specify that the file
              is not to have its context changed.

              The last matching specification is used. If  there  are  multiple
              hard links  to a file that match different specifications and
              those specifications indicate different security contexts, then
              a  warning  is  displayed  but the file is still labeled based on
              the last matching specification other than <<none>>.

       pathname...
              The pathname for the root directory of each file  system  to  be
              relabeled  or  a  specific  directory  within  a filesystem that
              should be recursively descended and relabeled or the pathname of
              a  file  that should be relabeled.  Not used if the -f or the -s
              option is used.
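
       The following Python model is an added example, not part of setfiles or
       of the original manual page.  It applies the spec_file rules as stated
       above (regexp anchored at both ends, optional type field, last match
       wins, <<none>> leaves the label alone) together with the DESCRIPTION
       rule that only the type portion changes unless -F is given.  The sample
       spec lines, paths and contexts are constructed, and Python's re module
       stands in for the regular expression library setfiles itself uses.

```python
import re

# Constructed sample spec_file; paths and contexts are illustrative only.
SAMPLE_SPEC = """\
/srv/app(/.*)?          system_u:object_r:var_t:s0
/srv/app/bin/.*    --   system_u:object_r:bin_t:s0
/srv/app/logs      -d   system_u:object_r:var_log_t:s0
/srv/app/cache(/.*)?    <<none>>
"""

def parse_spec(text):
    """Parse 'regexp [ -type ] ( context | <<none>> )' lines into tuples."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 3 and re.fullmatch(r"-[-bcdlps]", fields[1]):
            ftype = fields[1][1]            # '--' -> '-', '-d' -> 'd' (ls mode char)
        elif len(fields) == 2:
            ftype = None                    # no type field: any file type
        else:
            raise ValueError(f"bad spec line: {line!r}")
        specs.append((re.compile(fields[0]), ftype, fields[-1]))
    return specs

def lookup(specs, path, mode_char):
    """Return the context of the last matching spec, or None if nothing matches."""
    result = None
    for regex, ftype, context in specs:
        # fullmatch() anchors the regexp at both ends, as the page requires.
        if regex.fullmatch(path) and ftype in (None, mode_char):
            result = context
    return result

def planned_label(specs, path, mode_char, current=None, force=False):
    """Context the file would carry afterwards; force models the -F option."""
    wanted = lookup(specs, path, mode_char)
    if wanted in (None, "<<none>>"):
        return current                      # <<none>> (or, assumed, no match): unchanged
    if current is None or force:
        return wanted                       # unlabeled file, or -F: whole context
    cur, new = current.split(":", 3), wanted.split(":", 3)
    cur[2] = new[2]                         # otherwise only the type portion changes
    return ":".join(cur)
```

       Comparing planned_label() output with a file's current context shows
       which entries a passive check (-n) would be expected to flag, and how
       much of the context a run with or without -F would rewrite.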

AUTHOR

       This man page was written by Russell Coker <russell@coker.com.au>.  The
       program was written by Stephen Smalley <sds@epoch.ncsc.mil>.

SEE ALSO

       restorecon(8), load_policy(8), checkpolicy(8)

                                  2002031409                       setfiles(8)