1semanage-fcontext(8) semanage-fcontext(8)
2
3
4
6 semanage-fcontext - SELinux Policy Management file context tool
7
8
10 semanage fcontext [-h] [-n] [-N] [-S STORE] [ --add ( -t TYPE -f FTYPE
11 -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC ) | --delete ( -t TYPE -f
12 FTYPE | -e EQUAL ) FILE_SPEC ) | --deleteall | --extract | --list [-C]
13 | --modify ( -t TYPE -f FTYPE -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC
14 ) ]
15
16
18 semanage is used to configure certain elements of SELinux policy with‐
19 out requiring modification to or recompilation from policy sources.
20 semanage fcontext is used to manage the default file system labeling
21 on an SELinux system. This command maps file paths using regular
22 expressions to SELinux labels.
23
24
26 -h, --help
27 show this help message and exit
28
29 -n, --noheading
30 Do not print heading when listing the specified object type
31
32 -N, --noreload
33 Do not reload policy after commit
34
35 -C, --locallist
36 List local customizations
37
38 -S STORE, --store STORE
39 Select an alternate SELinux Policy Store to manage
40
41 -a, --add
42 Add a record of the specified object type
43
44 -d, --delete
45 Delete a record of the specified object type
46
47 -m, --modify
48 Modify a record of the specified object type
49
50 -l, --list
51 List records of the specified object type
52
53 -E, --extract
54 Extract customizable commands, for use within a transaction
55
56 -D, --deleteall
57 Remove all local customizations
58
59 -e EQUAL, --equal EQUAL
60 Substitute target path with sourcepath when generating default
61 label. This is used with fcontext. Requires source and target
62 path arguments. The context labeling for the target subtree is
63 made equivalent to that defined for the source.
64
65 -f [{a,f,d,c,b,s,l,p}], --ftype [{a,f,d,c,b,s,l,p}]
66 File Type. This is used with fcontext. Requires a file type as
67 shown in the mode field by ls, e.g. use 'd' to match only direc‐
68 tories or 'f' to match only regular files. The following file
69 type options can be passed: f (regular file),d (directory),c
70 (character device), b (block device),s (socket),l (symbolic
71 link),p (named pipe). If you do not specify a file type, the
72 file type will default to "all files".
73
74
75 -s SEUSER, --seuser SEUSER
76 SELinux user name
77
78 -t TYPE, --type TYPE
79 SELinux Type for the object
80
81 -r RANGE, --range RANGE
82 MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for
83 SELinux login mapping defaults to the SELinux user record range.
84 SELinux Range for SELinux user defaults to s0.
85
86
88 remember to run restorecon after you set the file context
89 Add file-context for everything under /web
90 # semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
91 # restorecon -R -v /web
92
93 Substitute /home1 with /home when setting file context
94 # semanage fcontext -a -e /home /home1
95 # restorecon -R -v /home1
96
97 For home directories under top level directory, for example /disk6/home,
98 execute the following commands.
99 # semanage fcontext -a -t home_root_t "/disk6"
100 # semanage fcontext -a -e /home /disk6/home
101 # restorecon -R -v /disk6
102
103
105 selinux (8), semanage (8)
106
107
109 This man page was written by Daniel Walsh <dwalsh@redhat.com>
110
111
112
113 20130617 semanage-fcontext(8)