setfiles(8)                  SELinux User Command                  setfiles(8)

NAME
       setfiles - set SELinux file security contexts.

SYNOPSIS
       setfiles [-c policy] [-d] [-l] [-m] [-n] [-e directory] [-p] [-s] [-v]
       [-W] [-F] [-I|-D] spec_file pathname ...

DESCRIPTION
       This manual page describes the setfiles program.

       This program is primarily used to initialize the security context
       fields (extended attributes) on one or more filesystems (or parts of
       them). Usually it is initially run as part of the SELinux installation
       process (a step commonly known as labeling).

       It can also be run at any other time to correct inconsistent labels, to
       add support for newly-installed policy or, by using the -n option, to
       passively check whether the file contexts are all set as specified by
       the active policy (default behavior) or by some other policy (see the
       -c option).

       If a file object does not have a context, setfiles will write the
       default context to the file object's extended attributes. If a file
       object has a context, setfiles will only modify the type portion of the
       security context. The -F option will force a replacement of the entire
       context.

OPTIONS
       -c     check the validity of the contexts against the specified binary
              policy.

       -d     show what specification matched each file (do not abort
              validation after 10 errors). Not affected by "-q".

       -e directory
              directory to exclude (repeat option for more than one
              directory).

       -f infilename
              infilename contains a list of files to be processed. Use “-” for
              stdin.

       -F     Force reset of context to match file_context for customizable
              files, and the default file context, changing the user, role,
              range portion as well as the type.

       -h, -? display usage information and exit.

       -i     ignore files that do not exist.

       -I     ignore digest to force checking of labels even if the stored
              SHA1 digest matches the SHA1 digest of the spec_file set. The
              digest will then be updated provided there are no errors. See
              the NOTES section for further details.

       -D     Set or update any directory SHA1 digests. Use this option to
              enable usage of the security.restorecon_last extended attribute.

       -l     log changes in file labels to syslog.

       -m     do not read /proc/mounts to obtain a list of non-seclabel mounts
              to be excluded from relabeling checks. Setting this option is
              useful where there is a non-seclabel fs mounted with a seclabel
              fs mounted on a directory below this.

       -n     don't change any file labels (passive check).

       -o outfilename
              Deprecated - This option is no longer supported.

       -p     show progress by printing the number of files in 1k blocks
              unless relabeling the entire OS, in which case the approximate
              percentage complete is shown instead. Note that the -p and -v
              options are mutually exclusive.

       -q     Deprecated, was only used to stop printing inode association
              parameters.

       -r rootpath
              use an alternate root path. Used in meta-selinux for
              OpenEmbedded/Yocto builds to label files under rootpath as if
              they were at /.

       -s     take a list of files from standard input instead of using a
              pathname from the command line (equivalent to “-f -”).

       -v     show changes in file labels and output any inode association
              parameters. Note that the -v and -p options are mutually
              exclusive.

       -W     display warnings about entries that had no matching files by
              outputting the selabel_stats(3) results.

       -0     the separator for the input items is assumed to be the null
              character (instead of white space). The quotes and the
              backslash characters are also treated as normal characters that
              can form valid input. This option finally also disables the end
              of file string, which is treated like any other argument.
              Useful when input items might contain white space, quote marks
              or backslashes. The -print0 option of GNU find produces input
              suitable for this mode.

ARGUMENTS
       spec_file
              The specification file which contains lines of the following
              form:

              regexp [type] context | <<none>>
                     The regular expression is anchored at both ends. The
                     optional type field specifies the file type as shown in
                     the mode field by the ls(1) program, e.g. -- to match
                     only regular files or -d to match only directories. The
                     context can be an ordinary security context or the string
                     <<none>> to specify that the file is not to have its
                     context changed.
                     The last matching specification is used. If there are
                     multiple hard links to a file that match different
                     specifications and those specifications indicate
                     different security contexts, then a warning is displayed
                     but the file is still labeled based on the last matching
                     specification other than <<none>>.

       pathname ...
              The pathname for the root directory of each file system to be
              relabeled or a specific directory within a filesystem that
              should be recursively descended and relabeled or the pathname of
              a file that should be relabeled. Not used if the -f or the -s
              option is used.

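       The following is an added example, not code from this man page or from
       the setfiles program. It implements the spec_file rules above (regexp
       anchored at both ends, optional ls(1) type field, last match wins,
       <<none>> leaves a file alone) together with the DESCRIPTION rule that
       an existing context only has its type portion replaced unless -F is
       given, and runs them as a passive check in the spirit of setfiles -n -v.
       The spec_file, the file listing and the TYPE_FIELDS table are
       constructed for the example; the real type-field set is defined by
       setfiles and libselinux.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Optional spec_file type field -> type letter from the ls(1) mode field.
# Constructed for this example from the man page's "--" and "-d" cases plus
# the remaining ls(1) letters; the authoritative set is setfiles' own.
TYPE_FIELDS = {"--": "-", "-d": "d", "-l": "l", "-c": "c",
               "-b": "b", "-s": "s", "-p": "p"}


@dataclass
class Spec:
    regex: re.Pattern        # applied with fullmatch, i.e. anchored at both ends
    ftype: Optional[str]     # ls(1) type letter, or None when no type field is given
    context: Optional[str]   # None stands for <<none>>


def parse_spec_file(text: str) -> list[Spec]:
    """Parse lines of the form:  regexp [type] context | <<none>>"""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regexp, ftype, context = fields
            mode = TYPE_FIELDS[ftype]           # KeyError on an unknown type field
        elif len(fields) == 2:
            regexp, context = fields
            mode = None
        else:
            raise ValueError(f"malformed spec line: {line!r}")
        specs.append(Spec(re.compile(regexp), mode,
                          None if context == "<<none>>" else context))
    return specs


def lookup(specs: list[Spec], path: str, mode: str) -> Optional[Spec]:
    """The last matching specification wins, so scan from the end of the file."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != mode:
            continue
        if spec.regex.fullmatch(path):
            return spec
    return None


def new_context(current: Optional[str], wanted: str, force: bool) -> str:
    """A file with no context gets the whole default context; an existing
    context only has its type portion replaced unless -F forces a full reset."""
    if current is None or force:
        return wanted
    user, role, _type, *rest = current.split(":", 3)   # an MLS range may contain ':'
    wanted_type = wanted.split(":", 3)[2]
    return ":".join([user, role, wanted_type, *rest])


def check(specs: list[Spec], files, force: bool = False):
    """Passive check: return (path, old, new) for every file whose label would
    change; files matching no spec, or matching <<none>>, are left alone."""
    changes = []
    for path, mode, current in files:
        spec = lookup(specs, path, mode)
        if spec is None or spec.context is None:
            continue
        target = new_context(current, spec.context, force)
        if target != current:
            changes.append((path, current, target))
    return changes


# Constructed spec_file and file listing: (path, ls(1) type letter, current context).
SPEC_FILE = """\
/usr(/.*)?                   system_u:object_r:usr_t:s0
/usr/bin(/.*)?               system_u:object_r:bin_t:s0
/usr/bin/sudo             -- system_u:object_r:sudo_exec_t:s0
/usr/lib/debug(/.*)?         <<none>>
/var/log(/.*)?               system_u:object_r:var_log_t:s0
/var/log/audit(/.*)?      -d system_u:object_r:auditd_log_t:s0
"""

FILES = [
    ("/usr/bin/ls", "-", "system_u:object_r:usr_t:s0"),                  # wrong type
    ("/usr/bin/sudo", "-", "unconfined_u:object_r:bin_t:s0"),            # user kept without -F
    ("/usr/lib/debug/ls.debug", "-", "system_u:object_r:lib_t:s0"),      # <<none>>: untouched
    ("/usr/share/doc/README", "-", None),                                # unlabeled: default written
    ("/var/log/audit", "d", "system_u:object_r:var_log_t:s0"),           # -d spec applies to the directory
    ("/var/log/audit/audit.log", "-", "system_u:object_r:var_log_t:s0"), # -d spec skipped for a file
    ("/etc/passwd", "-", "system_u:object_r:passwd_file_t:s0"),          # no spec matches: skipped
]

if __name__ == "__main__":
    for path, old, new in check(parse_spec_file(SPEC_FILE), FILES):
        print(f"{path}: {old} -> {new}")
```

       Note how /var/log/audit/audit.log keeps var_log_t: the -d specification
       only applies to directories, so the earlier /var/log(/.*)? line is the
       last match for a regular file beneath it.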
NOTES
       1.  setfiles follows symbolic links and operates recursively on
           directories.

       2.  If the pathname specifies the root directory and the -v option is
           set and the audit system is running, then an audit event is
           automatically logged stating that a "mass relabel" took place using
           the message label FS_RELABEL.

       3.  To improve performance when relabeling file systems recursively the
           -D option to setfiles will cause it to store a SHA1 digest of the
           spec_file set in an extended attribute named
           security.restorecon_last on the directory specified in each
           pathname ... once the relabeling has been completed successfully.
           This digest will be checked should setfiles -D be rerun with the
           same spec_file and pathname parameters. See selinux_restorecon(3)
           for further details.

           The -I option will ignore the SHA1 digest from each directory
           specified in pathname ... and, provided the -n option is NOT set,
           files will be relabeled as required with the digest then being
           updated provided there are no errors.

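       The following is an added example, not code from this man page or from
       the setfiles program. It models the digest logic of note 3 and of the
       -D, -I and -n options: when a run is skipped because the stored
       security.restorecon_last digest matches, when it is forced, and when
       the digest is (not) rewritten. The digest computation (one SHA1 over
       the spec files in order) and the dict standing in for the directory's
       extended attributes are assumptions of the example; the real
       computation is selinux_restorecon(3)'s.

```python
import hashlib
from typing import Optional

XATTR = "security.restorecon_last"


def spec_digest(spec_texts: list[bytes]) -> str:
    """SHA1 over the spec_file set.  Assumption of this example: the files are
    fed into one SHA1 in order; selinux_restorecon(3) defines the real digest."""
    h = hashlib.sha1()
    for text in spec_texts:
        h.update(text)
    return h.hexdigest()


def run_setfiles(xattrs: dict, pathname: str, spec_texts: list[bytes],
                 digest_mode: Optional[str] = None, passive: bool = False,
                 errors: bool = False) -> str:
    """Model one setfiles invocation over `pathname`.

    xattrs      : dict standing in for the directories' extended attributes
                  (constructed; a real tool would use os.getxattr/os.setxattr).
    digest_mode : None, "D" for -D or "I" for -I (the synopsis makes them exclusive).
    passive     : -n, check only.
    errors      : whether the relabel hit errors, in which case no digest is stored.
    Returns "skipped", "checked" or "relabeled".
    """
    digest = spec_digest(spec_texts)
    key = (pathname, XATTR)
    # -D: a stored digest equal to the current spec_file set means nothing to do.
    if digest_mode == "D" and xattrs.get(key) == digest:
        return "skipped"
    # -I ignores any stored digest and always walks the tree.
    if passive:
        return "checked"        # -n changes neither labels nor the digest
    # ... the recursive relabel of pathname would happen here ...
    if digest_mode in ("D", "I") and not errors:
        xattrs[key] = digest    # stored only after a successful relabel
    return "relabeled"


def demo() -> list[str]:
    """Run the sequence an administrator typically sees and return each outcome."""
    xattrs = {}
    specs_v1 = [b"/usr(/.*)?  system_u:object_r:usr_t:s0\n"]                  # constructed
    specs_v2 = specs_v1 + [b"/usr/bin(/.*)?  system_u:object_r:bin_t:s0\n"]   # policy update
    return [
        run_setfiles(xattrs, "/usr", specs_v1, digest_mode="D"),   # first run: relabeled, digest stored
        run_setfiles(xattrs, "/usr", specs_v1, digest_mode="D"),   # same spec set: skipped
        run_setfiles(xattrs, "/usr", specs_v1, digest_mode="I"),   # -I: relabeled regardless
        run_setfiles(xattrs, "/usr", specs_v2, digest_mode="D"),   # new policy: digest differs, relabeled
        run_setfiles(xattrs, "/usr", specs_v2, digest_mode="D"),   # skipped again
        run_setfiles(xattrs, "/usr", specs_v1, digest_mode="I", passive=True),  # -n: checked, digest kept
        run_setfiles(xattrs, "/usr", specs_v1, digest_mode="D"),   # stored digest is v2: relabeled
    ]


if __name__ == "__main__":
    for step, outcome in enumerate(demo(), 1):
        print(f"run {step}: {outcome}")
```

       The skip decision compares only the digest of the spec_file set, so a
       relabel that is needed because policy changed elsewhere (a new
       file_contexts line) is picked up, while a label someone altered by hand
       under an unchanged spec is not; that is the case for -I.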
AUTHOR
       This man page was written by Russell Coker <russell@coker.com.au>. The
       program was written by Stephen Smalley <sds@tycho.nsa.gov>.

SEE ALSO
       restorecon(8), load_policy(8), checkpolicy(8)



                                 10 June 2016                      setfiles(8)