setfiles(8)                  SELinux User Command                  setfiles(8)

NAME

       setfiles - set SELinux file security contexts.

SYNOPSIS

       setfiles [-c policy] [-d] [-l] [-m] [-n] [-e directory] [-E] [-p] [-s]
       [-v] [-W] [-F] [-I|-D] [-T nthreads] spec_file pathname ...

DESCRIPTION

       This manual page describes the setfiles program.

       This program is primarily used to initialize the security context
       fields (extended attributes) on one or more filesystems (or parts of
       them). Usually it is initially run as part of the SELinux installation
       process (a step commonly known as labeling).

       It can also be run at any other time to correct inconsistent labels, to
       add support for newly-installed policy or, by using the -n option, to
       passively check whether the file contexts are all set as specified by
       the active policy (default behavior) or by some other policy (see the
       -c option).

       If a file object does not have a context, setfiles will write the
       default context to the file object's extended attributes. If a file
       object has a context, setfiles will only modify the type portion of the
       security context. The -F option will force a replacement of the entire
       context.

OPTIONS

       -c     check the validity of the contexts against the specified binary
              policy.

       -d     show what specification matched each file. Not affected by "-q".

       -e directory
              directory to exclude (repeat option for more than one
              directory).

       -E     treat conflicting specifications as errors, such as where two
              hardlinks for the same inode have different contexts.

       -f infilename
              infilename contains a list of files to be processed. Use “-” for
              stdin.

       -F     Force reset of context to match file_context for customizable
              files, and the default file context, changing the user, role,
              range portion as well as the type.

       -h, -? display usage information and exit.

       -i     ignore files that do not exist.

       -I     ignore digest to force checking of labels even if the stored
              SHA256 digest matches the spec_file SHA256 digest. The digest
              will then be updated provided there are no errors. See the NOTES
              section for further details.

       -D     Set or update any directory SHA256 digests. Use this option to
              enable usage of the security.sehash extended attribute.

       -l     log changes in file labels to syslog.

       -m     do not read /proc/mounts to obtain a list of non-seclabel mounts
              to be excluded from relabeling checks. Setting this option is
              useful where there is a non-seclabel fs mounted with a seclabel
              fs mounted on a directory below this.

       -n     don't change any file labels (passive check).

       -o outfilename
              Deprecated - This option is no longer supported.

       -p     show progress by printing the number of files in 1k blocks
              unless relabeling the entire OS, in which case the approximate
              percentage complete is shown instead. Note that the -p and -v
              options are mutually exclusive.

       -q     Deprecated, was only used to stop printing inode association
              parameters.

       -r rootpath
              use an alternate root path. Used in meta-selinux for
              OpenEmbedded/Yocto builds to label files under rootpath as if
              they were at /.

       -s     take a list of files from standard input instead of using a
              pathname from the command line (equivalent to “-f -”).

       -v     show changes in file labels and output any inode association
              parameters. Note that the -v and -p options are mutually
              exclusive.

       -W     display warnings about entries that had no matching files by
              outputting the selabel_stats(3) results.

       -0     the separator for the input items is assumed to be the null
              character (instead of the white space). The quotes and the
              backslash characters are also treated as normal characters that
              can form valid input. This option finally also disables the end
              of file string, which is treated like any other argument. Useful
              when input items might contain white space, quote marks or
              backslashes. The -print0 option of GNU find produces input
              suitable for this mode.

       -T nthreads
              use up to nthreads threads. Specify 0 to create as many threads
              as there are available CPU cores; 1 to use only a single thread
              (default); or any positive number to use the given number of
              threads (if possible).


ARGUMENTS

       spec_file
              The specification file which contains lines of the following
              form:

              regexp [type] context | <<none>>
                     The regular expression is anchored at both ends. The
                     optional type field specifies the file type as shown in
                     the mode field by the ls(1) program, e.g. -- to match only
                     regular files or -d to match only directories. The
                     context can be an ordinary security context or the string
                     <<none>> to specify that the file is not to have its
                     context changed.
                     The last matching specification is used. If there are
                     multiple hard links to a file that match different
                     specifications and those specifications indicate different
                     security contexts, then a warning is displayed but the
                     file is still labeled based on the last matching
                     specification other than <<none>>.

       pathname ...
              The pathname for the root directory of each file system to be
              relabeled or a specific directory within a filesystem that
              should be recursively descended and relabeled or the pathname of
              a file that should be relabeled. Not used if the -f or the -s
              option is used.


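       The spec_file matching rules above (regexp anchored at both ends,
       optional type field, last matching specification wins, <<none>> leaves
       the label alone) together with the DESCRIPTION's relabeling rule
       (whole context written for an unlabeled file, only the type portion
       replaced otherwise, everything replaced with -F), modelled in Python as
       an added example that is not part of this man page or of the SELinux
       project. The spec lines, paths and contexts are constructed; type codes
       other than -- and -d are assumed from the file_contexts format.

```python
import re

# Constructed spec_file in the "regexp [type] context | <<none>>" form;
# the paths and contexts are illustrative, not taken from the man page.
SPEC_FILE = """\
/.*                           system_u:object_r:default_t:s0
/var/www(/.*)?                system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?   --   system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin(/.*)?   -d   system_u:object_r:httpd_sys_content_t:s0
/var/www/private(/.*)?        <<none>>
"""

# Optional type field -> mode letter shown by ls(1). The page names only
# "--" and "-d"; the remaining codes are assumed from the file_contexts format.
TYPE_CODES = {"--": "-", "-d": "d", "-l": "l", "-b": "b",
              "-c": "c", "-s": "s", "-p": "p"}


def parse_spec(text):
    """Return a list of (compiled regexp, mode letter or None, context)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regexp, mode, ctx = fields[0], TYPE_CODES[fields[1]], fields[2]
        elif len(fields) == 2:
            regexp, mode, ctx = fields[0], None, fields[1]
        else:
            raise ValueError(f"malformed spec line: {line!r}")
        specs.append((re.compile(regexp), mode, ctx))
    return specs


def lookup(specs, path, mode):
    """Last matching specification wins; fullmatch() anchors both ends.
    Returns the context, the string "<<none>>", or None if nothing matched."""
    chosen = None
    for regex, spec_mode, ctx in specs:
        if regex.fullmatch(path) and spec_mode in (None, mode):
            chosen = ctx
    return chosen


def new_context(specs, path, mode, current, force=False):
    """Label setfiles would write for a file whose current label is
    `current` (None when the file has no context at all)."""
    want = lookup(specs, path, mode)
    if want in (None, "<<none>>"):
        return current              # no spec, or <<none>>: leave it alone
    if current is None or force:
        return want                 # unlabeled file, or -F: full context
    user, role, _old_type, *mls_range = current.split(":")
    return ":".join([user, role, want.split(":")[2], *mls_range])
```

       Pairing new_context() with the current label and reporting only the
       entries where it differs is what the -n passive check amounts to.
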
NOTES

       1.  setfiles operates recursively on directories. Paths leading up to
           the final component of the file(s) are not canonicalized before
           labeling.

       2.  If the pathname specifies the root directory and the -v option is
           set and the audit system is running, then an audit event is
           automatically logged stating that a "mass relabel" took place using
           the message label FS_RELABEL.

       3.  To improve performance when relabeling file systems recursively the
           -D option to setfiles will cause it to store a SHA256 digest of the
           spec_file set in an extended attribute named security.sehash on
           each directory specified in pathname ... once the relabeling has
           been completed successfully. These digests will be checked should
           setfiles -D be rerun with the same spec_file and pathname
           parameters. See selinux_restorecon(3) for further details.

           The -I option will ignore the SHA256 digest from each directory
           specified in pathname ... and provided the -n option is NOT set,
           files will be relabeled as required with the digests then being
           updated provided there are no errors.


AUTHOR

       This man page was written by Russell Coker <russell@coker.com.au>. The
       program was written by Stephen Smalley <sds@tycho.nsa.gov>.


SEE ALSO

       restorecon(8), load_policy(8), checkpolicy(8)



                                 10 June 2016                      setfiles(8)