semanage-fcontext(8)                                      semanage-fcontext(8)

NAME

       semanage-fcontext - SELinux Policy Management file context tool

SYNOPSIS

       semanage fcontext [-h] [-n] [-N] [-S STORE] [ --add ( -t TYPE -f FTYPE
       -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC ) | --delete ( -t TYPE -f
       FTYPE | -e EQUAL ) FILE_SPEC ) | --deleteall | --extract | --list [-C]
       | --modify ( -t TYPE -f FTYPE -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC
       ) ]

DESCRIPTION

       semanage is used to configure certain elements of SELinux policy
       without requiring modification to or recompilation from policy
       sources. semanage fcontext is used to manage the default file system
       labeling on an SELinux system. This command maps file paths using
       regular expressions to SELinux labels.

       FILE_SPEC may contain either a fully qualified path, or a Perl
       compatible regular expression (PCRE), describing fully qualified
       path(s). The only PCRE flag in use is PCRE2_DOTALL, which causes a
       wildcard '.' to match anything, including a new line. Strings
       representing paths are processed as bytes (as opposed to Unicode),
       meaning that non-ASCII characters are not matched by a single
       wildcard.

       Note that file context definitions specified using 'semanage
       fcontext' (i.e. local file context modifications stored in
       file_contexts.local) have higher priority than those specified in
       policy modules. This means that whenever a match for a given file
       path is found in file_contexts.local, no other file context
       definitions are considered. Entries in file_contexts.local are
       processed from the most recent one to the oldest, with the first
       match being used (as opposed to the most specific match, which is
       used when matching other file context definitions). All regular
       expressions should therefore be as specific as possible, to avoid
       unintentionally impacting other parts of the filesystem.
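
       An added example (not part of the original man page or of the
       SELinux tools): a Python model of the local lookup order described
       above, showing that the same two records label /web/uploads
       differently depending on which was added last. The /web/uploads
       record, the function names, whole-path matching and ignoring FTYPE
       are assumptions of this model.

```python
import re

def compile_spec(file_spec):
    # Paths are matched as bytes with only DOTALL set, as described above.
    # Assumption of this model: the expression must match the whole path.
    return re.compile(file_spec.encode("utf-8"), re.DOTALL)

def lookup_local(entries, path):
    """Return the (file_spec, selinux_type) applied to path, or None.

    entries lists local records in the order they were added; the scan runs
    from the newest record to the oldest and stops at the first match.
    """
    raw = path.encode("utf-8")
    for file_spec, selinux_type in reversed(entries):
        if compile_spec(file_spec).fullmatch(raw):
            return file_spec, selinux_type
    return None

def shadowed(entries, paths):
    """Return (path, overridden_spec, winning_spec) for every record that
    matches a path but loses to a newer record carrying a different type."""
    findings = []
    for path in paths:
        winner = lookup_local(entries, path)
        if winner is None:
            continue
        raw = path.encode("utf-8")
        for file_spec, selinux_type in entries:
            if (file_spec != winner[0] and selinux_type != winner[1]
                    and compile_spec(file_spec).fullmatch(raw)):
                findings.append((path, file_spec, winner[0]))
    return findings

# Constructed records. The first is the /web example from this page; the
# second is an illustrative, more specific record for an upload directory.
SPECIFIC_LAST = [
    ("/web(/.*)?", "httpd_sys_content_t"),
    ("/web/uploads(/.*)?", "httpd_sys_rw_content_t"),
]
BROAD_LAST = list(reversed(SPECIFIC_LAST))  # same records, opposite order

if __name__ == "__main__":
    for name, records in (("specific last", SPECIFIC_LAST), ("broad last", BROAD_LAST)):
        print(name, lookup_local(records, "/web/uploads/a.png"))
    print(shadowed(BROAD_LAST, ["/web/uploads/a.png", "/web/index.html"]))
    # A non-ASCII character is several bytes, so one '.' does not cover it.
    print(lookup_local([("/web/.", "httpd_sys_content_t")], "/web/\u00e9"))
```

       Running shadowed() over a list of representative paths before
       adding a broad record shows which existing local records it would
       override.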

OPTIONS

       -h, --help
              Show this help message and exit

       -n, --noheading
              Do not print heading when listing the specified object type

       -N, --noreload
              Do not reload policy after commit

       -C, --locallist
              List local customizations

       -S STORE, --store STORE
              Select an alternate SELinux Policy Store to manage

       -a, --add
              Add a record of the specified object type

       -d, --delete
              Delete a record of the specified object type

       -m, --modify
              Modify a record of the specified object type

       -l, --list
              List records of the specified object type

       -E, --extract
              Extract customizable commands, for use within a transaction

       -D, --deleteall
              Remove all local customizations

       -e EQUAL, --equal EQUAL
              Substitute target path with sourcepath when generating default
              label. This is used with fcontext. Requires source and target
              path arguments. The context labeling for the target subtree is
              made equivalent to that defined for the source.

       -f [{a,f,d,c,b,s,l,p}], --ftype [{a,f,d,c,b,s,l,p}]
              File Type. This is used with fcontext. Requires a file type as
              shown in the mode field by ls, e.g. use 'd' to match only
              directories or 'f' to match only regular files. The following
              file type options can be passed: f (regular file), d
              (directory), c (character device), b (block device), s
              (socket), l (symbolic link), p (named pipe). If you do not
              specify a file type, the file type will default to "all files".

       -s SEUSER, --seuser SEUSER
              SELinux user name

       -t TYPE, --type TYPE
              SELinux Type for the object

       -r RANGE, --range RANGE
              MLS/MCS Security Range (MLS/MCS Systems only). SELinux Range
              for SELinux login mapping defaults to the SELinux user record
              range. SELinux Range for SELinux user defaults to s0.

EXAMPLE

       Remember to run restorecon after you set the file context.

       Add file-context for everything under /web
       # semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
       # restorecon -R -v /web

       Substitute /home1 with /home when setting file context
       # semanage fcontext -a -e /home /home1
       # restorecon -R -v /home1

       For home directories under top level directory, for example /disk6/home,
       execute the following commands.
       # semanage fcontext -a -t home_root_t "/disk6"
       # semanage fcontext -a -e /home /disk6/home
       # restorecon -R -v /disk6

SEE ALSO

       selinux(8), semanage(8)

AUTHOR

       This man page was written by Daniel Walsh <dwalsh@redhat.com>

                                   20130617               semanage-fcontext(8)