Section: SELinux User Command (8)
Updated: 10 June 2016
setfiles - set SELinux file security contexts.
This manual page describes the
This program is primarily used to initialize the security context
fields (extended attributes) on one or more filesystems (or parts of
them). Usually it is initially run as part of the SELinux installation
process (a step commonly known as labeling).
It can also be run at any other time to correct inconsistent labels, to add
support for newly-installed policy or, by using the
option, to passively
check whether the file contexts are all set as specified by the active policy
(default behavior) or by some other policy (see the
If a file object does not have a context,
will write the default
context to the file object's extended attributes. If a file object has a
will only modify the type portion of the security context.
option will force a replacement of the entire context.
check the validity of the contexts against the specified binary policy.
show what specification matched each file. Not affected by "-q".
- -e directory
directory to exclude (repeat option for more than one directory).
treat conflicting specifications as errors, such as where two hardlinks for
the same inode have different contexts.
- -f infilename
contains a list of files to be processed. Use
Force reset of context to match file_context for customizable files, and the
default file context, changing the user, role, range portion as well as the
- -h, -?
display usage information and exit.
ignore files that do not exist.
ignore digest to force checking of labels even if the stored SHA1 digest
matches the specfiles SHA1 digest. The digest will then be updated provided
there are no errors. See the
section for further details.
Set or update any directory SHA1 digests. Use this option to
enable usage of the
log changes in file labels to syslog.
do not read
to obtain a list of non-seclabel mounts to be excluded from relabeling checks.
Setting this option is useful where there is a non-seclabel fs mounted with a
seclabel fs mounted on a directory below this.
don't change any file labels (passive check).
- -o outfilename
Deprecated - This option is no longer supported.
show progress by printing the number of files in 1k blocks unless relabeling the entire
OS, that will then show the approximate percentage complete. Note that the
options are mutually exclusive.
Deprecated, was only used to stop printing inode association parameters.
- -r rootpath
use an alternate root path. Used in meta-selinux for OpenEmbedded/Yocto builds
to label files under
as if they were at
take a list of files from standard input instead of using a pathname from the
command line (equivalent to
show changes in file labels and output any inode association parameters.
Note that the
options are mutually exclusive.
display warnings about entries that had no matching files by outputting the
the separator for the input items is assumed to be the null character
(instead of the white space). The quotes and the backslash characters are
also treated as normal characters that can form valid input.
This option finally also disables the end of file string, which is treated
like any other argument. Useful when input items might contain white space,
quote marks or backslashes. The
option of GNU
produces input suitable for this mode.
The specification file which contains lines of the following form:
The regular expression is anchored at both ends. The optional
field specifies the file type as shown in the mode field by the
to match only regular files or
to match only
can be an ordinary security context or the
to specify that the file is not to have its context
The last matching specification is used. If there are multiple hard
links to a file that match different specifications and those
specifications indicate different security contexts, then a warning is
displayed but the file is still labeled based on the last matching
specification other than
- pathname ...
The pathname for the root directory of each file system to be relabeled
or a specific directory within a filesystem that should be recursively
descended and relabeled or the pathname of a file that should be
Not used if the
option is used.
operates recursively on directories. Paths leading up the final
component of the file(s) are not canonicalized before labeling.
specifies the root directory and the
option is set and the audit system is running, then an audit event is
automatically logged stating that a "mass relabel" took place using the
To improve performance when relabeling file systems recursively
will cause it to store a SHA1 digest of the
set in an extended attribute named
on each directory specified in
once the relabeling has been completed successfully. These digests will be
with the same
for further details.
option will ignore the SHA1 digest from each directory specified in
and provided the
option is NOT set, files will be relabeled as required with the digests then
being updated provided there are no errors.
This man page was written by Russell Coker <firstname.lastname@example.org
The program was written by Stephen Smalley <email@example.com