setfiles manpage


setfiles(8)							   setfiles(8)

       setfiles - set file SELinux security contexts.

       setfiles [-c policy ] [-d] [-l] [-n] [-e directory ] [-o filename ] [-L
       labelprefix ] [-q] [-s] [-v] [-W] [-F] spec_file pathname...

       This manual page describes the setfiles program.

       This program is primarily used to initialize the security context data-
       base (extended attributes) on one or more filesystems.  This program is
       initially run as part of the SE Linux installation process.

       It can also be run at any time to correct errors, to  add  support  for
       new  policy,  or	 with the -n option it can just check whether the file
       contexts are all as you expect.

       If a file object does not have  a  context,  setfiles  will  write  the
       default	context	 to  the  file object's extended attributes. If a file
       object has a context, setfiles will only modify the type portion of the
       security context.  The -F option will force a replacement of the entire

       -c     check the validity of the contexts against the specified	binary

       -d     show what specification matched each file.

       -l     log changes in file labels to syslog.

       -n     don't change any file labels.

       -p     show progress by printing * every 1000 files.

       -q     suppress non-error output.

       -r rootpath
	      use an alternate root path

       -e directory
	      directory	 to  exclude  (repeat  option for more than one direc-

       -F     Force reset of context to match  file_context  for  customizable
	      files,  and  the	default file context, changing the user, role,
	      range portion as well as the type.

       -L labelprefix
	      Tells SELinux to use only the file contexts that match this
	      prefix for labeling.  -L can be given multiple times.  Can
	      speed up labeling if you are only doing one directory.

       -o filename
	      save list of files with incorrect context in filename.

       -s     take a list of files from standard  input	 instead  of  using  a
	      pathname on the command line.

       -v     show changes in file labels.

       -W     display warnings about entries that had no matching files.

       -0     Input  items  are	 terminated  by a null character instead of by
	      whitespace,  and the quotes and backslash are not special (every
	      character is taken literally).  Disables the end of file string,
	      which  is	 treated  like	any other argument.  Useful when input
	      items  might  contain  white  space,  quote  marks,  or
	      backslashes.  The GNU find -print0 option produces input
	      suitable for this mode.

       spec_file  The specification file which contains lines of the following
       regexp [ -type ] ( context | <<none>> )
       The regular expression is anchored at both  ends.   The	optional  type
       field  specifies	 the file type as shown in the mode field by the ls(1)
       program, e.g. -- to match only regular files or -d to match only direc-
       tories.	 The context can be an ordinary security context or the string
       <<none>> to specify that the file is not to have its context changed.
       The last matching specification is used. If  there  are	multiple  hard
       links  to a file that match different specifications and those specifi-
       cations indicate different security contexts, then a  warning  is  dis-
       played  but the file is still labeled based on the last matching speci-
       fication other than <<none>>.
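
       The matching rules above (regexp anchored at both ends, optional
       type field, last matching specification used), as an added example
       that is not part of setfiles or this manual page.  Assumptions:
       Python's re module stands in for the regexp dialect setfiles uses,
       the names parse_spec and lookup are hypothetical, the sample paths
       and contexts are constructed, and type letters other than -- and -d
       are taken from the ls(1) mode field.

```python
import re
import stat

# Constructed sample spec_file; paths and contexts are illustrative only.
SAMPLE_SPEC = """\
/srv(/.*)?                  system_u:object_r:var_t
/srv/www(/.*)?              system_u:object_r:httpd_sys_content_t
/srv/www/logs        -d     system_u:object_r:httpd_log_t
/srv/www/cache(/.*)?        <<none>>
"""

# Constructed sample st_mode values for a regular file and a directory.
REG_MODE = stat.S_IFREG | 0o644
DIR_MODE = stat.S_IFDIR | 0o755

# Optional type field, using the ls(1) mode-field letters (assumed set).
TYPE_FLAGS = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK,
              "-c": stat.S_IFCHR, "-b": stat.S_IFBLK, "-p": stat.S_IFIFO,
              "-s": stat.S_IFSOCK}

def parse_spec(text):
    """Parse 'regexp [ -type ] ( context | <<none>> )' lines in file order."""
    specs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # skip blank lines
        if len(fields) == 2:
            regexp, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in TYPE_FLAGS:
            regexp, ftype, context = fields[0], TYPE_FLAGS[fields[1]], fields[2]
        else:
            raise ValueError(f"line {lineno}: malformed specification")
        specs.append((re.compile(regexp), ftype, context))
    return specs

def lookup(specs, path, mode):
    """Return the context of the last matching spec, '<<none>>', or None."""
    for pattern, ftype, context in reversed(specs):
        if ftype is not None and stat.S_IFMT(mode) != ftype:
            continue  # type field present but the file type differs
        if pattern.fullmatch(path):  # regexp is anchored at both ends
            return context
    return None  # no specification matched this path

SPECS = parse_spec(SAMPLE_SPEC)
```

       A return value of <<none>> means the file's context would be left
       unchanged; None means no specification matched the path at all.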

	      The pathname for the root directory of each file	system	to  be
	      relabeled.  Not used if the -s option is used.

       This man page was written by Russell Coker <russell@coker.com.au>.  The
       program was written by Stephen Smalley <sds@epoch.ncsc.mil>

       load_policy(8), checkpolicy(8)

				  2002031409			   setfiles(8)