Google Git
Sign in
android / platform / external / selinux / 0db1ceb25e2795a469de4d73881a572520e1947f / . / policycoreutils / setfiles / setfiles.8
blob: bf26e161a71dcc5ca6454db171cd5e60ad32979b [file] [log] [blame]
.TH "setfiles" "8" "10 June 2016" "" "SELinux User Command"
.SH "NAME"
setfiles \- set SELinux file security contexts.
.SH "SYNOPSIS"
.B setfiles
.RB [ \-c
.IR policy ]
.RB [ \-C ]
.RB [ \-d ]
.RB [ \-l ]
.RB [ \-m ]
.RB [ \-n ]
.RB [ \-e
.IR directory ]
.RB [ \-E ]
.RB [ \-p ]
.RB [ \-s ]
.RB [ \-v ]
.RB [ \-W ]
.RB [ \-F ]
.RB [ \-I | \-D ]
.RB [ \-T
.IR nthreads ]
.I spec_file
.IR pathname \ ...
.SH "DESCRIPTION"
This manual page describes the
.BR setfiles
program.
.P
This program is primarily used to initialize the security context
fields (extended attributes) on one or more filesystems (or parts of
them). Usually it is initially run as part of the SELinux installation
process (a step commonly known as labeling).
.P
It can also be run at any other time to correct inconsistent labels, to add
support for newly-installed policy or, by using the
.B \-n
option, to passively
check whether the file contexts are all set as specified by the active policy
(default behavior) or by some other policy (see the
.B \-c
option).
.P
If a file object does not have a context,
.B setfiles
will write the default
context to the file object's extended attributes. If a file object has a
context,
.B setfiles
will only modify the type portion of the security context.
The
.B \-F
option will force a replacement of the entire context.
.SH "OPTIONS"
.TP
.B \-c
check the validity of the contexts against the specified binary policy.
.TP
.B \-C
If only relabeling errors are encountered during the file tree walks,
exit with status
.B 1
rather than
.BR 255 .
.TP
.B \-d
show what specification matched each file.
.TP
.BI \-e \ directory
directory to exclude (repeat option for more than one directory).
.TP
.BI \-E
treat conflicting specifications as errors, such as where two hardlinks for
the same inode have different contexts.
.TP
.BI \-f \ infilename
.I infilename
contains a list of files to be processed. Use
.RB \*(lq \- \*(rq
for
.BR stdin .
.TP
.B \-F
Force reset of context to match file_context for customizable files, and the
default file context, changing the user, role, range portion as well as the
type.
.TP
.B \-h, \-?
display usage information and exit.
.TP
.B \-i
ignore files that do not exist.
.TP
.B \-I
ignore digest to force checking of labels even if the stored SHA1 digest
matches the specfiles SHA1 digest. The digest will then be updated provided
there are no errors. See the
.B NOTES
section for further details.
.TP
.B \-D
Set or update any directory SHA1 digests. Use this option to
enable usage of the
.IR security.sehash
extended attribute.
.TP
.B \-l
log changes in file labels to syslog.
.TP
.B \-m
do not read
.B /proc/mounts
to obtain a list of non-seclabel mounts to be excluded from relabeling checks.
Setting this option is useful where there is a non-seclabel fs mounted with a
seclabel fs mounted on a directory below this.
.TP
.B \-n
don't change any file labels (passive check).
.TP
.BI \-o \ outfilename
Deprecated - This option is no longer supported.
.TP
.B \-p
show progress by printing the number of files in 1k blocks unless relabeling the entire
OS, that will then show the approximate percentage complete. Note that the
.B \-p
and
.B \-v
options are mutually exclusive.
.TP
.B \-q
Deprecated and replaced by \fB\-v\fR. Has no effect on other options or on program behavior.
.TP
.BI \-r \ rootpath
use an alternate root path. Used in meta-selinux for OpenEmbedded/Yocto builds
to label files under
.I rootpath
as if they were at
.B /
.TP
.B \-s
take a list of files from standard input instead of using a pathname from the
command line (equivalent to
.RB \*(lq "\-f \-" \*(rq
).
.TP
.B \-v
show changes in file labels and output any inode association parameters.
Note that the
.B \-v
and
.B \-p
options are mutually exclusive.
.TP
.B \-W
display warnings about entries that had no matching files by outputting the
.BR selabel_stats (3)
results.
.TP
.B \-0
the separator for the input items is assumed to be the null character
(instead of the white space). The quotes and the backslash characters are
also treated as normal characters that can form valid input.
This option finally also disables the end of file string, which is treated
like any other argument. Useful when input items might contain white space,
quote marks or backslashes. The
.B -print0
option of GNU
.B find
produces input suitable for this mode.
.TP
.BI \-T \ nthreads
use up to
.I nthreads
threads. Specify 0 to create as many threads as there are available
CPU cores; 1 to use only a single thread (default); or any positive
number to use the given number of threads (if possible).
.SH "ARGUMENTS"
.TP
.I spec_file
The specification file which contains lines of the following form:
.sp
.RS
.I regexp
.RI [ type ]
.IR context \ |
.B <<none>>
.RS
The regular expression is anchored at both ends. The optional
.I type
field specifies the file type as shown in the mode field by the
.BR ls (1)
program, e.g.
.B \-\-
to match only regular files or
.B \-d
to match only
directories. The
.I context
can be an ordinary security context or the
string
.B <<none>>
to specify that the file is not to have its context
changed.
.br
The last matching specification is used. If there are multiple hard
links to a file that match different specifications and those
specifications indicate different security contexts, then a warning is
displayed but the file is still labeled based on the last matching
specification other than
.BR <<none>> \|.
.RE
.RE
.TP
.IR pathname \ ...
The pathname for the root directory of each file system to be relabeled
or a specific directory within a filesystem that should be recursively
descended and relabeled or the pathname of a file that should be
relabeled.
Not used if the
.B \-f
or the
.B \-s
option is used.
.SH "EXIT STATUS"
.B setfiles
exits with status
.B 0
if it encounters no errors. Fatal errors result in status
.BR 255 .
Labeling errors encountered during file tree walk(s) result in status
.B 1
if the
.B -C
option is specified and no other kind of error is encountered, and in status
.B 255
otherwise.
.SH "NOTES"
.IP "1." 4
.B setfiles
operates recursively on directories. Paths leading up the final
component of the file(s) are not canonicalized before labeling.
.IP "2." 4
If the
.I pathname
specifies the root directory and the
.B \-v
option is set and the audit system is running, then an audit event is
automatically logged stating that a "mass relabel" took place using the
message label
.BR FS_RELABEL .
.IP "3." 4
To improve performance when relabeling file systems recursively
the
.B \-D
option to
.B setfiles
will cause it to store a SHA1 digest of the
.B spec_file
set in an extended attribute named
.IR security.sehash
on each directory specified in
.IR pathname \ ...
once the relabeling has been completed successfully. These digests will be
checked should
.B setfiles
.B \-D
be rerun
with the same
.I spec_file
and
.I pathname
parameters. See
.BR selinux_restorecon (3)
for further details.
.sp
The
.B \-I
option will ignore the SHA1 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
option is NOT set, files will be relabeled as required with the digests then
being updated provided there are no errors.
.SH "AUTHOR"
This man page was written by Russell Coker <russell@coker.com.au>.
The program was written by Stephen Smalley <sds@tycho.nsa.gov>
.SH "SEE ALSO"
.BR restorecon (8),
.BR load_policy (8),
.BR checkpolicy (8)