This manual page describes the setfiles program.
This program is primarily used to initialize the security context
fields (extended attributes) on one or more filesystems (or parts of
them). Usually it is initially run as part of the SELinux
installation process (a step commonly known as labeling).
It can also be run at any other time to correct inconsistent labels,
to add support for newly-installed policy or, by using the -n option,
to passively check whether the file contexts are all set as specified
by the active policy (default behavior) or by some other policy (see
the -c option).
If a file object does not have a context, setfiles will write the
default context to the file object's extended attributes. If a file
object has a context, setfiles will only modify the type portion of
the security context. The -F option will force a replacement of the
-c check the validity of the contexts against the specified
-d show what specification matched each file (do not abort
validation after ABORT_ON_ERRORS errors).
directory to exclude (repeat option for more than one
-f infilenameinfilename contains a list of files to be processed. Use “-”
-F Force reset of context to match file_context for customizable
files, and the default file context, changing the user, role,
range portion as well as the type.
-h, -? display usage information and exit.
-i ignore files that do not exist.
-I ignore digest to force checking of labels even if the stored
SHA1 digest matches the specfiles SHA1 digest. The digest will
then be updated provided there are no errors. See the NOTES
section for further details.
-D Set or update any directory SHA1 digests. Use this option to
enable usage of the security.restorecon_last extended
-l log changes in file labels to syslog.
-m do not read /proc/mounts to obtain a list of non-seclabel
mounts to be excluded from relabeling checks. Setting this
option is useful where there is a non-seclabel fs mounted with
a seclabel fs mounted on a directory below this.
-n don't change any file labels (passive check).
Deprecated - This option is no longer supported.
-p show progress by printing the number of files in 1k blocks
unless relabeling the entire OS, that will then show the
approximate percentage complete. Note that the -p and -v
options are mutually exclusive.
-q Deprecated, was only used to stop printing inode association
use an alternate root path. Used in meta-selinux for
OpenEmbedded/Yocto builds to label files under rootpath as if
they were at /-s take a list of files from standard input instead of using a
pathname from the command line (equivalent to “-f -” ).
-v show changes in file labels and output any inode association
parameters. Note that the -v and -p options are mutually
-W display warnings about entries that had no matching files by
outputting the selabel_stats(3) results.
-0 the separator for the input items is assumed to be the null
character (instead of the white space). The quotes and the
backslash characters are also treated as normal characters
that can form valid input. This option finally also disables
the end of file string, which is treated like any other
argument. Useful when input items might contain white space,
quote marks or backslashes. The -print0 option of GNU find
produces input suitable for this mode.
The specification file which contains lines of the following
regexp [type] context | <<none>>
The regular expression is anchored at both ends. The
optional type field specifies the file type as shown in
the mode field by the ls(1) program, e.g. -- to match
only regular files or -d to match only directories.
The context can be an ordinary security context or the
string <<none>> to specify that the file is not to have
its context changed.
The last matching specification is used. If there are
multiple hard links to a file that match different
specifications and those specifications indicate
different security contexts, then a warning is
displayed but the file is still labeled based on the
last matching specification other than <<none>>.
The pathname for the root directory of each file system to be
relabeled or a specific directory within a filesystem that
should be recursively descended and relabeled or the pathname
of a file that should be relabeled. Not used if the -f or the
-s option is used.
1. setfiles follows symbolic links and operates recursively on
2. If the pathname specifies the root directory and the -v option is
set and the audit system is running, then an audit event is
automatically logged stating that a "mass relabel" took place
using the message label FS_RELABEL.
3. To improve performance when relabeling file systems recursively
the -D option to setfiles will cause it to store a SHA1 digest of
the spec_file set in an extended attribute named
security.restorecon_last on the directory specified in each
pathname ... once the relabeling has been completed
successfully. This digest will be checked should setfiles -D be
rerun with the same spec_file and pathname parameters. See
selinux_restorecon(3) for further details.
The -I option will ignore the SHA1 digest from each directory
specified in pathname ... and provided the -n option is NOT set,
files will be relabeled as required with the digest then being
updated provided there are no errors.
This page is part of the selinux (Security-Enhanced Linux user-space
libraries and tools) project. Information about the project can be
found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩. If you
have a bug report for this manual page, see
page was obtained from the project's upstream Git repository
⟨https://github.com/SELinuxProject/selinux⟩ on 2017-03-13. If you
discover any rendering problems in this HTML version of the page, or
you believe there is a better or more up-to-date source for the page,
or you have corrections or improvements to the information in this
COLOPHON (which is not part of the original manual page), send a mail
10 June 2016 setfiles(8)