fixfiles
Fix file SELinux security contexts
TLDR
If specified with onboot, fixfiles records the current date in the /.autorelabel file so that it can be used later to speed up labeling. If used with restore, the restore only affects files that were modified today.
[F]orce reset of context to match file_context for customizable files
Clear /tmp directory without confirmation
Use the [R]pm database to discover all files within specific packages and restore the file contexts
Run a diff on the PREVIOUS_FILECONTEXT file to the [C]urrently installed one, and restore the context of all affected files
Only act on files created after a specific date, which is passed to find's --newermt option
Bind [M]ount filesystems before relabeling them; this allows fixing the context of files or directories that have been mounted over
Modify [v]erbosity from progress to verbose and run restorecon with -v instead of -p
SYNOPSIS
fixfiles [options] {restore|relabel|verify|-R} [pathname...]
PARAMETERS
-F
Force relabeling, even if the context appears correct. This overrides the default behavior of not relabeling if the context is already correct.
-f
Equivalent to -F; force relabeling even if the context appears correct.
-l logfile
Log all file context changes and errors to the specified logfile, providing a record of the relabeling process.
-N
Perform a dry run; do not actually relabel any files, just show what would be done. This is useful for previewing changes without modifying the filesystem.
-o
Optimize relabeling by sorting files by context and size. This can potentially speed up the process on large filesystems by reducing disk seeking.
-q
Operate in quiet mode, suppressing most output unless an error occurs. Only critical messages or errors will be displayed.
-r rootdir
Specify an alternate root directory for relabeling. This is useful when relabeling a chrooted environment or an unmounted filesystem.
-R
A specific mode used primarily in conjunction with the /.autorelabel mechanism to indicate a full system relabel on the next boot.
-v
Enable verbose output, showing more details about the relabeling process, including each file that is checked or modified.
-X
Skip excluded files or directories. This option respects exclusions defined in SELinux configuration files like file_contexts.local, preventing unnecessary relabeling of user-defined exceptions.
restore
The primary operation mode to relabel files to their default SELinux contexts based on the active policy. This is the default action if no mode is specified.
relabel
An alias for the restore mode, performing the same operation of applying default SELinux contexts.
verify
Check file contexts without changing them, reporting any discrepancies between the current context and the expected context from the policy.
pathname...
One or more paths to specific files or directories to relabel recursively. If no pathnames are provided, fixfiles will attempt to relabel the entire filesystem.
DESCRIPTION
fixfiles is a script that restores the default SELinux file security contexts on a Linux system. It's an essential tool for maintaining the integrity and security of SELinux-enabled environments. The command typically reads the SELinux policy's file_contexts database to determine the correct security context for each file and directory, then applies these contexts. This is crucial after installing new software, restoring backups, migrating systems, or if file contexts become corrupted or incorrect due to manual changes or errors. fixfiles automates the process of relabeling, preventing permission denied errors and ensuring applications and services can operate correctly under SELinux enforcement. While powerful, its execution on large filesystems can be time-consuming. It often leverages the restorecon utility internally.
CAVEATS
Requires SELinux to be enabled and a policy loaded. Full system relabeling can be a lengthy process, potentially hours on large filesystems, and should ideally be done during a maintenance window. Incorrect or incomplete SELinux policies can lead to system instability or boot failures if contexts are applied incorrectly. Always ensure your SELinux policy is up-to-date and appropriate for your system before a full relabel.
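Before committing to a long relabel, it helps to see which type transitions a run would make. The script below is an added example, not part of fixfiles or its documentation: it summarizes dry-run output from restorecon (the utility fixfiles uses internally), assuming the "Would relabel <path> from <context> to <context>" line format that restorecon -n -v prints. The function names and the sample report are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of fixfiles): triage a dry-run relabel report.
# Input on stdin is `restorecon -R -n -v <path>` output, one line per file:
#   Would relabel <path> from <user:role:type:level> to <user:role:type:level>

# Print "<count> <current_type> -> <expected_type>", most frequent first.
summarize_relabel() {
    awk '
        NF >= 6 && $1 == "Would" && $2 == "relabel" &&
        $(NF-3) == "from" && $(NF-1) == "to" {
            # The contexts are always the 3rd-from-last and last fields,
            # even when the path itself contains spaces.
            split($(NF-2), cur, ":"); split($NF, want, ":")
            n[cur[3] " -> " want[3]]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -k1,1nr -k2
}

# Print the paths whose current type is $1 (e.g. everything still default_t).
paths_with_type() {
    awk -v t="$1" '
        NF >= 6 && $1 == "Would" && $2 == "relabel" &&
        $(NF-3) == "from" && $(NF-1) == "to" {
            split($(NF-2), cur, ":")
            if (cur[3] != t) next
            path = $0
            sub(/^Would relabel /, "", path)
            sub(/ from [^ ]+ to [^ ]+$/, "", path)
            print path
        }
    '
}

# Constructed sample report; on a real host pipe restorecon output instead.
sample_report() {
    cat <<'EOF'
Would relabel /var/www/html/index.html from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/html/app.css from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/html/upload dir/a.png from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /etc/shadow from system_u:object_r:etc_t:s0 to system_u:object_r:shadow_t:s0
EOF
}

sample_report | summarize_relabel
sample_report | paths_with_type default_t
```

An unexpected transition in the summary, such as many files moving away from a type a service depends on, is a reason to check the policy and local file-context rules before relabeling.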
CONTEXT SOURCE
The command derives the correct SELinux contexts from the system's active SELinux policy, specifically from the file_contexts files (e.g., policy/policy.version/contexts/files/file_contexts). These files map paths to their intended SELinux types.
AUTORELABEL ON BOOT
To force a full system relabel on the next boot, create an empty file named /.autorelabel in the root directory. On the subsequent boot, the system will execute fixfiles -R (or similar logic) to relabel the entire filesystem, after which the /.autorelabel file is removed.
HISTORY
Part of the selinux-policy project, fixfiles emerged as a necessary utility for managing SELinux file contexts since the early days of SELinux integration into mainstream Linux distributions. It serves as a user-friendly wrapper around lower-level tools like restorecon, automating the relabeling process essential for maintaining system security and stability in SELinux environments.
SEE ALSO
restorecon(8), setfiles(8), semanage(8), chcon(1), ls(1) -Z