LinuxCommandLibrary

fixfiles

Fix file SELinux security contexts

TLDR

If specified with onboot, fixfiles records the current date in the /.autorelabel file so that it can be used later to speed up labeling. If used with restore, the restore only affects files that were modified today.
$ fixfiles -B

[F]orce reset of context to match file_context for customizable files
$ fixfiles -F

Clear /tmp directory without confirmation
$ fixfiles -f

Use the [R]pm database to discover all files within specific packages and restore the file contexts
$ fixfiles -R [rpm_package1,rpm_package2 ...]

Run a diff on the PREVIOUS_FILECONTEXT file to the [C]urrently installed one, and restore the context of all affected files
$ fixfiles -C PREVIOUS_FILECONTEXT

Only act on files created after a specific date which will be passed to find --newermt command
$ fixfiles -N [YYYY-MM-DD HH:MM]

Bind [M]ount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over
$ fixfiles -M

Modify [v]erbosity from progress to verbose and run restorecon with -v instead of -p
$ fixfiles -v

SYNOPSIS

fixfiles [options] [pathnames] | onboot | check | restore

PARAMETERS

-h, --help
    Display usage help and exit

-V, --version
    Output version information and exit

-v, --verbose
    Enable verbose logging

-C, --compareonly
    List mismatches without relabeling

-F, --fileonly
    Relabel files only, skip directories

-l LOGFILE, --logfile=LOGFILE
    Append changes to specified log file

-r, --relabelonly
    Relabel without creating restore markers

-R, --recursive
    Recurse into subdirectories

-f FILE, --filelist=FILE
    Relabel paths listed in FILE

-s, --nosquash
    Skip special handling of /tmp, /var/tmp

-W, --world-writable
    Relabel world-writable files in tmp dirs

-B, --backup
    Backup files prior to relabeling

-o FILE, --output=FILE
    Write relabeled list to FILE

-x, --relabel-to-default
    Force default context relabeling

-Z, --relabelall
    Relabel all files, ignore current labels

-z, --relabeltodf
    Relabel only if differs from default

DESCRIPTION

fixfiles is a Linux utility for SELinux-enabled systems that resets security contexts (labels) on files and directories to match the current policy. SELinux uses these labels for mandatory access control; mismatches can cause denials or security issues.

Common triggers include policy updates, backup restores, filesystem mounts, or RPM transactions. Without arguments, it targets key areas: /, /tmp, /var/tmp, /var/log, /dev, /usr/tmp, using file_contexts and file_contexts.local to generate lists via genfilecon, then applies via restorecon.

Supports recursive scans, dry-runs (-C), file lists (-f), logging (-l), and modes like onboot (creates /.autorelabel for boot fix), check (verify need), restore (full restorecon). Requires root for changes; verbose output with -v.

Ideal post-policy load or troubleshooting AVC denials. Always check with -C first to preview impacts.

CAVEATS

Requires root privileges for relabeling. Extremely slow on large filesystems (hours possible). Use -C to preview. SELinux must be enforcing/enabled; creates /.autorelabel for boot relabel if needed.

EXAMPLES

fixfiles -F /home - Relabel /home files only
fixfiles -C /var - Check /var mismatches
fixfiles onboot - Schedule full boot relabel
fixfiles check - Verify if relabel needed
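
The following script is an added example, not part of fixfiles or of this page's original text. It shows one way to triage the output of the check mode before committing to a relabel, by counting old-type to new-type transitions and listing the paths behind a given old type. It assumes preview lines of the form "Would relabel PATH from OLD to NEW"; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a relabel preview before running the real relabel.
# Assumption: each preview line reads
#   Would relabel PATH from OLD_CONTEXT to NEW_CONTEXT

# Constructed sample preview output (not captured from a real system).
sample_preview() {
cat <<'EOF'
Would relabel /var/www/html/index.html from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/html/site backup/a.css from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Would relabel /etc/shadow from system_u:object_r:unlabeled_t:s0 to system_u:object_r:shadow_t:s0
Would relabel /srv/app/run.sh from system_u:object_r:bin_t:s0 to system_u:object_r:var_t:s0
some unrelated progress line
EOF
}

# awk guard shared by both helpers: matches only well-formed preview lines.
MATCH='NF >= 7 && $1 == "Would" && $2 == "relabel" && $(NF-3) == "from" && $(NF-1) == "to"'

# stdin: preview text. stdout: "COUNT OLD_TYPE -> NEW_TYPE", most frequent first.
summarize_preview() {
    awk "$MATCH"' {
        # The type is the third field of user:role:type:level.
        split($(NF-2), o, ":"); split($NF, n, ":")
        count[o[3] " -> " n[3]]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# stdin: preview text. $1: old type to look for. stdout: matching paths.
# Paths containing spaces are rebuilt from the fields before "from".
paths_with_old_type() {
    awk -v want="$1" "$MATCH"' {
        split($(NF-2), o, ":")
        if (o[3] != want) next
        path = $3
        for (i = 4; i <= NF - 4; i++) path = path " " $i
        print path
    }'
}

# Demo on the constructed sample.
sample_preview | summarize_preview
sample_preview | paths_with_old_type unlabeled_t
# On an SELinux host, as root: fixfiles check /var/www 2>&1 | summarize_preview
```

An unexpected transition in the summary, such as many files moving away from a type a service depends on, is worth investigating before the real relabel is run.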

DEFAULT BEHAVIOR

No path: relabels /, /tmp, /var/tmp, /var/log, /dev, /usr/tmp using file_contexts*

HISTORY

Developed by NSA for SELinux (ca. 2000); integrated into RHEL 4/Fedora Core 3 (2005) via policycoreutils. Evolved with policy-local expansions and onboot support in later RHEL/Fedora releases.

SEE ALSO

restorecon(8), setfiles(8), semanage(8), load_policy(8), selinuxenabled(8)
