LinuxCommandLibrary

semanage-fcontext

Manage SELinux file context mappings

TLDR

List all file labelling rules

$ sudo semanage fcontext [[-l|--list]]

List all user-defined file labelling rules without headings

$ sudo semanage fcontext [[-l|--list]] [[-C|--locallist]] [[-n|--noheading]]

Add a user-defined rule that labels any path which matches a PCRE regex

$ sudo semanage fcontext [[-a|--add]] [[-t|--type]] [samba_share_t] ['/mnt/share(/.*)?']

Delete a user-defined rule using its PCRE regex

$ sudo semanage fcontext [[-d|--delete]] ['/mnt/share(/.*)?']

Relabel a directory recursively by applying the new rules

$ restorecon -R -v [path/to/directory]

SYNOPSIS

semanage fcontext [-n] [-N] [-S STORE] -a | -d | -m [-t TYPE] [-f FTYPE] [-r RANGE] [-s SEUSER] file_regexp
semanage fcontext -a | -d -e EXISTING_PATH new_path
semanage fcontext -l [-C] [-n]
semanage fcontext -D | -E

PARAMETERS

-a
    Add a new file context mapping rule.

-d
    Delete an existing file context mapping rule.

-m
    Modify an existing file context mapping rule.

-l
    List all active file context mapping rules.

-f
    Restrict the rule to one file type: a (all files, the default), b (block device), c (character device), d (directory), f (regular file), l (symbolic link), p (named pipe), s (socket). For example, -f d applies the rule to directories only.

-t
    Set the SELinux type component of the context (e.g., 'httpd_sys_content_t').

-r
    Set the MLS/MCS security range component of the context (e.g., 's0'). Only meaningful on MLS/MCS-enabled policies.

-s
    Set the SELinux user component of the context (e.g., 'system_u'). There is no -u option; the user is set with -s.

-e
    Instead of giving a context, declare the new path equivalent to an existing one: semanage fcontext -a -e /var/www /srv/www labels everything under /srv/www exactly as the corresponding path under /var/www would be labelled.

file_regexp
    The regular expression describing the file path(s) to which the context mapping applies (e.g., '/var/www(/.*)?'). It is matched against the full path, so no leading ^ or trailing $ is needed.

-N
    Do not reload the kernel policy after committing the change to the policy store.

-S
    Operate on the named policy store (e.g., targeted, mls) instead of the currently active one.

-n
    When used with -l, omit the column headings from the output (useful when the listing is fed to a script).

-C
    When used with -l, lists only local customizations (user-added rules), excluding default policy rules.

-D
    Delete all local file context customizations added by the administrator.

-E
    Extract the local file context customizations as semanage commands, one per line, that can be replayed with semanage import, e.g. to carry the rules to another host.

DESCRIPTION

semanage fcontext is a subcommand of semanage that manages the mapping of file paths to SELinux contexts. Administrators use it to add, modify or delete persistent rules that define which context a file or directory should carry based on its path. The rules are stored in the SELinux policy store and compiled into the file_contexts database that restorecon and setfiles use to label files, and that matchpathcon uses to report the label a path would receive. Keeping this mapping correct is central to the security boundaries SELinux enforces: a file with the wrong type is either unreachable for the confined service that needs it (surfacing as AVC denials or "permission denied" errors) or, worse, reachable by a confined process that should never have touched it. When a new application is installed or a service's data is moved to a custom directory, semanage fcontext is the way to ensure files in those locations receive the appropriate labels without falling back on chcon, whose changes do not survive a relabel.

CAVEATS

semanage fcontext -a/-d/-m commits the rule to the policy store immediately and reloads the policy (unless -N is given); there is no separate apply or commit step. The new rule does not, however, touch files already on disk: run restorecon -Rv on the affected paths afterwards, or their labels stay as they were.
Rules describe paths, not files. A file moved with mv keeps its existing label; newly created or copied files get the label the rules dictate for their new path, or inherit the parent directory's.
Local customizations take precedence over rules from the base policy, so an overly broad regex (one that also matches paths under /etc or /usr, say) can silently relabel system files and weaken confinement rather than strengthen it.
The file_regexp is a PCRE regular expression matched against the whole path, so characters such as '.', '*', '?', '+', '(', ')', '[', ']', '|', '^', '$' must be escaped when they are meant literally.

LOCAL VS. POLICY RULES

semanage fcontext stores its rules in the local part of the SELinux policy store, file_contexts.local (under /etc/selinux/targeted/modules/active/ on older releases, and under /var/lib/selinux/targeted/active/ on distributions shipping libsemanage 2.4 or later), which overrides or supplements the base policy rules in file_contexts. Path equivalences added with -e are kept separately in file_contexts.subs.

APPLYING CHANGES

After adding or modifying rules with semanage fcontext, the policy store is already updated. Run restorecon -Rv /path/to/files to relabel files already on the filesystem, then confirm the result with matchpathcon /path/to/files (the label a path should have) and ls -Z (the label it actually has); semanage fcontext -l -C shows the local rules currently in force.
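The following shell script is an added example, not code from the LinuxCommandLibrary page or from the SELinux project. It wraps the add-rule and relabel procedure above and the escaping caveat from CAVEATS: it escapes the PCRE metacharacters in a literal directory path before handing it to semanage, appends the usual (/.*)? suffix so the rule covers the whole tree, refuses to build a rule for /, and only then calls semanage, matchpathcon and restorecon. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page or the SELinux project): build a safe
# file_regexp from a literal directory path, add it as a persistent rule,
# and relabel the directory. Run fc_label_dir as root on an SELinux host.

# Escape every PCRE metacharacter in a literal path so it matches only itself.
fc_escape_path() {
    printf '%s' "$1" | sed -e 's/[][\\.*?+(){}|^$]/\\&/g'
}

# Build the file_regexp for a directory and everything below it.
# "/mnt/share/" and "/mnt/share" both yield '/mnt/share(/.*)?'.
fc_dir_regex() {
    _dir=${1%/}
    if [ -z "$_dir" ]; then
        echo "fc_dir_regex: refusing to build a rule for / (it would match every path)" >&2
        return 1
    fi
    printf '%s(/.*)?' "$(fc_escape_path "$_dir")"
}

# Add a persistent rule mapping DIR (recursively) to TYPE, then relabel DIR.
# Usage: fc_label_dir samba_share_t /mnt/share
fc_label_dir() {
    _type=$1
    _path=$2
    _regex=$(fc_dir_regex "$_path") || return 1
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not found (policycoreutils-python-utils on Fedora/RHEL)" >&2
        return 1
    fi
    # Commits to the policy store and reloads the policy; no separate apply step.
    semanage fcontext -a -t "$_type" "$_regex" || return 1
    # Show the local (user-defined) rule that was just stored.
    semanage fcontext -l -C -n | grep -F -- "$_regex"
    # What label would a file at this path receive? Check before relabelling.
    if command -v matchpathcon >/dev/null 2>&1; then
        matchpathcon "$_path"
    fi
    # The rule only affects files on disk once restorecon has been run.
    restorecon -Rv "$_path"
    ls -dZ "$_path"
}
```

fc_escape_path turns '/srv/www+data (old)/site.v2' into '/srv/www\+data \(old\)/site\.v2'; without the escaping, the rule would also match paths such as /srv/wwwdata (old)/sitexv2, which is exactly the kind of unintended labelling the CAVEATS section warns about.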

REGULAR EXPRESSIONS

Understanding regular expressions is critical for effective use of the file_regexp argument. An incorrect regex either labels paths it should not touch or fails to label the paths you intended, and both outcomes surface as SELinux denials or as data reachable by the wrong domain. Test a rule before relying on it: matchpathcon /some/path prints the context the current rules assign to that path, without changing anything on disk.

HISTORY

semanage and its subcommands, including fcontext, ship with policycoreutils (on Fedora and RHEL in the policycoreutils-python-utils package) and are the standard tools for managing SELinux. SELinux itself was developed by the NSA, released publicly in December 2000 and merged into the mainline Linux kernel with version 2.6 in 2003. semanage was written as a friendlier way to manage persistent policy customizations than editing policy sources or driving the low-level tools directly, and the fcontext subcommand addresses one of the most common of those tasks: keeping file labelling rules persistent across relabels and policy updates. Its development has focused on simplifying the syntax and keeping a clear separation between the default policy and local customizations.

SEE ALSO

semanage(8), restorecon(8), setfiles(8), matchpathcon(8), chcon(1), selinux(8)