setfiles
Restore default SELinux file contexts
TLDR
- Set file contexts according to the default policy file
- Set file contexts recursively and show changes
- Preview what would be changed without actually modifying contexts
- Set file contexts and verify them
- Use a specific root path for context matching
SYNOPSIS
setfiles [OPTIONS] PATHNAME ...
setfiles -B [OPTIONS] PATHNAME ...
setfiles -C
setfiles -V
PARAMETERS
-c policy
Specify an alternate SELinux policy file to use instead of the system default.
-d
Dump the contents of the file_contexts database to standard output.
-e exclude_pattern
Exclude files or directories matching the specified regular expression pattern from processing.
-f input_file
Read a list of pathnames to process from the specified input_file, one path per line.
-F
Force a complete relabel, resetting the contexts of all files even if they appear to be correct.
-h
Handle symbolic links; if a link points to a directory, restore the context of the directory it points to.
-i
Ignore files that do not exist, preventing errors for missing paths specified in input.
-l login
Use the specified SELinux login context for labelling files.
-n
No action; perform a dry run. Display what would be done without actually changing any file contexts.
-o output_file
Save the compiled contents of the file_contexts database to the specified output_file.
-P
Do not use mmap to read the file_contexts file; use standard file I/O instead.
-q
Suppress error messages during operation.
-r root_dir
Specify an alternate root_dir for the filesystem being relabelled, useful for chroot environments.
-R
Recursively process directories. This is the default behavior when processing directories.
-s
Suppress warning messages during operation.
-S
Do not follow symbolic links. This is the default behavior.
-v
Enable verbose output, showing details of files being processed and their context changes.
-W
Display warnings, even if suppressed by -s.
-x
Disable the use of xattr to store parent directory contexts, which can speed up the process.
-0
When reading input from a file with -f, interpret NUL characters as path delimiters instead of newlines.
-B
Used with PATHNAME, check the binary file_contexts for errors without relabeling.
-C
Compile the text file_contexts and file_contexts.local into a binary file_contexts.bin.
-V
Display the version information of the setfiles utility.
DESCRIPTION
The setfiles command is a core SELinux utility that restores the default SELinux security contexts of files and directories on a filesystem. It does so by comparing each file's current context with the rules defined in the policy's file_contexts configuration; where they differ, setfiles rewrites the file's security label to match the policy.
This command is frequently used in various scenarios:
- After installing new software or moving files, which might result in incorrect or unlabelled contexts.
- Following an SELinux policy update, where existing file contexts might no longer align with the new rules.
- During system initialisation or a full relabel, especially when switching SELinux modes or after a major system upgrade.
While similar to restorecon, setfiles is generally a lower-level utility that offers more control, such as selecting a specific policy file or an alternate root directory. It is an indispensable tool for maintaining the integrity and security of an SELinux-enabled system.
CAVEATS
- Root Privileges: setfiles typically requires root privileges to modify file contexts on the filesystem.
- Time Consuming: On large filesystems, a full relabel (especially with -F) can take a significant amount of time and system resources.
- Policy Dependency: The correct functioning of setfiles is entirely dependent on having an up-to-date and accurate SELinux policy, specifically the file_contexts definitions.
- Risk of Misconfiguration: Incorrect usage or an erroneous policy can lead to files having the wrong contexts, potentially breaking applications or system functionality. Always perform a dry run (-n) before making widespread changes.
CONTEXT MATCHING LOGIC
setfiles determines the correct security context for a file by matching its absolute path against regular expressions defined in the file_contexts configuration file (or its compiled binary form). These rules specify the default user, role, type, and sensitivity level for different files and directories across the filesystem. The most specific matching rule takes precedence, ensuring that even intricate context requirements can be met.
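The matching described above, and the dry run that -n performs, as an added worked example (not code from the setfiles project): a small Python matcher over the text file_contexts format. The sample rules are constructed, not taken from a real policy; the lookup follows the file_contexts(5) convention that patterns are anchored to the whole path and the last matching specification wins, which is how the most specific rule takes precedence, since policies list specific rules after generic ones.

```python
import re
# Constructed sample file_contexts entries (not copied from a real policy).
# Policies list generic rules first and more specific ones later.
SAMPLE_FILE_CONTEXTS = """\
# comments and blank lines are ignored
/.*                        system_u:object_r:default_t:s0
/etc(/.*)?                 system_u:object_r:etc_t:s0
/etc/shadow.*        --    system_u:object_r:shadow_t:s0
/var/www(/.*)?             system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?     system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib/debug(/.*)?       <<none>>
"""
# optional file-type field -> one-letter type as reported by stat (regular, dir, symlink, ...)
FTYPE_MAP = {"--": "-", "-d": "d", "-l": "l", "-b": "b", "-c": "c", "-p": "p", "-s": "s"}

def parse_file_contexts(text):
    """Parse file_contexts text into (anchored regex, ftype or None, context or None)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:          # pattern, file type, context
            pattern, ftype, ctx = fields[0], FTYPE_MAP[fields[1]], fields[2]
        elif len(fields) == 2:        # pattern, context (any file type)
            pattern, ftype, ctx = fields[0], None, fields[1]
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        # libselinux anchors each pattern to the whole path; <<none>> means "leave alone"
        specs.append((re.compile("^" + pattern + "$"), ftype, None if ctx == "<<none>>" else ctx))
    return specs

def match_context(specs, path, ftype="-"):
    """Context the policy assigns to path, or None. Like libselinux, the LAST
    matching spec wins, which is how the most specific rule takes precedence."""
    for regex, want_type, ctx in reversed(specs):
        if want_type is None or want_type == ftype:
            if regex.match(path):
                return ctx
    return None

def dry_run(specs, current):
    """Mimic 'setfiles -n': current maps path -> (ftype, label); return (path, old, new) per change."""
    changes = []
    for path, (ftype, old) in sorted(current.items()):
        new = match_context(specs, path, ftype)
        if new is not None and new != old:
            changes.append((path, old, new))
    return changes
```

Feeding dry_run a constructed map of current labels shows which paths a relabel would touch and why, without modifying anything.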
PERFORMANCE CONSIDERATIONS
When performing a system-wide relabel, setfiles traverses the entire filesystem, accessing metadata for each file and directory. This intensive I/O operation can significantly impact system performance. Using options like -x (to disable xattr lookups for parent contexts) can sometimes offer minor performance improvements, but careful planning and execution during off-peak hours are recommended for large-scale operations.
HISTORY
SELinux was initially developed by the National Security Agency (NSA) and released to the open-source community in 2000, eventually being integrated into the Linux kernel in 2003. As a core component of the SELinux userspace utilities, setfiles has been an integral part of managing file security contexts since the early days of SELinux adoption. Its functionality has evolved alongside the SELinux policy language and kernel modules, becoming a robust tool for system administrators to maintain the mandatory access control integrity of their systems.
SEE ALSO
restorecon(8), chcon(1), semanage(8), fixfiles(8), ls(1)