
setfiles

Set SELinux file security contexts from policy

TLDR

Set file contexts according to the default policy
$ sudo setfiles /etc/selinux/targeted/contexts/files/file_contexts [path/to/directory]
Set file contexts recursively and show changes
$ sudo setfiles -v /etc/selinux/targeted/contexts/files/file_contexts [path/to/directory]
Preview changes without modifying contexts
$ sudo setfiles -n /etc/selinux/targeted/contexts/files/file_contexts [path/to/directory]
Force complete context replacement
$ sudo setfiles -F /etc/selinux/targeted/contexts/files/file_contexts [path/to/directory]
Use multiple threads for faster processing
$ sudo setfiles -T 4 /etc/selinux/targeted/contexts/files/file_contexts [path/to/directory]
Exclude a directory from relabeling
$ sudo setfiles -e [path/to/exclude] /etc/selinux/targeted/contexts/files/file_contexts [path/to/directory]

SYNOPSIS

setfiles [-cdlmnpsvFIUW] [-e dir] [-r rootpath] [-T nthreads] specfile pathname...

DESCRIPTION

setfiles initializes and corrects SELinux security context labels on filesystems based on the pattern-to-context mappings in a specification file. It is the primary tool for relabeling files after SELinux policy changes or system installation.

The specification file (typically /etc/selinux/targeted/contexts/files/file_contexts) contains regular expressions that are matched against file paths to determine each file's security context. Unlike restorecon, setfiles requires the specification file to be given explicitly as an argument.

PARAMETERS

-c policy
Validate contexts against the specified binary policy file
-d
Show which specification matched each file (debug)
-e directory
Exclude directory from labeling (can be repeated)
-f infilename
Read list of files to process from a file
-F
Force complete context replacement including user, role, and range
-n
Dry run; show what would be changed without modifying
-p
Show progress as percentage or 1024-block increments
-r rootpath
Use alternate root path for context matching
-s
Log changes to syslog instead of stdout
-v
Verbose; show files whose labels are changed
-T nthreads
Number of threads to use (0 = number of CPU cores)
-I
Ignore stored directory digests; force label checking
-D
Set or update directory SHA1 digests in extended attributes
-W
Display warnings about entries that have no matching specification
-l
Log changes to the file named by the SETFILES_PROGRESS environment variable at 10-second intervals

CAVEATS

Requires SELinux to be enabled; on non-SELinux systems, the command has no effect. Relabeling large filesystems can be time-consuming. Using -F forces all context components to change, which may disrupt running services. The -n dry-run option should be used first on production systems.
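The dry-run-first workflow recommended above, as an added example (not code from this page or from the policycoreutils project): it checks that SELinux is enabled, runs setfiles with -n -v against the targeted policy's file_contexts, and summarizes how many files would be relabeled and how many of those are type changes. The remainder are files that only -F would touch because of a user, role or range difference, which is the extra churn the caveat about -F refers to. The per-file line format "Would relabel PATH from OLD to NEW" / "Relabeled PATH from OLD to NEW" is an assumption about libselinux-based verbose output and should be confirmed on your distribution; the sample output embedded in the script is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example; not code from the LinuxCommandLibrary page or from policycoreutils.
# Assumptions: the targeted policy spec path used in the TLDR above, and that
# verbose output reports one line per file as
#   "Would relabel PATH from OLD_CONTEXT to NEW_CONTEXT"  (with -n)
#   "Relabeled PATH from OLD_CONTEXT to NEW_CONTEXT"      (without -n)
# Verify that line format against your own distribution before relying on it.

SPEC=/etc/selinux/targeted/contexts/files/file_contexts

# Succeed only when SELinux is enabled on this host; setfiles does nothing otherwise.
selinux_enabled() {
    if command -v selinuxenabled >/dev/null 2>&1; then
        selinuxenabled
    else
        [ -e /sys/fs/selinux/enforce ]
    fi
}

# Read verbose setfiles output on stdin and print "changes=N type_changes=M":
# N = files reported as (to be) relabeled, M = those whose type component
# differs. With -F, N-M is the number of files touched only because of a
# user, role or range difference. Paths containing " from " or " to "
# would confuse this parser.
summarize_relabel() {
    awk '
        /^(Would relabel|Relabeled) / {
            n++
            rest = $0
            sub(/^.* from /, "", rest)        # leaves "OLD to NEW"
            split(rest, ctx, / to /)
            split(ctx[1], old, ":")           # user:role:type:range
            split(ctx[2], new, ":")
            if (old[3] != new[3]) t++
        }
        END { printf "changes=%d type_changes=%d\n", n + 0, t + 0 }
    '
}

# Dry-run relabel of the given paths, then summarize. Needs root on a real system.
preview_relabel() {
    selinux_enabled || { echo "SELinux is not enabled; nothing to do" >&2; return 1; }
    setfiles -n -v -F "$SPEC" "$@" 2>&1 | summarize_relabel
}

# Constructed sample of dry-run output (not captured from a real host) so the
# summarizer can be exercised on a machine without SELinux. The last line is the
# kind of warning -W produces and is deliberately not counted.
SAMPLE_OUTPUT='Would relabel /var/www/html/index.html from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/html/cache from unconfined_u:object_r:httpd_sys_content_t:s0 to system_u:object_r:httpd_sys_content_t:s0
setfiles: Warning no default label for /var/www/html/.stray'

demo_summary() {
    printf '%s\n' "$SAMPLE_OUTPUT" | summarize_relabel
}

# Usage on a real host: sh relabel-preview.sh /var/www/html
if [ "$#" -gt 0 ]; then
    preview_relabel "$@"
fi
```

Run demo_summary to see the summarizer on the constructed sample: two files would change, but only one of them changes type, so a plain (non -F) run would touch only the first. On a live host, invoke the script with the directories you intend to relabel, review the summary, and only then repeat without -n.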

HISTORY

setfiles is part of the SELinux policycoreutils package, developed alongside SELinux at the NSA (National Security Agency) starting in 2000. SELinux was merged into the Linux kernel mainline in 2003 with version 2.6. The tool has evolved to support multi-threading and digest-based optimization.
