установить контексты безопасности файлов SELinux (set SELinux file security contexts.)
Имя (Name)
setfiles - set SELinux file security contexts.
Синопсис (Synopsis)
setfiles [-c policy] [-d] [-l] [-m] [-n] [-e directory] [-E] [-p]
[-s] [-v] [-W] [-F] [-I|-D] spec_file pathname ...
Описание (Description)
This manual page describes the setfiles program.
This program is primarily used to initialize the security context
fields (extended attributes) on one or more filesystems (or parts
of them). Usually it is initially run as part of the SELinux
installation process (a step commonly known as labeling).
It can also be run at any other time to correct inconsistent
labels, to add support for newly-installed policy or, by using
the -n option, to passively check whether the file contexts are
all set as specified by the active policy (default behavior) or
by some other policy (see the -c option).
If a file object does not have a context, setfiles will write the
default context to the file object's extended attributes. If a
file object has a context, setfiles will only modify the type
portion of the security context. The -F option will force a
replacement of the entire context.
Параметры (Options)
-c check the validity of the contexts against the specified
binary policy.
-d show what specification matched each file.
-e directory
directory to exclude (repeat option for more than one
directory).
-E treat conflicting specifications as errors, such as where
two hardlinks for the same inode have different contexts.
-f infilename
infilename contains a list of files to be processed. Use
'-' for stdin.
-F Force reset of context to match file_context for
customizable files, and the default file context, changing
the user, role, range portion as well as the type.
-h, -? display usage information and exit.
-i ignore files that do not exist.
-I ignore digest to force checking of labels even if the
stored SHA1 digest matches the specfiles SHA1 digest. The
digest will then be updated provided there are no errors.
See the NOTES section for further details.
-D Set or update any directory SHA1 digests. Use this option
to enable usage of the security.sehash extended attribute.
-l log changes in file labels to syslog.
-m do not read /proc/mounts to obtain a list of non-seclabel
mounts to be excluded from relabeling checks. Setting
this option is useful where there is a non-seclabel fs
mounted with a seclabel fs mounted on a directory below
this.
-n don't change any file labels (passive check).
-o outfilename
Deprecated - This option is no longer supported.
-p show progress by printing the number of files in 1k blocks
unless relabeling the entire OS, that will then show the
approximate percentage complete. Note that the -p and -v
options are mutually exclusive.
-q Deprecated, was only used to stop printing inode
association parameters.
-r rootpath
use an alternate root path. Used in meta-selinux for
OpenEmbedded/Yocto builds to label files under rootpath as
if they were at /
-s take a list of files from standard input instead of using
a pathname from the command line (equivalent to '-f -' ).
-v show changes in file labels and output any inode
association parameters. Note that the -v and -p options
are mutually exclusive.
-W display warnings about entries that had no matching files
by outputting the selabel_stats(3) results.
-0 the separator for the input items is assumed to be the
null character (instead of the white space). The quotes
and the backslash characters are also treated as normal
characters that can form valid input. This option finally
also disables the end of file string, which is treated
like any other argument. Useful when input items might
contain white space, quote marks or backslashes. The
-print0 option of GNU find produces input suitable for
this mode.
Аргументы (Arguments)
spec_file
The specification file which contains lines of the
following form:
regexp [type] context | <<none>>
The regular expression is anchored at both ends.
The optional type field specifies the file type as
shown in the mode field by the ls(1) program, e.g.
-- to match only regular files or -d to match only
directories. The context can be an ordinary
security context or the string <<none>> to specify
that the file is not to have its context changed.
The last matching specification is used. If there
are multiple hard links to a file that match
different specifications and those specifications
indicate different security contexts, then a
warning is displayed but the file is still labeled
based on the last matching specification other than
<<none>>.
pathname ...
The pathname for the root directory of each file system to
be relabeled or a specific directory within a filesystem
that should be recursively descended and relabeled or the
pathname of a file that should be relabeled. Not used if
the -f or the -s option is used.
Примечание (Note)
1. setfiles operates recursively on directories. Paths leading
up the final component of the file(s) are not canonicalized
before labeling.
2. If the pathname specifies the root directory and the -v
option is set and the audit system is running, then an audit
event is automatically logged stating that a "mass relabel"
took place using the message label FS_RELABEL.
3. To improve performance when relabeling file systems
recursively the -D option to setfiles will cause it to store
a SHA1 digest of the spec_file set in an extended attribute
named security.sehash on each directory specified in
pathname ... once the relabeling has been completed
successfully. These digests will be checked should setfiles
-D be rerun with the same spec_file and pathname parameters.
See selinux_restorecon(3) for further details.
The -I option will ignore the SHA1 digest from each directory
specified in pathname ... and provided the -n option is NOT
set, files will be relabeled as required with the digests
then being updated provided there are no errors.
