selinux/policycoreutils/scripts/fixfiles.8

.TH "fixfiles" "8" "2002031409" "" ""
.SH "NAME"
fixfiles \- fix file SELinux security contexts.

.SH "SYNOPSIS"
.na

.B fixfiles
.I [\-v] [\-F] [-M] [\-f] [\-T nthreads] relabel

.B fixfiles
.I [\-v] [\-F] [\-T nthreads] { check | restore | verify } dir/file ...

.B fixfiles
.I [\-v] [\-F] [\-B | \-N time ] [\-T nthreads] { check | restore | verify }

.B fixfiles
.I [\-v] [\-F] [\-T nthreads] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }

.B fixfiles
.I [\-v] [\-F] [\-T nthreads] \-C PREVIOUS_FILECONTEXT  { check | restore | verify }

.B fixfiles
.I [-F] [-M] [-B] [\-T nthreads] onboot

.ad

.SH "DESCRIPTION"
This manual page describes the
.BR fixfiles
script.
.P
This script is primarily used to correct the security context
database (extended attributes) on filesystems.
.P
It can also be run at any time to relabel when adding support for
new policy, or  just check whether the file contexts are all
as you expect.  By default it will relabel all mounted ext2, ext3, ext4, gfs2, xfs,
jfs and btrfs file systems as long as they do not have a security context mount
option.  You can use the \-R flag to use rpmpackages as an alternative.
The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
excluded from relabeling.
.P
.B fixfiles onboot
will setup the machine to relabel on the next reboot.

.SH "OPTIONS"
.TP
.B \-B
If specified with onboot, this fixfiles will record the current date in the /.autorelabel file, so that it can be used later to speed up labeling. If used with restore, the restore will only affect files that were modified today.
.TP
.B \-F
Force reset of context to match file_context for customizable files

.TP
.B \-f
Clear /tmp directory with out prompt for removal.

.TP
.B \-R rpmpackagename[,rpmpackagename...]
Use the rpm database to discover all files within the specified packages and restore the file contexts.
.TP
.B \-C PREVIOUS_FILECONTEXT
Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and restore the context of all affected files.

.TP
.B \-N time
Only act on files created after the specified date.  Date must be specified in
"YYYY\-MM\-DD HH:MM" format.  Date field will be passed to find \-\-newermt command.

.TP
.B \-M
Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.

.TP
.B -v
Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)

.TP
.B \-T nthreads
Use parallel relabeling, see
.B setfiles(8)

.SH "ARGUMENTS"
One of:
.TP
.B check | verify
print any incorrect file context labels, showing old and new context, but do not change them.
.TP
.B restore
change any incorrect file context labels.
.TP
.B relabel
Prompt for removal of contents of /tmp directory and then change any incorrect file context labels to match the install file_contexts file.
.TP
.B [[dir/file] ... ]
List of files or directories trees that you wish to check file context on.

.SH EXAMPLE
.nf
Relabel the whole filesystem, except paths listed in /etc/selinux/fixfiles_exclude_dirs
# fixfiles relabel
Schedule the machine to relabel on the next boot and force relabeling of customizable types
# fixfiles -F onboot
Check labeling of all files from the samba package (while not changing any labels)
# fixfiles -R samba check

.SH "AUTHOR"
This man page was written by Richard Hally <rhally@mindspring.com>.
The script  was written by Dan Walsh <dwalsh@redhat.com>

.SH "SEE ALSO"
.BR setfiles (8),
.BR restorecon (8)