Provided by: policycoreutils-python-utils_3.4-1_all bug

NAME
       semanage-fcontext - SELinux Policy Management file context tool


SYNOPSIS
       semanage  fcontext [-h] [-n] [-N] [-S STORE] [ --add ( -t TYPE -f FTYPE -r RANGE -s SEUSER
       | -e EQUAL ) FILE_SPEC | --delete ( -t TYPE -f FTYPE | -e EQUAL ) FILE_SPEC |  --deleteall
       |  --extract  |  --list [-C] | --modify ( -t TYPE -f FTYPE -r RANGE -s SEUSER | -e EQUAL )
       FILE_SPEC ]


DESCRIPTION
       semanage is used to  configure  certain  elements  of  SELinux  policy  without  requiring
       modification  to  or  recompilation  from  policy  sources.   semanage fcontext is used to
       manage the default file system labeling on an SELinux  system.   This  command  maps  file
       paths using regular expressions to SELinux labels.

       FILE_SPEC  may  contain  either  a  fully  qualified  path,  or  a Perl compatible regular
       expression (PCRE), describing fully qualified path(s).  The  only  PCRE  flag  in  use  is
       PCRE2_DOTALL,  which  causes  a  wildcard  '.'  to  match  anything, including a new line.
       Strings representing paths are processed as bytes (as opposed to  Unicode),  meaning  that
       non-ASCII characters are not matched by a single wildcard.

       Note,  that  file context definitions specified using 'semanage fcontext' (i.e. local file
       context modifications stored in  file_contexts.local)  have  higher  priority  than  those
       specified  in  policy  modules.   This  means that whenever a match for given file path is
       found in file_contexts.local, no other file context definitions are  considered.   Entries
       in  file_contexts.local are processed from most recent one to the oldest, with first match
       being used (as opposed to the most specific match, which is used when matching other  file
       context  definitions).   All  regular  expressions  should  therefore  be  as  specific as
       possible, to avoid unintentionally impacting other parts of the filesystem.


OPTIONS
       -h, --help
              show this help message and exit

       -n, --noheading
              Do not print heading when listing the specified object type

       -N, --noreload
              Do not reload policy after commit

       -C, --locallist
              List local customizations

       -S STORE, --store STORE
              Select an alternate SELinux Policy Store to manage

       -a, --add
              Add a record of the specified object type

       -d, --delete
              Delete a record of the specified object type

       -m, --modify
              Modify a record of the specified object type

       -l, --list
              List records of the specified object type

       -E, --extract
              Extract customizable commands, for use within a transaction

       -D, --deleteall
              Remove all local customizations

       -e EQUAL, --equal EQUAL
              Substitute target path with sourcepath when generating default label. This is  used
              with  fcontext. Requires source and target path arguments. The context labeling for
              the target subtree is made equivalent to that defined for the source.

       -f [{a,f,d,c,b,s,l,p}], --ftype [{a,f,d,c,b,s,l,p}]
              File Type. This is used with fcontext. Requires a file type as shown  in  the  mode
              field  by  ls,  e.g. use 'd' to match only directories or 'f' to match only regular
              files.  The  following  file  type  options  can  be  passed:  f  (regular  file),d
              (directory),c  (character  device), b (block device),s (socket),l (symbolic link),p
              (named pipe).  If you do not specify a file type, the file  type  will  default  to
              "all files".

       -s SEUSER, --seuser SEUSER
              SELinux user name

       -t TYPE, --type TYPE
              SELinux Type for the object

       -r RANGE, --range RANGE
              MLS/MCS  Security  Range  (MLS/MCS  Systems  only)  SELinux Range for SELinux login
              mapping defaults to the SELinux user record range. SELinux Range for  SELinux  user
              defaults to s0.


EXAMPLE
       remember to run restorecon after you set the file context
       Add file-context for everything under /web
       # semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
       # restorecon -R -v /web

       Substitute /home1 with /home when setting file context
       # semanage fcontext -a -e /home /home1
       # restorecon -R -v /home1

       For home directories under top level directory, for example /disk6/home,
       execute the following commands.
       # semanage fcontext -a -t home_root_t "/disk6"
       # semanage fcontext -a -e /home /disk6/home
       # restorecon -R -v /disk6


SEE ALSO
       selinux(8), semanage(8)


AUTHOR
       This man page was written by Daniel Walsh <dwalsh@redhat.com>

                                             20130617                        semanage-fcontext(8)