Provided by: policycoreutils_3.7-2_amd64
NAME
restorecon - restore file(s) default SELinux security contexts.
SYNOPSIS
restorecon [-r|-R] [-m] [-n] [-p] [-v] [-i] [-F] [-W] [-I|-D] [-x] [-e directory] pathname ... restorecon [-f infilename] [-e directory] [-r|-R] [-m] [-n] [-p] [-v] [-i] [-F] [-W] [-I|-D] [-x] [-T nthreads]
DESCRIPTION
This manual page describes the restorecon program. This program is primarily used to set the security context (extended attributes) on one or more files. It can also be run at any other time to correct inconsistent labels, to add support for newly-installed policy or, by using the -n option, to passively check whether the file contexts are all set as specified by the active policy (default behavior). If a file object does not have a context, restorecon will write the default context to the file object's extended attributes. If a file object has a context, restorecon will only modify the type portion of the security context. The -F option will force a replacement of the entire context. If a file is labeled with customizable SELinux type (for list of customizable types see /etc/selinux/{SELINUXTYPE}/contexts/customizable_types), restorecon won't reset the label unless the -F option is used. It is the same executable as setfiles but operates in a slightly different manner depending on its argv[0].
OPTIONS
-e directory exclude a directory (repeat the option to exclude more than one directory, Requires full path). -f infilename infilename contains a list of files to be processed. Use “-” for stdin. -F Force reset of context to match file_context for customizable files, and the default file context, changing the user, role, range portion as well as the type. -h, -? display usage information and exit. -i ignore files that do not exist. -I ignore digest to force checking of labels even if the stored SHA1 digest matches the specfiles SHA1 digest. The digest will then be updated provided there are no errors. See the NOTES section for further details. -D Set or update any directory SHA1 digests. Use this option to enable usage of the security.sehash extended attribute. -m do not read /proc/mounts to obtain a list of non-seclabel mounts to be excluded from relabeling checks. Setting this option is useful where there is a non- seclabel fs mounted with a seclabel fs mounted on a directory below this. -n don't change any file labels (passive check). To display the files whose labels would be changed, add -v. -o outfilename Deprecated - This option is no longer supported. -p show progress by printing the number of files in 1k blocks unless relabeling the entire OS, that will then show the approximate percentage complete. Note that the -p and -v options are mutually exclusive. -R, -r change files and directories file labels recursively (descend directories). -v show changes in file labels. Multiple -v options increase the verbosity. Note that the -v and -p options are mutually exclusive. -W display warnings about entries that had no matching files by outputting the selabel_stats(3) results. -0 the separator for the input items is assumed to be the null character (instead of the white space). The quotes and the backslash characters are also treated as normal characters that can form valid input. This option finally also disables the end of file string, which is treated like any other argument. Useful when input items might contain white space, quote marks or backslashes. The -print0 option of GNU find produces input suitable for this mode. -x prevent restorecon from crossing file system boundaries. -T nthreads use up to nthreads threads. Specify 0 to create as many threads as there are available CPU cores; 1 to use only a single thread (default); or any positive number to use the given number of threads (if possible). ARGUMENTS pathname ... The pathname for the file(s) to be relabeled.
NOTES
1. restorecon by default does not operate recursively on directories. Paths leading up the final component of the file(s) are canonicalized using realpath(3) before labeling. 2. If the pathname specifies the root directory and the -vR or -vr options are set and the audit system is running, then an audit event is automatically logged stating that a "mass relabel" took place using the message label FS_RELABEL. 3. To improve performance when relabeling file systems recursively (i.e. the -R or -r option is set), the -D option to restorecon will cause it to store a SHA1 digest of the default specfiles set in an extended attribute named security.sehash on each directory specified in pathname ... once the relabeling has been completed successfully. These digests will be checked should restorecon -D be rerun with the same pathname parameters. See selinux_restorecon(3) for further details. The -I option will ignore the SHA1 digest from each directory specified in pathname ... and provided the -n option is NOT set and recursive mode is set, files will be relabeled as required with the digests then being updated provided there are no errors.
EXAMPLE
Fix labeling of /var/www/ including all sub-directories and list all context changes # restorecon -rv /var/www/ List mislabeled files in user home directory and what the correct label should be # restorecon -nvr ~ Fix labeling of files listed in file_list file, ignoring any that do not exist # restorecon -vif file_list
AUTHOR
This man page was written by Dan Walsh <dwalsh@redhat.com>. Some of the content of this man page was taken from the setfiles man page written by Russell Coker <russell@coker.com.au>. The program was written by Dan Walsh <dwalsh@redhat.com>.
SEE ALSO
setfiles(8), fixfiles(8), load_policy(8), checkpolicy(8), customizable_types(5) 10 June 2016 restorecon(8)