restorecon - restore file(s) default SELinux security contexts.
] [-e directory
This manual page describes the restorecon program.
This program is primarily used to set the security context (extended attributes)
on one or more files.
It can also be run at any other time to correct inconsistent labels, to add
support for newly-installed policy or, by using the -n option, to
passively check whether the file contexts are all set as specified by the
active policy (default behavior).
If a file object does not have a context, restorecon will write the
default context to the file object's extended attributes. If a file object has
a context, restorecon will only modify the type portion of the security
context. The -F option will force a replacement of the entire context.
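The rule above, modelled as an added shell example (not part of the original manual page or of restorecon itself). The helper name resulting_context is hypothetical, the sample contexts are constructed, and the special handling of customizable types is not modelled.

```shell
#!/bin/sh
# Model of the context restorecon writes, per the rules described above.
# Illustration only: it does not read policy or touch any file.
#   $1 = current context on the file ("" if the file has none)
#   $2 = default context from the active policy
#   $3 = "force" to model -F, anything else for the default behaviour
resulting_context() {
    cur=$1 def=$2 mode=$3
    # No existing context, or -F given: the whole default context is written.
    if [ -z "$cur" ] || [ "$mode" = "force" ]; then
        printf '%s\n' "$def"
        return 0
    fi
    # Contexts are user:role:type[:range]; the range may itself contain
    # colons (e.g. s0:c1,c2), so only the first three fields are split off.
    cur_user=${cur%%:*};  rest=${cur#*:}
    cur_role=${rest%%:*}; rest=${rest#*:}
    case $rest in
        *:*) cur_range=:${rest#*:} ;;
        *)   cur_range= ;;
    esac
    rest=${def#*:}; rest=${rest#*:}
    def_type=${rest%%:*}
    # Only the type portion is replaced; user, role and range are kept.
    printf '%s:%s:%s%s\n' "$cur_user" "$cur_role" "$def_type" "$cur_range"
}

# Constructed sample contexts (not taken from any real system).
cur='unconfined_u:object_r:default_t:s0:c1,c2'
def='system_u:object_r:httpd_sys_content_t:s0'
resulting_context "$cur" "$def" default   # keeps user and range of $cur
resulting_context "$cur" "$def" force     # full default context
resulting_context ""     "$def" default   # unlabeled file gets the default
```

The first call shows why a file can keep an unexpected user or range after a plain restorecon run: only -F brings those fields back to the policy default.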
It is the same executable as setfiles but operates in a slightly
different manner depending on its argv.
- -e directory
- exclude a directory (repeat the option to exclude more than one directory;
requires full path).
- -f infilename
- infilename contains a list of files to be processed. Use
“-” for stdin.
- -F
- Force reset of context to match file_context for customizable files, and
the default file context, changing the user, role, range portion as well
as the type.
- -h, -?
- display usage information and exit.
- -i
- ignore files that do not exist.
- -I
- ignore digest to force checking of labels even if the stored SHA1 digest
matches the specfiles SHA1 digest. The digest will then be updated
provided there are no errors. See the NOTES section for further
- -D
- Set or update any directory SHA1 digests. Use this option to enable usage
of the security.restorecon_last extended attribute.
- -m
- do not read /proc/mounts to obtain a list of non-seclabel mounts to
be excluded from relabeling checks. Setting this option is useful where
there is a non-seclabel fs mounted with a seclabel fs mounted on a
directory below this.
- -n
- don't change any file labels (passive check). To display the files whose
labels would be changed, add -v.
- -o outfilename
- Deprecated, SELinux policy will probably block this access. Use shell
redirection to save list of files with incorrect context in filename.
- -p
- show progress by printing * every 1000 files, unless relabeling the entire
OS, in which case the approximate percentage complete is shown. Note that the
-p and -v options are mutually exclusive.
- -R, -r
- change files and directories file labels recursively (descend
- -v
- show changes in file labels. Note that the -v and -p options
are mutually exclusive.
- -W
- display warnings about entries that had no matching files by outputting
the selabel_stats(3) results.
- -0
- the separator for the input items is assumed to be the null character
(instead of the white space). The quotes and the backslash characters are
also treated as normal characters that can form valid input. Finally, this
option also disables the end of file string, which is treated like any
other argument. Useful when input items might contain white space, quote
marks or backslashes. The -print0 option of GNU find
produces input suitable for this mode.
- pathname ...
- The pathname for the file(s) to be relabeled.
- restorecon does not follow symbolic links and by default it does
not operate recursively on directories.
- If the pathname specifies the root directory and the -vR or
-vr options are set and the audit system is running, then an audit
event is automatically logged stating that a "mass relabel" took
place using the message label FS_RELABEL.
- To improve performance when relabeling file systems recursively (i.e. the
-R or -r option is set), the -D option to
restorecon will cause it to store a SHA1 digest of the default
specfiles set in an extended attribute named
security.restorecon_last on the directory specified in each
pathname ... once the relabeling has been completed
successfully. This digest will be checked should restorecon
-D be rerun with the same pathname parameters. See
selinux_restorecon(3) for further details.
The -I option will ignore the SHA1 digest from each directory
specified in pathname ... and provided the -n option
is NOT set and recursive mode is set, files will be relabeled as required
with the digest then being updated provided there are no errors.
This man page was written by Dan Walsh <email@example.com>. Some of the
content of this man page was taken from the setfiles man page written by
Russell Coker <firstname.lastname@example.org>. The program was written by Dan