semanage-fcontext(8)semanage-fcontext(8)NAME
semanage fcontext- SELinux Policy Management file context tool
SYNOPSIS
semanage fcontext [-h] [-n] [-N] [-s STORE] [ --add ( -t TYPE -f FTYPE
-r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC ) | --delete ( -t TYPE -f
FTYPE | -e EQUAL ) FILE_SPEC ) | --deleteall | --extract | --list -C |
--modify ( -t TYPE -f FTYPE -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC )
]
DESCRIPTION
semanage is used to configure certain elements of SELinux policy with‐
out requiring modification to or recompilation from policy sources.
semanage fcontext is used to manage the default file system labeling
on an SELinux system. This command maps file paths using regular
expressions to SELinux labels.
OPTIONS-h, --help
show this help message and exit
-n, --noheading
Do not print heading when listing the specified object type
-N, --noreload
Do not reload policy after commit
-C, --locallist
List OBJECTS local customizations
-S STORE, --store STORE
Select an alternate SELinux Policy Store to manage
-a, --add
Add a record of the specified object type
-d, --delete
Delete a record of the specified object type
-m, --modify
Modify a record of the specified object type
-l, --list
List records of the specified object type
-E, --extract
Extract customizable commands, for use within a transaction
-D, --deleteall
Remove all OBJECTS local customizations
-e EQUAL, --equal EQUAL
Substitute target path with sourcepath when generating default
label. This is used with fcontext. Requires source and target
path arguments. The context labeling for the target subtree is
made equivalent to that defined for the source.
-f [{"",--,-d,-c,-b,-s,-l,-p}], --ftype [{"",--,-d,-c,-b,-s,-l,-p}]
File Type. This is used with fcontext. Requires a file type as
shown in the mode field by ls, e.g. use -d to match only direc‐
tories or -- to match only regular files. The following file
type options can be passed: "" (all files),-- (regular file),-d
(directory),-c (character device), -b (block device),-s
(socket),-l (symbolic link),-p (named pipe)
-s SEUSER, --seuser SEUSER
SELinux user name
-t TYPE, --type TYPE
SELinux Type for the object
-r RANGE, --range RANGE
MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for
SELinux login mapping defaults to the SELinux user record range.
SELinux Range for SELinux user defaults to s0.
EXAMPLE
remember to run restorecon after you set the file context
Add file-context for everything under /web
# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
# restorecon -R -v /web
Substitute /home1 with /home when setting file context
# semanage fcontext -a -e /home /home1
# restorecon -R -v /home1
For home directories under top level directory, for example /disk6/home,
execute the following commands.
# semanage fcontext -a -t home_root_t "/disk6"
# semanage fcontext -a -e /home /disk6/home
# restorecon -R -v /disk6
SEE ALSO
selinux (8), semanage (8)
AUTHOR
This man page was written by Daniel Walsh <dwalsh@redhat.com>
20130617 semanage-fcontext(8)
