System Administration Commands                        setfiles(1M)

NAME
     setfiles - assign FMAC security contexts to file system objects

SYNOPSIS
     setfiles [ -dnqvW ] spec-file pathname ...

     setfiles -s filename ... spec-file

DESCRIPTION
     The setfiles command is used to assign flexible mandatory access
     control (FMAC) contexts (labels) to the contents of file systems,
     specified by pathname. The specification file, spec-file, contains
     specification entries that assign security contexts to particular
     files and directories. This command is typically used to initially
     label the file system or to reset it to a known state.

     This command is similar to the setfilecon command, which is used to
     set a single security context on one or more files. The getfilecon
     command is used to show the context for one or more files. See the
     getfilecon(1M) man page.

     The file system must support labeling for the setfiles command to
     label its files and directories.

     Each specification entry has the following form:

          regexp [ type ] ( context | <> )

     o    The regular expression, regexp, represents a file or directory
          to be labeled. By default, regexp is an anchored match: it is
          treated as if it began with a caret character (^) and ended with
          a dollar sign character ($). These characters are added
          automatically. Override this default behavior by using the .*
          characters at the beginning or end of the regular expression, or
          both.

     o    The optional type field specifies the file type as shown in the
          mode field by the ls command. For instance, specify -d to match
          only directories or -- to match only regular files.

     o    The context field specifies the security context to assign to
          the file or directory. If the context value is <>, matching
          files are not relabeled.

     The last matching specification is used.

     setfiles issues a warning when multiple hard links point to a file
     matched by different specifications that apply different security
     contexts.
     The file is still labeled based on the last matching specification
     unless the <> context is specified.

OPTIONS
     The setfiles command supports the following options.

     -d   Shows the specification that matched each file.

     -n   Prevents existing file labels from being changed.

     -q   Enables quiet mode, which suppresses non-error output.

     -s   Specifies the list of files to be labeled from standard input.
          This option cannot be used if the pathname operand is
          specified.

     -v   Shows the changes to file labels.

     -W   Issues warnings about entries that have no matching file.

EXAMPLES
     Example 1 Setting Security Contexts on File System Objects

     This example shows how to use the setfiles command to set security
     contexts on file system objects. The specification file,
     file_contexts, includes specification entries that are used to
     assign contexts to particular files and directories. The example
     shows how the mount and awk commands are used to select the mounted
     ZFS file systems to label.
          $ setfiles -v file_contexts `mount -p | awk '/zfs/{print $3}'`

     The following file_contexts file fragment shows the contexts to
     assign to files and directories in /bin, /var/spool, and /var/log:

          #
          # /bin
          #
          /bin(|/.*)              system_u:object_r:bin_t
          /bin/login              system_u:object_r:login_exec_t
          /bin/tcsh               system_u:object_r:shell_exec_t
          /bin/bash               system_u:object_r:shell_exec_t
          /bin/ash                system_u:object_r:shell_exec_t
          /bin/su                 system_u:object_r:su_exec_t
          /bin/ls                 system_u:object_r:ls_exec_t
          #
          # /var/spool
          #
          /var/spool(|/.*)        system_u:object_r:var_spool_t
          /var/spool/at(|/.*)     system_u:object_r:at_spool_t
          /var/spool/cron(|/.*)   system_u:object_r:cron_spool_t
          /var/spool/lpd(|/.*)    system_u:object_r:lpd_spool_t
          /var/spool/mail(|/.*)   system_u:object_r:mail_spool_t
          /var/spool/mqueue(|/.*) system_u:object_r:mqueue_spool_t
          #
          # /var/log
          #
          /var/log(|/.*)          system_u:object_r:var_log_t
          /var/log/wtmp           system_u:object_r:wtmp_t
          /var/log/sendmail.st    system_u:object_r:sendmail_var_log_t
          /var/log/cron           system_u:object_r:cron_log_t

SEE ALSO
     getfilecon(1M), setfilecon(1M), fmac(5)

SunOS 5.11              Last change: 4 September 2008
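     The following Python program is an added example and is not part of
     this man page or of the Solaris setfiles implementation. It models
     the matching rules described above (anchored regexp, optional ls-style
     type field, <> meaning "leave the label alone", last matching entry
     wins) and the two checks setfiles reports on: names of one inode
     (hard links) that would receive different contexts, and entries that
     match no file (-W). The spec text is the /bin and /var/log fragment
     from the example above plus one constructed entry; the directory
     inventory (paths, ls mode characters, inode numbers) is constructed
     for the example and is not read from a real file system.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Spec(NamedTuple):
    regexp: str                 # entry text exactly as written in the spec file
    pattern: "re.Pattern"       # compiled as ^regexp$ (setfiles anchors both ends)
    ftype: Optional[str]        # ls mode character ('d', '-', ...) or None for any type
    context: Optional[str]      # None stands for '<>': do not relabel


class Decision(NamedTuple):
    context: Optional[str]      # label to apply; None means the file is not relabeled
    regexp: Optional[str]       # winning entry (what 'setfiles -d' shows); None if nothing matched


def parse_spec(text: str) -> List[Spec]:
    """Parse 'regexp [type] (context|<>)' entries; blank and '#' lines are skipped."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regexp, ftype, ctx = fields[0], None, fields[1]
        elif len(fields) == 3 and len(fields[1]) == 2 and fields[1][0] == "-":
            regexp, ftype, ctx = fields[0], fields[1][1], fields[2]   # '-d' -> 'd', '--' -> '-'
        else:
            raise ValueError(f"line {lineno}: malformed entry: {raw!r}")
        # Anchor both ends; an entry that wants a substring match writes .* itself.
        specs.append(Spec(regexp, re.compile("^" + regexp + "$"), ftype,
                          None if ctx == "<>" else ctx))
    return specs


def resolve(specs: List[Spec], path: str, mode_char: str) -> Decision:
    """The last matching entry wins, as setfiles does; type filter applies first."""
    winner: Optional[Spec] = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != mode_char:
            continue
        if spec.pattern.match(path):
            winner = spec
    return Decision(None, None) if winner is None else Decision(winner.context, winner.regexp)


def hard_link_conflicts(specs: List[Spec],
                        entries: List[Tuple[str, str, int]]) -> Dict[int, Dict[str, str]]:
    """Inodes whose different names would be given different contexts (setfiles' warning case)."""
    by_inode: Dict[int, Dict[str, str]] = {}
    for path, mode_char, inode in entries:
        d = resolve(specs, path, mode_char)
        if d.context is not None:
            by_inode.setdefault(inode, {})[path] = d.context
    return {ino: m for ino, m in by_inode.items() if len(set(m.values())) > 1}


def unmatched_entries(specs: List[Spec], entries: List[Tuple[str, str, int]]) -> List[str]:
    """Entries that matched no file in the inventory (what -W warns about), in spec order."""
    seen = set()
    for path, mode_char, _ in entries:
        for spec in specs:
            if (spec.ftype is None or spec.ftype == mode_char) and spec.pattern.match(path):
                seen.add(spec.regexp)
    return [s.regexp for s in specs if s.regexp not in seen]


# /bin and /var/log lines from the man page's file_contexts fragment, plus one
# constructed entry (not from the page) that uses the type field and <>.
FILE_CONTEXTS = """\
#
# /bin
#
/bin(|/.*)        system_u:object_r:bin_t
/bin/login        system_u:object_r:login_exec_t
/bin/tcsh         system_u:object_r:shell_exec_t
/bin/bash         system_u:object_r:shell_exec_t
/bin/su           system_u:object_r:su_exec_t
/bin/ls           system_u:object_r:ls_exec_t
#
# /var/log
#
/var/log(|/.*)    system_u:object_r:var_log_t
/var/log/wtmp     system_u:object_r:wtmp_t
/var/log/cron     system_u:object_r:cron_log_t
# constructed for this example: never relabel the regular file lastlog
/var/log/lastlog  --  <>
"""
SPECS = parse_spec(FILE_CONTEXTS)

# Constructed inventory: (path, ls mode character, inode). /bin/sh and /bin/bash
# share an inode to trigger the hard-link warning.
INVENTORY = [
    ("/bin", "d", 2),
    ("/bin/login", "-", 100),
    ("/bin/ls", "-", 101),
    ("/bin/sh", "-", 102),        # not named in the spec: falls back to bin_t
    ("/bin/bash", "-", 102),      # hard link to /bin/sh, but matches shell_exec_t
    ("/var/log", "d", 300),
    ("/var/log/wtmp", "-", 301),
    ("/var/log/lastlog", "-", 302),
]

if __name__ == "__main__":
    for path, mode_char, _ in INVENTORY:            # roughly what 'setfiles -d -v' reports
        d = resolve(SPECS, path, mode_char)
        print(f"{path:20} {d.regexp!s:18} -> {d.context or '(unchanged)'}")
    for ino, names in hard_link_conflicts(SPECS, INVENTORY).items():
        print(f"warning: inode {ino} has hard links with different contexts: {names}")
    for regexp in unmatched_entries(SPECS, INVENTORY):
        print(f"warning: no file matched entry {regexp}")
```

     Two points the output makes concrete: /var/log/lastlog keeps its
     label only because the constructed entry carries the "--" type; the
     same path seen as a directory falls through to the /var/log(|/.*)
     rule. And the hard-link warning does not change the outcome: one
     inode has one label, so whichever of /bin/sh or /bin/bash setfiles
     labels last decides the context for both names.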