file_contexts.subs - Linux

Overview

file_contexts.subs is a command-line tool used for managing supplementary file context definitions in SELinux. It allows users to create, modify, and delete extra file contexts beyond those provided by the base policy or other modules. By defining custom contexts, administrators can enforce more granular access control over specific files or directories.

Syntax

file_contexts.subs [-M] [-n] [-e] [-a] [-c] [-v] [-f FILE]

Options/Flags

-M [module-name] – Specify the SELinux policy module to manage file contexts.
-n – Print (but do not commit) any changes.
-e – Remove all file contexts from the specified module.
-a – Append file contexts to the specified module (instead of overwriting).
-c – Check for errors in the specified file but do not perform any operations.
-v – Enable verbose mode to display more detailed output.
-f FILE – Specify a file containing file context definitions.

Examples

Create a new file context:

file_contexts.subs -M mymodule -a -- create /my/file user_u:object_r:myfile_t:s0

Delete an existing file context:

file_contexts.subs -M mymodule -e -- /my/file

Print all file contexts from a module:

file_contexts.subs -M mymodule

Common Issues

Error: Invalid context

The specified file context is not valid. Ensure that the context is properly formatted and adheres to SELinux syntax guidelines.

Error: Module does not exist

The specified SELinux policy module does not exist. Verify that the module is installed and loaded in the kernel.

Integration

file_contexts.subs can be combined with other SELinux tools, such as chcon and restorecon, to manage file contexts across the system. For example, the following command can recursively change the context of a directory and all its contents:

find /my/directory -exec chcon -t my_new_context {} +

Related Commands

semanage fcontext – Manage file contexts in SELinux (alternative tool)
chcon – Change the file context of a file or directory
restorecon – Restore file contexts based on file labels