
fixfiles Command in Linux
The fixfiles command in Linux checks and corrects the security context of files on a system. It is part of the SELinux (Security-Enhanced Linux) toolset. It can relabel all mounted filesystems such as ext2, ext3, ext4, xfs, jfs, and btrfs, as long as they are not mounted with a security context mount option.
The /etc/selinux/fixfiles_exclude_dirs file is used to specify the list of directories to exclude from relabeling.
Table of Contents
Here is a comprehensive guide to the options available with the fixfiles command −
- Prerequisites to Use fixfiles Command
- Syntax of fixfiles Command
- Options of fixfiles Command
- Arguments of fixfiles Command
- Examples of fixfiles Command in Linux
Prerequisites to Use fixfiles Command
To use fixfiles on Linux, SELinux must be installed. In various Linux distributions such as Ubuntu, AppArmor is the default Linux Security Module (LSM). SELinux is also an LSM, and AppArmor and SELinux cannot be active at the same time. To use SELinux as the LSM, AppArmor must first be disabled.
To disable AppArmor, use the command given below −
sudo systemctl stop apparmor.service
sudo systemctl disable apparmor.service
Verify it by checking the status −
sudo systemctl status apparmor.service

Now, install SELinux using the command given below −
sudo apt install policycoreutils selinux-basics selinux-utils
To activate SELinux, use the following command −
sudo selinux-activate
Now, reboot the system −
sudo reboot
To verify, use the command given below −
getenforce

The output will indicate either Enforcing, Permissive, or Disabled.
Now, check the status, using the command mentioned below −
sestatus

The output shows that SELinux has been enabled.
To verify if fixfiles is installed, use the following command −
which fixfiles

If the output shows the path to the fixfiles binary, then the command is installed and ready to use.
Syntax of fixfiles Command
The syntax of the Linux fixfiles command is as follows −
fixfiles [options] [arguments] [directory/file]
The [options] field specifies options that modify the command's behavior. The [arguments] field specifies the fixfiles argument, such as verify, check, or restore. The [directory/file] field names the file or directory whose SELinux security context is to be checked.
Note that if [directory/file] is not specified, fixfiles checks the security context of the entire filesystem.
Options of fixfiles Command
The options for the fixfiles command are listed in the following table −
Options | Description |
---|---|
-B | If used with the onboot, it records the current date in the /.autorelabel file, so it can be used later for quick labeling (if used with restore, then the restore will only affect the files modified today) |
-F | It forces resetting file context even for customizable files |
-f | It clears the /tmp directory without a prompt |
-R rpmpackage | It uses the RPM package database to identify files and restore their contexts |
-C previous_filecontext | It runs a diff of the previous_filecontext file against the currently installed one and restores the mismatched contexts |
-N time | It only acts on files created after the specified date |
-M | It bind-mounts filesystems before relabeling them |
-v | It provides verbose output |
-T nthread | It uses parallel relabeling |
Arguments of fixfiles Command
The arguments of the fixfiles command are listed below −
Arguments | Description |
---|---|
check, verify | It displays any incorrect file context labels and shows old and new context without modifying them |
restore | It updates any incorrect file context label |
relabel | It prompts for the removal of /tmp directory contents and updates incorrect file context labels to match the installed file_context file |
[dir/file] | To specify the directory or files for checking the file security context |
Examples of fixfiles Command in Linux
This section demonstrates the usage of the fixfiles command in Linux with examples −
Relabeling the Entire Filesystem
To relabel the entire filesystem, use the fixfiles command with the relabel argument. This operation requires sudo permissions −
sudo fixfiles relabel

It will first prompt to remove any content in the /tmp directory. Upon typing Y/y and pressing Enter, the command will modify any incorrect file context labels to match the SELinux policy file.
Note − Clearing /tmp helps maintain a clean and consistent state for the relabeling operation, ensuring that the SELinux contexts applied are accurate and not affected by temporary or obsolete files.
Checking File Context without Making Changes
To check the file context of the entire filesystem without relabeling, use the check argument −
sudo fixfiles check
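The following script is an added example, not part of the original tutorial. It summarises the output of a dry run so the pending label changes can be reviewed before running restore. It assumes the "Would relabel PATH from OLD to NEW" line format printed by recent restorecon/setfiles versions in verbose dry-run mode; the function names and the sample lines are constructed for illustration −

```shell
#!/bin/sh
# Summarise a fixfiles dry run before committing to "fixfiles restore".
# Assumed input format, one line per mislabeled file:
#   Would relabel PATH from user:role:type:level to user:role:type:level
# Paths containing spaces are not handled by this sketch.

summarize_relabels() {
    # Reads dry-run output on stdin and prints "COUNT OLD_TYPE -> NEW_TYPE",
    # most frequent change first.
    awk '
        $1 == "Would" && $2 == "relabel" && $4 == "from" && $6 == "to" {
            split($5, oldc, ":"); split($7, newc, ":")
            pending[oldc[3] " -> " newc[3]]++
        }
        END { for (k in pending) print pending[k], k }
    ' | sort -k1,1nr -k2
}

paths_with_old_type() {
    # $1 = SELinux type; prints the paths whose current label carries that type.
    awk -v t="$1" '
        $1 == "Would" && $2 == "relabel" && $4 == "from" {
            split($5, oldc, ":")
            if (oldc[3] == t) print $3
        }'
}

# Constructed sample output (not captured from a real system).
sample_check_output() {
    cat <<'EOF'
Would relabel /var/www/html/index.html from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/html/app.js from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/cgi-bin/report.cgi from unconfined_u:object_r:httpd_sys_content_t:s0 to system_u:object_r:httpd_sys_script_exec_t:s0
EOF
}

sample_check_output | summarize_relabels
# On a live system (assumed invocation):
#   sudo fixfiles -v check /var/www 2>&1 | summarize_relabels
```

An unexpectedly large count for one type change usually means files were moved or restored from backup with their old labels, which is worth understanding before relabeling.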

Updating the Incorrect File Context
To update the incorrect file context of the entire filesystem, use the restore argument with the fixfiles command −
sudo fixfiles restore

Note that it does not prompt to remove the contents of the /tmp directory.
Getting Verbose Output
To get a detailed output of the fixfiles command, use the -v option −
sudo fixfiles -v restore
Boosting the Relabeling Process
To speed up the relabeling process, use the -T option which allows parallel relabeling −
sudo fixfiles -T 6 restore
Relabeling Files Created After a Specific Date
To check or relabel files created after a specific date, use the -N option −
sudo fixfiles -N "2024-03-01" relabel
Conclusion
The fixfiles command is a part of the SELinux toolset that is used to check and change the security context of a filesystem. It can also check and modify the file context of a specific directory or file. To use fixfiles on Linux, SELinux tools must be installed and enabled.
In this tutorial, we explained the fixfiles command, its installation, syntax, options, arguments, and usage in Linux with examples.