fixfiles Command in Linux



The fixfiles command in Linux checks and corrects the SELinux security context (label) of files on a system. It is part of the SELinux (Security-Enhanced Linux) toolset. It can relabel all mounted filesystems of types such as ext2, ext3, ext4, xfs, jfs, and btrfs, as long as they are not mounted with a security context mount option.

The /etc/selinux/fixfiles_exclude_dirs file is used to specify the list of directories to exclude from relabeling.


Prerequisites to Use fixfiles Command

To use fixfiles on Linux, SELinux must be installed. On some Linux distributions, such as Ubuntu, AppArmor is the default Linux Security Module (LSM). SELinux is also an LSM, and AppArmor and SELinux cannot be active at the same time. To use SELinux as the LSM, AppArmor must first be disabled.

To disable AppArmor, use the command given below −

sudo systemctl stop apparmor.service
sudo systemctl disable apparmor.service

Verify it by checking the status −

sudo systemctl status apparmor.service

Now, install SELinux using the command given below −

sudo apt install policycoreutils selinux-basics selinux-utils

To activate SELinux, use the following command −

sudo selinux-activate

Now, reboot the system −

sudo reboot

To verify, use the command given below −

getenforce

The output will indicate either Enforcing, Permissive, or Disabled.

Now, check the status, using the command mentioned below −

sestatus

The output shows that SELinux has been enabled.

To verify if fixfiles is installed, use the following command −

which fixfiles

If the output shows the path to the fixfiles executable, then the command is installed and ready to use.

Syntax of fixfiles Command

The syntax of the Linux fixfiles command is as follows −

fixfiles [options] [arguments] [directory/file]

The [options] field specifies options that modify the command's behavior. The [arguments] field specifies the fixfiles argument, such as verify, check, or restore. The [directory/file] field names the file or directory whose SELinux security context is to be checked.

Note that if [directory/file] is not specified, fixfiles will check the security context of the entire filesystem.

Options of fixfiles Command

The options for the fixfiles command are listed in the following table −

| Option | Description |
|---|---|
| -B | If used with onboot, it records the current date in the /.autorelabel file, so it can be used later for quick labeling (if used with restore, the restore will only affect the files modified today) |
| -F | It forces resetting the file context even for customizable files |
| -f | It clears the /tmp directory without a prompt |
| -R rpmpackage | It uses the RPM package database to identify files and restore their contexts |
| -C previous_filecontext | It runs a diff of the previous_filecontext file against the currently installed one and restores the mismatched contexts |
| -N time | It only acts on files created after the specified date |
| -M | It bind-mounts filesystems before relabeling them |
| -v | It provides verbose output |
| -T nthread | It relabels in parallel using the given number of threads |

Arguments of fixfiles Command

The arguments of the fixfiles command are listed below −

| Argument | Description |
|---|---|
| check or verify | It displays any incorrect file context labels and shows the old and new context without modifying them |
| restore | It updates any incorrect file context label |
| relabel | It prompts for the removal of the /tmp directory contents and updates incorrect file context labels to match the installed file_contexts file |
| [dir/file] | It specifies the directories or files whose security context is checked |

Examples of fixfiles Command in Linux

This section demonstrates the usage of the fixfiles command in Linux with examples −

Relabeling the Entire Filesystem

To relabel the entire filesystem, use the fixfiles command with the relabel argument. This operation requires sudo privileges −

sudo fixfiles relabel

It will first prompt to remove any content in the /tmp directory. Upon typing Y/y and pressing Enter, the command will modify any incorrect file context labels to match the SELinux policy file.

Note − Clearing /tmp helps maintain a clean and consistent state for the relabeling operation, ensuring that the SELinux contexts applied are accurate and not affected by temporary or obsolete files.

Checking File Context without Making Changes

To check the file context of the entire filesystem without relabeling, use the check argument −

sudo fixfiles check

Updating the Incorrect File Context

To update the incorrect file context of the entire filesystem, use the restore argument with the fixfiles command −

sudo fixfiles restore

Note that it does not prompt to remove the contents of the /tmp directory.
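
The following added example (not from the original tutorial) summarizes a fixfiles check report by type transition, so the pending changes can be reviewed before running restore. It assumes report lines of the form "Would relabel PATH from OLD to NEW"; the function names and the sample report are constructed for illustration.

```shell
#!/bin/sh
# Added example: review a `fixfiles check` report before running restore.
# Assumption: report lines read "Would relabel PATH from OLD to NEW", with
# contexts written as user:role:type[:level].

# Constructed sample report (not real output from any system).
sample_check_output() {
    cat <<'EOF'
Would relabel /var/www/html/index.html from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/html/site logo.png from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /etc/shadow from system_u:object_r:etc_t:s0 to system_u:object_r:shadow_t:s0
this constructed line is not a relabel record and is ignored
EOF
}

# Print "OLD_TYPE -> NEW_TYPE COUNT" for each type transition read on stdin.
summarize_check() {
    awk '
        $1 == "Would" && $2 == "relabel" && NF >= 7 &&
        $(NF-3) == "from" && $(NF-1) == "to" {
            split($(NF-2), oldc, ":"); split($NF, newc, ":")
            count[oldc[3] " -> " newc[3]]++
        }
        END { for (t in count) print t, count[t] }
    ' | sort
}

# Print the paths that would be relabeled to the type given as $1.
paths_for_type() {
    awk -v want="$1" '
        $1 == "Would" && $2 == "relabel" && NF >= 7 &&
        $(NF-3) == "from" && $(NF-1) == "to" {
            split($NF, newc, ":")
            if (newc[3] != want) next
            path = $3                       # rebuild paths containing spaces
            for (i = 4; i <= NF - 4; i++) path = path " " $i
            print path
        }
    '
}

# On an SELinux host the report would come from: sudo fixfiles -v check 2>&1
sample_check_output | summarize_check
sample_check_output | paths_for_type shadow_t
```

A transition such as etc_t -> shadow_t on /etc/shadow is the kind of entry worth confirming before running restore.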

Getting Verbose Output

To get a detailed output of the fixfiles command, use the -v option −

sudo fixfiles -v restore

Boosting the Relabeling Process

To speed up the relabeling process, use the -T option which allows parallel relabeling −

sudo fixfiles -T 6 restore

Relabeling Files Created After a Specific Date

To check or relabel files created after a specific date, use the -N option −

sudo fixfiles -N "2024-03-01" relabel

Conclusion

The fixfiles command is a part of the SELinux toolset that is used to check and change the security context of a filesystem. It can also check and modify the file context of a specific directory or file. To use fixfiles on Linux, SELinux tools must be installed and enabled.

In this tutorial, we explained the fixfiles command, its installation, syntax, options, arguments, and usage in Linux with examples.
