selinux/policycoreutils/setfiles/restorecon_xattr.8

.TH "restorecon_xattr" "8" "24 Sept 2016" "" "SELinux User Command"
.SH "NAME"
restorecon_xattr \- manage
.I security.restorecon_last
extended attribute entries added by
.BR setfiles (8)
or
.BR restorecon (8).

.SH "SYNOPSIS"
.B restorecon_xattr
.RB [ \-d ]
.RB [ \-D ]
.RB [ \-m ]
.RB [ \-n ]
.RB [ \-r ]
.RB [ \-v ]
.RB [ \-e
.IR directory ]
.RB [ \-f
.IR specfile ]
.I pathname

.SH "DESCRIPTION"
.B restorecon_xattr
will display the SHA1 digests added to extended attributes
.I security.restorecon_last
or delete the attribute completely. These attributes are set by
.BR restorecon (8)
or
.BR setfiles (8)
to specified directories when relabeling recursively.
.sp
.B restorecon_xattr
is useful for managing the extended attribute entries particularly when
users forget what directories they ran
.BR restorecon (8)
or
.BR setfiles (8)
from.
.sp
.B RAMFS
and
.B TMPFS
filesystems do not support the
.I security.restorecon_last
extended attribute and are automatically excluded from searches.
.sp
By default
.B restorecon_xattr
will display the SHA1 digests with "Match" appended if they match the default
specfile set or the
.I specfile
set used with the
.B \-f
option. Non-matching SHA1 digests will be displayed with "No Match" appended.
This feature can be disabled by the
.B \-n
option.

.SH "OPTIONS"
.TP
.B \-d
delete all non-matching
.I security.restorecon_last
directory digest entries.
.TP
.B \-D
delete all
.I security.restorecon_last
directory digest entries.
.TP
.B \-m
do not read
.B /proc/mounts
to obtain a list of non-seclabel mounts to be excluded from relabeling checks.
.br
Setting
.B \-m
is useful where there is a non-seclabel fs mounted with a seclabel fs mounted
on a directory below this.
.TP
.B \-n
Do not append "Match" or "No Match" to displayed digests.
.TP
.B \-r
recursively descend directories.
.TP
.B \-v
display SHA1 digest generated by specfile set.
.TP
.B \-e
.I directory
.br
directory to exclude (repeat option for more than one directory).
.TP
.B \-f
.I specfile
.br
an optional
.I specfile
containing file context entries as described in
.BR file_contexts (5).
This will be used by
.BR selabel_open (3)
to retrieve the set of labeling entries, with the SHA1 digest being
retrieved by
.BR selabel_digest (3).
If the option is not specified, then the default file_contexts will be used.

.SH "ARGUMENTS"
.TP
.I pathname
.br
the pathname of the directory tree to be searched.

.SH "SEE ALSO"
.BR restorecon (8),
.BR setfiles (8)
policycoreutils: setfiles - Utility to find security.restorecon_last entries This patch adds restorecon_xattr(8) to find and/or remove security.restorecon_last entries added by setfiles(8) or restorecon(8). Uses the services of selinux_restorecon_xattr(3). Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> 2016-09-26 15:30:30 +00:00			`.TH "restorecon_xattr" "8" "24 Sept 2016" "" "SELinux User Command"`
			`.SH "NAME"`
			`restorecon_xattr \- manage`
			`.I security.restorecon_last`
			`extended attribute entries added by`
			`.BR setfiles (8)`
			`or`
			`.BR restorecon (8).`

			`.SH "SYNOPSIS"`
			`.B restorecon_xattr`
			`.RB [ \-d ]`
			`.RB [ \-D ]`
			`.RB [ \-m ]`
			`.RB [ \-n ]`
			`.RB [ \-r ]`
			`.RB [ \-v ]`
			`.RB [ \-e`
			`.IR directory ]`
			`.RB [ \-f`
			`.IR specfile ]`
			`.I pathname`

			`.SH "DESCRIPTION"`
			`.B restorecon_xattr`
			`will display the SHA1 digests added to extended attributes`
			`.I security.restorecon_last`
			`or delete the attribute completely. These attributes are set by`
			`.BR restorecon (8)`
			`or`
			`.BR setfiles (8)`
			`to specified directories when relabeling recursively.`
			`.sp`
			`.B restorecon_xattr`
			`is useful for managing the extended attribute entries particularly when`
			`users forget what directories they ran`
			`.BR restorecon (8)`
			`or`
			`.BR setfiles (8)`
			`from.`
			`.sp`
			`.B RAMFS`
			`and`
			`.B TMPFS`
			`filesystems do not support the`
			`.I security.restorecon_last`
			`extended attribute and are automatically excluded from searches.`
			`.sp`
			`By default`
			`.B restorecon_xattr`
			`will display the SHA1 digests with "Match" appended if they match the default`
			`specfile set or the`
			`.I specfile`
			`set used with the`
			`.B \-f`
			`option. Non-matching SHA1 digests will be displayed with "No Match" appended.`
			`This feature can be disabled by the`
			`.B \-n`
			`option.`

			`.SH "OPTIONS"`
			`.TP`
			`.B \-d`
			`delete all non-matching`
			`.I security.restorecon_last`
			`directory digest entries.`
			`.TP`
			`.B \-D`
			`delete all`
			`.I security.restorecon_last`
			`directory digest entries.`
			`.TP`
			`.B \-m`
			`do not read`
			`.B /proc/mounts`
			`to obtain a list of non-seclabel mounts to be excluded from relabeling checks.`
			`.br`
			`Setting`
			`.B \-m`
			`is useful where there is a non-seclabel fs mounted with a seclabel fs mounted`
			`on a directory below this.`
			`.TP`
			`.B \-n`
			`Do not append "Match" or "No Match" to displayed digests.`
			`.TP`
			`.B \-r`
			`recursively descend directories.`
			`.TP`
			`.B \-v`
			`display SHA1 digest generated by specfile set.`
			`.TP`
			`.B \-e`
			`.I directory`
			`.br`
			`directory to exclude (repeat option for more than one directory).`
			`.TP`
			`.B \-f`
			`.I specfile`
			`.br`
			`an optional`
			`.I specfile`
			`containing file context entries as described in`
			`.BR file_contexts (5).`
			`This will be used by`
			`.BR selabel_open (3)`
			`to retrieve the set of labeling entries, with the SHA1 digest being`
			`retrieved by`
			`.BR selabel_digest (3).`
			`If the option is not specified, then the default file_contexts will be used.`

			`.SH "ARGUMENTS"`
			`.TP`
			`.I pathname`
			`.br`
			`the pathname of the directory tree to be searched.`

			`.SH "SEE ALSO"`
			`.BR restorecon (8),`
			`.BR setfiles (8)`