selinux/policycoreutils/setfiles/setfiles.8
Dan Walsh 96cedba3e5 policycoreutils: restorecon: only update type by default
This patch allows us to use restorecon on MCS Separated File Systems or MLS
Environments,  Basically allows a user to check his type enforcement.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-09-12 12:16:02 -04:00

132 lines
4.1 KiB
Groff

.TH "setfiles" "8" "2002031409" "" ""
.SH "NAME"
setfiles \- set SELinux file security contexts.
.SH "SYNOPSIS"
.B setfiles
.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname...
.SH "DESCRIPTION"
This manual page describes the
.BR setfiles
program.
.P
This program is primarily used to initialize the security context
fields (extended attributes) on one or more filesystems (or parts of
them). Usually it is initially run as part of the SELinux installation
process (a step commonly known as labeling).
.P
It can also be run at any other time to correct inconsistent labels, to add
support for newly-installed policy or, by using the \-n option, to passively
check whether the file contexts are all set as specified by the active policy
(default behavior) or by some other policy (see the \-c option).
.P
If a file object does not have a context, setfiles will write the default
context to the file object's extended attributes. If a file object has a
context, setfiles will only modify the type portion of the security context.
The -F option will force a replacement of the entire context.
.SH "OPTIONS"
.TP
.B \-c
check the validity of the contexts against the specified binary policy.
.TP
.B \-d
show what specification matched each file (do not abort validation
after ABORT_ON_ERRORS errors).
.TP
.B \-e directory
directory to exclude (repeat option for more than one directory).
.TP
.B \-f
take a list of files to be processed from an input file.
.TP
.B \-F
Force reset of context to match file_context for customizable files, and the
default file context, changing the user, role, range portion as well as the
type.
.TP
.B \-h, \-?
display usage information and exit.
.TP
.B \-i
ignore files that do not exist.
.TP
.B \-l
log changes in file labels to syslog.
.TP
.B \-n
don't change any file labels (passive check).
.TP
.B \-o filename
save list of files with incorrect context in filename.
.TP
.B \-p
show progress by printing * every STAR_COUNT files.
.TP
.B \-q
suppress non-error output.
.TP
.B \-r rootpath
use an alternate root path.
.TP
.B \-s
take a list of files from standard input instead of using a pathname from the
command line (equivalent to \-f \-).
.TP
.B \-v
show changes in file labels.
.TP
.B \-W
display warnings about entries that had no matching files.
.TP
.B \-0
the separator for the input items is assumed to be the null character
(instead of the white space). The quotes and the backslash characters are
also treated as normal characters that can form valid input.
This option finally also disables the end of file string, which is treated
like any other argument. Useful when input items might contain white space,
quote marks or backslashes. The
.B -print0
option of GNU
.B find
produces input suitable for this mode.
.SH "ARGUMENTS"
.B spec_file
The specification file which contains lines of the following form
.br
.B regexp [ \-type ] ( context | <<none>> )
.br
The regular expression is anchored at both ends. The optional type field
specifies the file type as shown in the mode field by the
.B ls(1)
program, e.g. \-\- to match only regular files or \-d to match only
directories. The context can be an ordinary security context or the
string <<none>> to specify that the file is not to have its context
changed.
.br
The last matching specification is used. If there are multiple hard
links to a file that match different specifications and those
specifications indicate different security contexts, then a warning is
displayed but the file is still labeled based on the last matching
specification other than <<none>>.
.TP
.B pathname...
The pathname for the root directory of each file system to be relabeled
or a specific directory within a filesystem that should be recursively
descended and relabeled or the pathname of a file that should be
relabeled.
Not used if the
.B \-f
or the
.B \-s
option is used.
.SH "AUTHOR"
This man page was written by Russell Coker <russell@coker.com.au>.
The program was written by Stephen Smalley <sds@epoch.ncsc.mil>
.SH "SEE ALSO"
.BR restorecon (8),
.BR load_policy (8),
.BR checkpolicy (8)