mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-14 01:54:42 +00:00
96cedba3e5
This patch allows us to use restorecon on MCS Separated File Systems or MLS Environments, Basically allows a user to check his type enforcement. Signed-off-by: Dan Walsh <dwalsh@redhat.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
132 lines
4.1 KiB
Groff
132 lines
4.1 KiB
Groff
.TH "setfiles" "8" "2002031409" "" ""
|
|
.SH "NAME"
|
|
setfiles \- set SELinux file security contexts.
|
|
|
|
.SH "SYNOPSIS"
|
|
.B setfiles
|
|
.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname...
|
|
.SH "DESCRIPTION"
|
|
This manual page describes the
|
|
.BR setfiles
|
|
program.
|
|
.P
|
|
This program is primarily used to initialize the security context
|
|
fields (extended attributes) on one or more filesystems (or parts of
|
|
them). Usually it is initially run as part of the SELinux installation
|
|
process (a step commonly known as labeling).
|
|
.P
|
|
It can also be run at any other time to correct inconsistent labels, to add
|
|
support for newly-installed policy or, by using the \-n option, to passively
|
|
check whether the file contexts are all set as specified by the active policy
|
|
(default behavior) or by some other policy (see the \-c option).
|
|
.P
|
|
If a file object does not have a context, setfiles will write the default
|
|
context to the file object's extended attributes. If a file object has a
|
|
context, setfiles will only modify the type portion of the security context.
|
|
The -F option will force a replacement of the entire context.
|
|
.SH "OPTIONS"
|
|
.TP
|
|
.B \-c
|
|
check the validity of the contexts against the specified binary policy.
|
|
.TP
|
|
.B \-d
|
|
show what specification matched each file (do not abort validation
|
|
after ABORT_ON_ERRORS errors).
|
|
.TP
|
|
.B \-e directory
|
|
directory to exclude (repeat option for more than one directory).
|
|
.TP
|
|
.B \-f
|
|
take a list of files to be processed from an input file.
|
|
.TP
|
|
.B \-F
|
|
Force reset of context to match file_context for customizable files, and the
|
|
default file context, changing the user, role, range portion as well as the
|
|
type.
|
|
.TP
|
|
.B \-h, \-?
|
|
display usage information and exit.
|
|
.TP
|
|
.B \-i
|
|
ignore files that do not exist.
|
|
.TP
|
|
.B \-l
|
|
log changes in file labels to syslog.
|
|
.TP
|
|
.B \-n
|
|
don't change any file labels (passive check).
|
|
.TP
|
|
.B \-o filename
|
|
save list of files with incorrect context in filename.
|
|
.TP
|
|
.B \-p
|
|
show progress by printing * every STAR_COUNT files.
|
|
.TP
|
|
.B \-q
|
|
suppress non-error output.
|
|
.TP
|
|
.B \-r rootpath
|
|
use an alternate root path.
|
|
.TP
|
|
.B \-s
|
|
take a list of files from standard input instead of using a pathname from the
|
|
command line (equivalent to \-f \-).
|
|
.TP
|
|
.B \-v
|
|
show changes in file labels.
|
|
.TP
|
|
.B \-W
|
|
display warnings about entries that had no matching files.
|
|
.TP
|
|
.B \-0
|
|
the separator for the input items is assumed to be the null character
|
|
(instead of the white space). The quotes and the backslash characters are
|
|
also treated as normal characters that can form valid input.
|
|
This option finally also disables the end of file string, which is treated
|
|
like any other argument. Useful when input items might contain white space,
|
|
quote marks or backslashes. The
|
|
.B -print0
|
|
option of GNU
|
|
.B find
|
|
produces input suitable for this mode.
|
|
|
|
.SH "ARGUMENTS"
|
|
.B spec_file
|
|
The specification file which contains lines of the following form
|
|
.br
|
|
.B regexp [ \-type ] ( context | <<none>> )
|
|
.br
|
|
The regular expression is anchored at both ends. The optional type field
|
|
specifies the file type as shown in the mode field by the
|
|
.B ls(1)
|
|
program, e.g. \-\- to match only regular files or \-d to match only
|
|
directories. The context can be an ordinary security context or the
|
|
string <<none>> to specify that the file is not to have its context
|
|
changed.
|
|
.br
|
|
The last matching specification is used. If there are multiple hard
|
|
links to a file that match different specifications and those
|
|
specifications indicate different security contexts, then a warning is
|
|
displayed but the file is still labeled based on the last matching
|
|
specification other than <<none>>.
|
|
.TP
|
|
.B pathname...
|
|
The pathname for the root directory of each file system to be relabeled
|
|
or a specific directory within a filesystem that should be recursively
|
|
descended and relabeled or the pathname of a file that should be
|
|
relabeled.
|
|
Not used if the
|
|
.B \-f
|
|
or the
|
|
.B \-s
|
|
option is used.
|
|
|
|
.SH "AUTHOR"
|
|
This man page was written by Russell Coker <russell@coker.com.au>.
|
|
The program was written by Stephen Smalley <sds@epoch.ncsc.mil>
|
|
|
|
.SH "SEE ALSO"
|
|
.BR restorecon (8),
|
|
.BR load_policy (8),
|
|
.BR checkpolicy (8)
|