mirror of
https://github.com/SELinuxProject/selinux
synced 2025-01-26 15:23:02 +00:00
5f844b6991
One thing that confused me when investigating https://github.com/SELinuxProject/selinux/issues/248 (i.e. https://github.com/coreos/fedora-coreos-tracker/issues/512) was that the manual page for `setfiles` seemed to imply that paths were fully resolved. This was consistent with the issues above where `setfiles` was failing because the target of the symbolic link didn't exist. But in fact, the wording around symbolic links in `setfiles`/`restorecon` refers actually to whether the parent directories are canonicalized via `realpath(3)` before labeling. Clarify the man pages to explain this.

Signed-off-by: Jonathan Lebon <jlebon@redhat.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
270 lines
6.6 KiB
Groff
.TH "setfiles" "8" "10 June 2016" "" "SELinux User Command"
.SH "NAME"
setfiles \- set SELinux file security contexts.

.SH "SYNOPSIS"
.B setfiles
.RB [ \-c
.IR policy ]
.RB [ \-d ]
.RB [ \-l ]
.RB [ \-m ]
.RB [ \-n ]
.RB [ \-e
.IR directory ]
.RB [ \-E ]
.RB [ \-p ]
.RB [ \-s ]
.RB [ \-v ]
.RB [ \-W ]
.RB [ \-F ]
.RB [ \-I | \-D ]
.I spec_file
.IR pathname \ ...

.SH "DESCRIPTION"
This manual page describes the
.BR setfiles
program.
.P
This program is primarily used to initialize the security context
fields (extended attributes) on one or more filesystems (or parts of
them). Usually it is initially run as part of the SELinux installation
process (a step commonly known as labeling).
.P
It can also be run at any other time to correct inconsistent labels, to add
support for newly-installed policy or, by using the
.B \-n
option, to passively
check whether the file contexts are all set as specified by the active policy
(default behavior) or by some other policy (see the
.B \-c
option).
.P
If a file object does not have a context,
.B setfiles
will write the default
context to the file object's extended attributes. If a file object has a
context,
.B setfiles
will only modify the type portion of the security context.
The
.B \-F
option will force a replacement of the entire context.
.SH "OPTIONS"
.TP
.B \-c
check the validity of the contexts against the specified binary policy.
.TP
.B \-d
show what specification matched each file (do not abort validation
after ABORT_ON_ERRORS errors).
.TP
.BI \-e \ directory
directory to exclude (repeat option for more than one directory).
.TP
.B \-E
treat conflicting specifications as errors, such as where two hardlinks for
the same inode have different contexts.
.TP
.BI \-f \ infilename
.I infilename
contains a list of files to be processed. Use
.RB \*(lq \- \*(rq
for
.BR stdin .
.TP
.B \-F
Force reset of context to match file_context for customizable files, and the
default file context, changing the user, role, range portion as well as the
type.
.TP
.B \-h, \-?
display usage information and exit.
.TP
.B \-i
ignore files that do not exist.
.TP
.B \-I
ignore digest to force checking of labels even if the stored SHA1 digest
matches the spec_file SHA1 digest. The digest will then be updated provided
there are no errors. See the
.B NOTES
section for further details.
.TP
.B \-D
Set or update any directory SHA1 digests. Use this option to
enable usage of the
.IR security.sehash
extended attribute.
.TP
.B \-l
log changes in file labels to syslog.
.TP
.B \-m
do not read
.B /proc/mounts
to obtain a list of non-seclabel mounts to be excluded from relabeling checks.
Setting this option is useful where there is a non-seclabel fs mounted with a
seclabel fs mounted on a directory below this.
.TP
.B \-n
don't change any file labels (passive check).
.TP
.BI \-o \ outfilename
Deprecated - This option is no longer supported.
.TP
.B \-p
show progress by printing the number of files in 1k blocks, unless relabeling
the entire OS, in which case the approximate percentage complete is shown.
Note that the
.B \-p
and
.B \-v
options are mutually exclusive.
.TP
.B \-q
Deprecated, was only used to stop printing inode association parameters.
.TP
.BI \-r \ rootpath
use an alternate root path. Used in meta-selinux for OpenEmbedded/Yocto builds
to label files under
.I rootpath
as if they were at
.B /
.TP
.B \-s
take a list of files from standard input instead of using a pathname from the
command line (equivalent to
.RB \*(lq "\-f \-" \*(rq
).
.TP
.B \-v
show changes in file labels and output any inode association parameters.
Note that the
.B \-v
and
.B \-p
options are mutually exclusive.
.TP
.B \-W
display warnings about entries that had no matching files by outputting the
.BR selabel_stats (3)
results.
.TP
.B \-0
the separator for the input items is assumed to be the null character
(instead of white space). The quotes and the backslash characters are
also treated as normal characters that can form valid input.
This option also disables the end-of-file string, which is treated
like any other argument. Useful when input items might contain white space,
quote marks or backslashes. The
.B -print0
option of GNU
.B find
produces input suitable for this mode.

.SH "ARGUMENTS"
.TP
.I spec_file
The specification file which contains lines of the following form:
.sp
.RS
.I regexp
.RI [ type ]
.IR context \ |
.B <<none>>
.RS
The regular expression is anchored at both ends. The optional
.I type
field specifies the file type as shown in the mode field by the
.BR ls (1)
program, e.g.
.B \-\-
to match only regular files or
.B \-d
to match only
directories. The
.I context
can be an ordinary security context or the
string
.B <<none>>
to specify that the file is not to have its context
changed.
.br
The last matching specification is used. If there are multiple hard
links to a file that match different specifications and those
specifications indicate different security contexts, then a warning is
displayed but the file is still labeled based on the last matching
specification other than
.BR <<none>> \|.
.RE
.RE
.TP
.IR pathname \ ...
The pathname for the root directory of each file system to be relabeled
or a specific directory within a filesystem that should be recursively
descended and relabeled or the pathname of a file that should be
relabeled.
Not used if the
.B \-f
or the
.B \-s
option is used.

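The spec_file matching rules described under ARGUMENTS, and the "only the type portion changes unless \-F is given" rule from DESCRIPTION, as an added Python model (example code, not part of this manual page or of the selinux project). The spec lines, contexts and paths below are constructed for illustration; the path is matched exactly as written, without resolving parent symbolic links.

```python
import re

# Constructed spec_file contents (example rules only, not a real policy's file_contexts).
SPEC_TEXT = """\
/.*                 system_u:object_r:default_t:s0
/etc(/.*)?          system_u:object_r:etc_t:s0
/etc/shadow      -- system_u:object_r:shadow_t:s0
/run(/.*)?          system_u:object_r:var_run_t:s0
/var/tmp(/.*)?      <<none>>
"""
# Type column as written in a spec_file, mapped to the ls(1) mode letter it stands for.
TYPE_FLAGS = {"--": "-", "-d": "d", "-l": "l", "-c": "c", "-b": "b", "-s": "s", "-p": "p"}

def parse_spec(text):
    """Parse 'regexp [type] context|<<none>>' lines into (compiled regexp, type, context)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) == 2:
            regexp, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in TYPE_FLAGS:
            regexp, ftype, context = fields[0], TYPE_FLAGS[fields[1]], fields[2]
        else:
            raise ValueError(f"line {lineno}: malformed spec line {raw!r}")
        # The regular expression is anchored at both ends, as the manual page states.
        rules.append((re.compile(r"\A(?:" + regexp + r")\Z"), ftype, context))
    return rules

def lookup(rules, path, ftype="-"):
    """Context for path: the last matching spec wins, a spec with a type field only
    matches objects of that type, and the path is matched as given (no realpath)."""
    chosen = None
    for regexp, want_type, context in rules:
        if (want_type is None or want_type == ftype) and regexp.match(path):
            chosen = context  # keep scanning: a later match overrides this one
    return chosen

def new_context(current, wanted, force=False):
    """Without -F an existing context keeps its user, role and range and only the
    type changes; with -F, or when the object has no context, the whole context is set."""
    if wanted is None or wanted == "<<none>>":
        return current  # no matching spec, or <<none>>: leave the object alone
    if current is None or force:
        return wanted
    parts = current.split(":", 3)  # user:role:type[:range]; the range may contain ':'
    parts[2] = wanted.split(":", 3)[2]
    return ":".join(parts)
```

With these rules, /var/run/foo.pid gets default_t even if /var/run is a symbolic link to /run, because the path is matched as written, which is what note 1 under NOTES is about.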
.SH "NOTES"
.IP "1." 4
.B setfiles
operates recursively on directories. Paths leading up to the final
component of the file(s) are not canonicalized before labeling.
.IP "2." 4
If the
.I pathname
specifies the root directory and the
.B \-v
option is set and the audit system is running, then an audit event is
automatically logged stating that a "mass relabel" took place using the
message label
.BR FS_RELABEL .
.IP "3." 4
To improve performance when relabeling file systems recursively
the
.B \-D
option to
.B setfiles
will cause it to store a SHA1 digest of the
.B spec_file
set in an extended attribute named
.IR security.sehash
on each directory specified in
.IR pathname \ ...
once the relabeling has been completed successfully. These digests will be
checked should
.B setfiles
.B \-D
be rerun
with the same
.I spec_file
and
.I pathname
parameters. See
.BR selinux_restorecon (3)
for further details.
.sp
The
.B \-I
option will ignore the SHA1 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
option is NOT set, files will be relabeled as required with the digests then
being updated provided there are no errors.

.SH "AUTHOR"
This man page was written by Russell Coker <russell@coker.com.au>.
The program was written by Stephen Smalley <sds@tycho.nsa.gov>.

.SH "SEE ALSO"
.BR restorecon (8),
.BR load_policy (8),
.BR checkpolicy (8)