selinux/policycoreutils/setfiles/restorecon_xattr.8
Richard Haines f1352e7399 policycoreutils: setfiles - Utility to find security.restorecon_last entries
This patch adds restorecon_xattr(8) to find and/or remove
security.restorecon_last entries added by setfiles(8) or
restorecon(8). Uses the services of selinux_restorecon_xattr(3).

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2016-09-26 14:05:58 -04:00

120 lines
2.4 KiB
Groff

.TH "restorecon_xattr" "8" "24 Sept 2016" "" "SELinux User Command"
.SH "NAME"
restorecon_xattr \- manage
.I security.restorecon_last
extended attribute entries added by
.BR setfiles (8)
or
.BR restorecon (8).
.SH "SYNOPSIS"
.B restorecon_xattr
.RB [ \-d ]
.RB [ \-D ]
.RB [ \-m ]
.RB [ \-n ]
.RB [ \-r ]
.RB [ \-v ]
.RB [ \-e
.IR directory ]
.RB [ \-f
.IR specfile ]
.I pathname
.SH "DESCRIPTION"
.B restorecon_xattr
will display the SHA1 digests added to extended attributes
.I security.restorecon_last
or delete the attribute completely. These attributes are set by
.BR restorecon (8)
or
.BR setfiles (8)
to specified directories when relabeling recursively.
.sp
.B restorecon_xattr
is useful for managing the extended attribute entries particularly when
users forget what directories they ran
.BR restorecon (8)
or
.BR setfiles (8)
from.
.sp
.B RAMFS
and
.B TMPFS
filesystems do not support the
.I security.restorecon_last
extended attribute and are automatically excluded from searches.
.sp
By default
.B restorecon_xattr
will display the SHA1 digests with "Match" appended if they match the default
specfile set or the
.I specfile
set used with the
.B \-f
option. Non-matching SHA1 digests will be displayed with "No Match" appended.
This feature can be disabled by the
.B \-n
option.
.SH "OPTIONS"
.TP
.B \-d
delete all non-matching
.I security.restorecon_last
directory digest entries.
.TP
.B \-D
delete all
.I security.restorecon_last
directory digest entries.
.TP
.B \-m
do not read
.B /proc/mounts
to obtain a list of non-seclabel mounts to be excluded from relabeling checks.
.br
Setting
.B \-m
is useful where there is a non-seclabel fs mounted with a seclabel fs mounted
on a directory below this.
.TP
.B \-n
Do not append "Match" or "No Match" to displayed digests.
.TP
.B \-r
recursively descend directories.
.TP
.B \-v
display SHA1 digest generated by specfile set.
.TP
.B \-e
.I directory
.br
directory to exclude (repeat option for more than one directory).
.TP
.B \-f
.I specfile
.br
an optional
.I specfile
containing file context entries as described in
.BR file_contexts (5).
This will be used by
.BR selabel_open (3)
to retrieve the set of labeling entries, with the SHA1 digest being
retrieved by
.BR selabel_digest (3).
If the option is not specified, then the default file_contexts will be used.
.SH "ARGUMENTS"
.TP
.I pathname
.br
the pathname of the directory tree to be searched.
.SH "SEE ALSO"
.BR restorecon (8),
.BR setfiles (8)