selinux/policycoreutils/setfiles/restorecon.8
Ondrej Mosnacek 93902fc834 setfiles/restorecon: support parallel relabeling
Use the newly introduced selinux_restorecon_parallel(3) in
setfiles/restorecon and a -T option to both to allow enabling parallel
relabeling. The default behavior without specifying the -T option is to
use 1 thread; parallel relabeling must be requested explicitly by
passing -T 0 (which will use as many threads as there are available CPU
cores) or -T <N>, which will use <N> threads.

=== Benchmarks ===
As measured on a 32-core cloud VM with Fedora 34. Not a fully
representative environment, but still the scaling is quite good.

WITHOUT PATCHES:
$ time restorecon -rn /usr

real    0m21.689s
user    0m21.070s
sys     0m0.494s

WITH PATCHES:
$ time restorecon -rn /usr

real    0m23.940s
user    0m23.127s
sys     0m0.653s
$ time restorecon -rn -T 2 /usr

real    0m13.145s
user    0m25.306s
sys     0m0.695s
$ time restorecon -rn -T 4 /usr

real    0m7.559s
user    0m28.470s
sys     0m1.099s
$ time restorecon -rn -T 8 /usr

real    0m5.186s
user    0m37.450s
sys     0m2.094s
$ time restorecon -rn -T 16 /usr

real    0m3.831s
user    0m51.220s
sys     0m4.895s
$ time restorecon -rn -T 32 /usr

real    0m2.650s
user    1m5.136s
sys     0m6.614s

Note that the benchmarks were performed in read-only mode (-n), so the
labels were only read and looked up in the database, not written. When
fixing labels on a heavily mislabeled system, the scaling would likely
be event better, since a larger % of work could be done in parallel.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2021-11-23 10:03:18 +01:00

239 lines
5.9 KiB
Groff

.TH "restorecon" "8" "10 June 2016" "" "SELinux User Command"
.SH "NAME"
restorecon \- restore file(s) default SELinux security contexts.
.SH "SYNOPSIS"
.B restorecon
.RB [ \-r | \-R ]
.RB [ \-m ]
.RB [ \-n ]
.RB [ \-p ]
.RB [ \-v ]
.RB [ \-i ]
.RB [ \-F ]
.RB [ \-W ]
.RB [ \-I | \-D ]
.RB [ \-x ]
.RB [ \-e
.IR directory ]
.IR pathname \ ...
.P
.B restorecon
.RB [ \-f
.IR infilename ]
.RB [ \-e
.IR directory ]
.RB [ \-r | \-R ]
.RB [ \-m ]
.RB [ \-n ]
.RB [ \-p ]
.RB [ \-v ]
.RB [ \-i ]
.RB [ \-F ]
.RB [ \-W ]
.RB [ \-I | \-D ]
.RB [ \-x ]
.RB [ \-T
.IR nthreads ]
.SH "DESCRIPTION"
This manual page describes the
.BR restorecon
program.
.P
This program is primarily used to set the security context
(extended attributes) on one or more files.
.P
It can also be run at any other time to correct inconsistent labels, to add
support for newly-installed policy or, by using the
.B \-n
option, to passively
check whether the file contexts are all set as specified by the active policy
(default behavior).
.P
If a file object does not have a context,
.B restorecon
will write the default
context to the file object's extended attributes. If a file object has a
context,
.B restorecon
will only modify the type portion of the security context.
The
.B \-F
option will force a replacement of the entire context.
.P
If a file is labeled with
.BR customizable
SELinux type (for list of customizable
types see /etc/selinux/{SELINUXTYPE}/contexts/customizable_types), restorecon
won't reset the label unless the \-F option is used.
.P
It is the same executable as
.BR setfiles
but operates in a slightly different manner depending on its argv[0].
.SH "OPTIONS"
.TP
.BI \-e \ directory
exclude a directory (repeat the option to exclude more than one directory, Requires full path).
.TP
.BI \-f \ infilename
.I infilename
contains a list of files to be processed. Use
.RB \*(lq \- \*(rq
for
.BR stdin .
.TP
.B \-F
Force reset of context to match file_context for customizable files, and the
default file context, changing the user, role, range portion as well as the type.
.TP
.B \-h, \-?
display usage information and exit.
.TP
.B \-i
ignore files that do not exist.
.TP
.B \-I
ignore digest to force checking of labels even if the stored SHA1 digest
matches the specfiles SHA1 digest. The digest will then be updated provided
there are no errors. See the
.B NOTES
section for further details.
.TP
.B \-D
Set or update any directory SHA1 digests. Use this option to
enable usage of the
.IR security.sehash
extended attribute.
.TP
.B \-m
do not read
.B /proc/mounts
to obtain a list of non-seclabel mounts to be excluded from relabeling checks.
Setting this option is useful where there is a non-seclabel fs mounted with a
seclabel fs mounted on a directory below this.
.TP
.B \-n
don't change any file labels (passive check). To display the files whose labels would be changed, add
.BR \-v .
.TP
.BI \-o \ outfilename
Deprecated - This option is no longer supported.
.TP
.B \-p
show progress by printing the number of files in 1k blocks unless relabeling the entire
OS, that will then show the approximate percentage complete. Note that the
.B \-p
and
.B \-v
options are mutually exclusive.
.TP
.B \-R, \-r
change files and directories file labels recursively (descend directories).
.br
.TP
.B \-v
show changes in file labels. Multiple -v options increase the verbosity. Note that the
.B \-v
and
.B \-p
options are mutually exclusive.
.TP
.B \-W
display warnings about entries that had no matching files by outputting the
.BR selabel_stats (3)
results.
.TP
.B \-0
the separator for the input items is assumed to be the null character
(instead of the white space). The quotes and the backslash characters are
also treated as normal characters that can form valid input.
This option finally also disables the end of file string, which is treated
like any other argument. Useful when input items might contain white space,
quote marks or backslashes. The
.B \-print0
option of GNU
.B find
produces input suitable for this mode.
.TP
.B \-x
prevent
.B restorecon
from crossing file system boundaries.
.TP
.BI \-T \ nthreads
use up to
.I nthreads
threads. Specify 0 to create as many threads as there are available
CPU cores; 1 to use only a single thread (default); or any positive
number to use the given number of threads (if possible).
.TP
.SH "ARGUMENTS"
.IR pathname \ ...
The pathname for the file(s) to be relabeled.
.SH "NOTES"
.IP "1." 4
.B restorecon
by default does not operate recursively on directories. Paths leading up the
final component of the file(s) are canonicalized using
.BR realpath (3)
before labeling.
.IP "2." 4
If the
.I pathname
specifies the root directory and the
.B \-vR
or
.B \-vr
options are set and the audit system is running, then an audit event is
automatically logged stating that a "mass relabel" took place using the
message label
.BR FS_RELABEL .
.IP "3." 4
To improve performance when relabeling file systems recursively (i.e. the
.B \-R
or
.B \-r
option is set),
the
.B \-D
option to
.B restorecon
will cause it to store a SHA1 digest of the default specfiles set in an extended
attribute named
.IR security.sehash
on each directory specified in
.IR pathname \ ...
once the relabeling has been completed successfully. These digests will be
checked should
.B restorecon
.B \-D
be rerun with the same
.I pathname
parameters. See
.BR selinux_restorecon (3)
for further details.
.sp
The
.B \-I
option will ignore the SHA1 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
option is NOT set and recursive mode is set, files will be relabeled as
required with the digests then being updated provided there are no errors.
.SH "AUTHOR"
This man page was written by Dan Walsh <dwalsh@redhat.com>.
Some of the content of this man page was taken from the setfiles
man page written by Russell Coker <russell@coker.com.au>.
The program was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
.BR setfiles (8),
.BR fixfiles (8),
.BR load_policy (8),
.BR checkpolicy (8),
.BR customizable_types (5)