Mirror of https://github.com/SELinuxProject/selinux, synced 2024-12-24 23:12:05 +00:00. Commit 93902fc834:
Use the newly introduced selinux_restorecon_parallel(3) in setfiles/restorecon and a -T option to both to allow enabling parallel relabeling. The default behavior without specifying the -T option is to use 1 thread; parallel relabeling must be requested explicitly by passing -T 0 (which will use as many threads as there are available CPU cores) or -T <N>, which will use <N> threads.

=== Benchmarks ===

As measured on a 32-core cloud VM with Fedora 34. Not a fully representative environment, but still the scaling is quite good.

WITHOUT PATCHES:

$ time restorecon -rn /usr
real 0m21.689s
user 0m21.070s
sys 0m0.494s

WITH PATCHES:

$ time restorecon -rn /usr
real 0m23.940s
user 0m23.127s
sys 0m0.653s

$ time restorecon -rn -T 2 /usr
real 0m13.145s
user 0m25.306s
sys 0m0.695s

$ time restorecon -rn -T 4 /usr
real 0m7.559s
user 0m28.470s
sys 0m1.099s

$ time restorecon -rn -T 8 /usr
real 0m5.186s
user 0m37.450s
sys 0m2.094s

$ time restorecon -rn -T 16 /usr
real 0m3.831s
user 0m51.220s
sys 0m4.895s

$ time restorecon -rn -T 32 /usr
real 0m2.650s
user 1m5.136s
sys 0m6.614s

Note that the benchmarks were performed in read-only mode (-n), so the labels were only read and looked up in the database, not written. When fixing labels on a heavily mislabeled system, the scaling would likely be even better, since a larger % of work could be done in parallel.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
239 lines
5.9 KiB
Groff
.TH "restorecon" "8" "10 June 2016" "" "SELinux User Command"
.SH "NAME"
restorecon \- restore file(s) default SELinux security contexts.
.SH "SYNOPSIS"
.B restorecon
.RB [ \-r | \-R ]
.RB [ \-m ]
.RB [ \-n ]
.RB [ \-p ]
.RB [ \-v ]
.RB [ \-i ]
.RB [ \-F ]
.RB [ \-W ]
.RB [ \-I | \-D ]
.RB [ \-x ]
.RB [ \-e
.IR directory ]
.RB [ \-T
.IR nthreads ]
.IR pathname \ ...
.P
.B restorecon
.RB [ \-0 ]
.RB [ \-f
.IR infilename ]
.RB [ \-e
.IR directory ]
.RB [ \-r | \-R ]
.RB [ \-m ]
.RB [ \-n ]
.RB [ \-p ]
.RB [ \-v ]
.RB [ \-i ]
.RB [ \-F ]
.RB [ \-W ]
.RB [ \-I | \-D ]
.RB [ \-x ]
.RB [ \-T
.IR nthreads ]
.SH "DESCRIPTION"
This manual page describes the
.BR restorecon
program.
.P
This program is primarily used to set the security context
(extended attributes) on one or more files.
.P
It can also be run at any other time to correct inconsistent labels, to add
support for newly-installed policy or, by using the
.B \-n
option, to passively check whether the file contexts are all set as specified
by the active policy (the file context specification used by default).
.P
If a file object does not have a context,
.B restorecon
will write the default context to the file object's extended attributes. If a
file object already has a context,
.B restorecon
will only modify the type portion of the security context, leaving the user,
role and range portions as they are.
The
.B \-F
option will force a replacement of the entire context.
.P
If a file is labeled with a
.B customizable
SELinux type (for the list of customizable types see
.IR /etc/selinux/{SELINUXTYPE}/contexts/customizable_types ),
.B restorecon
will not reset the label unless the
.B \-F
option is used.
.P
It is the same executable as
.BR setfiles
but operates in a slightly different manner depending on its argv[0].
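.P
The following is an added example, not code from this manual page or from the
selinux project. It turns a dry run (\fB\-n \-v\fP) into a label audit and
builds on the type-only behaviour described above: because a plain run of
.B restorecon
only rewrites the type, a dry run with
.B \-F
is needed to see user, role or range drift as well, and the script classifies
each reported file as fixable by a plain run or as needing
.BR \-F .
The "Would relabel PATH from OLD to NEW" line layout, the sample lines and the
helper names are this example's own assumptions.
.P
```sh
#!/bin/sh
# Added example, not part of the selinux project: classify restorecon dry-run
# output. Assumes the verbose line layout "Would relabel PATH from OLD to NEW".

# classify_relabel_lines: read restorecon -n -v output on stdin and print
#   "type-only PATH"     when only the type field differs (a plain run fixes it)
#   "full-context PATH"  when user, role or range differ too (needs -F)
# Other lines (warnings, "Relabeled ..." from a non-dry run) are ignored.
classify_relabel_lines() {
    awk '
    # ctx_split(c, out): split user:role:type:range into out[]. An MLS range
    # such as s0-s0:c0.c1023 contains ":" itself, so only the first three
    # separators are significant.
    function ctx_split(c, out,    p, n, i, r) {
        n = split(c, p, ":")
        out["user"] = p[1]; out["role"] = p[2]; out["type"] = p[3]
        r = p[4]
        for (i = 5; i <= n; i++) r = r ":" p[i]
        out["range"] = r
    }
    # Walk in from the end of the line: contexts never contain spaces, but a
    # path may, so the path is everything between "relabel" and "from".
    NF >= 7 && $1 == "Would" && $2 == "relabel" && $(NF-3) == "from" && $(NF-1) == "to" {
        path = $3
        for (i = 4; i <= NF-4; i++) path = path " " $i
        ctx_split($(NF-2), oc); ctx_split($NF, nc)
        if (oc["user"] == nc["user"] && oc["role"] == nc["role"] && oc["range"] == nc["range"])
            print "type-only", path
        else
            print "full-context", path
    }'
}

# audit_labels PATH...: run the real dry run and fail (exit 1) when anything
# would change, so it can gate a CI job or a config-management run.
# -R recurse, -n dry run, -v report, -F compare the whole context,
# -T 0 use all CPU cores (omit -T on a restorecon that predates the option).
audit_labels() {
    drift=$(restorecon -R -n -v -F -T 0 "$@" | classify_relabel_lines)
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# sample_dry_run: constructed stand-in for "restorecon -R -n -v -F" output,
# so the classifier can be exercised on a host without SELinux.
sample_dry_run() {
cat <<'EOF'
Would relabel /var/www/html/index.html from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /srv/app/My Reports from staff_u:object_r:var_t:s0 to system_u:object_r:var_t:s0
Would relabel /var/log/app.log from system_u:object_r:var_log_t:s0-s0:c0.c1023 to system_u:object_r:var_log_t:s0
restorecon: lstat(/srv/app/missing) failed: No such file or directory
EOF
}

# Expected:
#   type-only /var/www/html/index.html
#   full-context /srv/app/My Reports
#   full-context /var/log/app.log
sample_dry_run | classify_relabel_lines
```
.P
A non-empty type-only list is cleared by an ordinary recursive run; the
full-context entries are only cleared by
.BR \-F ,
and a range difference in particular is worth a look before forcing it, since
it may have been set deliberately.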
.SH "OPTIONS"
.TP
.BI \-e \ directory
exclude a directory (repeat the option to exclude more than one directory;
the full path is required).
.TP
.BI \-f \ infilename
.I infilename
contains a list of files to be processed. Use
.RB \*(lq \- \*(rq
for
.BR stdin .
.TP
.B \-F
force a reset of the context to match the file_contexts specification: files
labeled with a customizable type are relabeled too, and the user, role and
range portions of the context are changed along with the type.
.TP
.B \-h, \-?
display usage information and exit.
.TP
.B \-i
ignore files that do not exist.
.TP
.B \-I
ignore the stored digest to force checking of labels even if the stored SHA1
digest matches the SHA1 digest of the specfiles. The digest will then be
updated provided there are no errors. See the
.B NOTES
section for further details.
.TP
.B \-D
set or update any directory SHA1 digests. Use this option to enable usage of
the
.IR security.sehash
extended attribute.
.TP
.B \-m
do not read
.B /proc/mounts
to obtain a list of non-seclabel mounts to be excluded from relabeling checks.
Setting this option is useful where a non-seclabel file system is mounted with
a seclabel file system mounted on a directory below it.
.TP
.B \-n
don't change any file labels (passive check). To display the files whose
labels would be changed, add
.BR \-v .
.TP
.BI \-o \ outfilename
deprecated; this option is no longer supported.
.TP
.B \-p
show progress by printing the number of files processed in units of 1k;
when relabeling the entire OS the approximate percentage complete is shown
instead. Note that the
.B \-p
and
.B \-v
options are mutually exclusive.
.TP
.B \-R, \-r
change the labels of files and directories recursively (descend directories).
.TP
.B \-v
show changes in file labels. Multiple
.B \-v
options increase the verbosity. Note that the
.B \-v
and
.B \-p
options are mutually exclusive.
.TP
.B \-W
display warnings about entries that had no matching files by outputting the
.BR selabel_stats (3)
results.
.TP
.B \-0
the separator for the input items read with
.B \-f
is assumed to be the null character (instead of white space). Quote and
backslash characters are also treated as normal characters that can form
valid input. This option also disables the end-of-file string, which is
treated like any other argument. Useful when input items might contain white
space, quote marks or backslashes. The
.B \-print0
option of GNU
.B find
produces input suitable for this mode.
.TP
.B \-x
prevent
.B restorecon
from crossing file system boundaries.
.TP
.BI \-T \ nthreads
use up to
.I nthreads
threads. Specify 0 to create as many threads as there are available
CPU cores; 1 to use only a single thread (default); or any positive
number to use the given number of threads (if possible).
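.P
The following is an added example, not code from this manual page or from the
selinux project. It shows why
.B \-0
exists: a file list built with
.B find \-print0
and read via
.B \-0 \-f \-
keeps names containing spaces, quotes, backslashes and even newlines intact,
whereas a newline-separated list silently splits a name that contains a
newline into two bogus entries. The fixture tree and the helper names are
this example's own; the real relabel step is a dry run
.RB ( \-n
.BR \-v )
and is skipped when restorecon is not installed.
.P
```sh
#!/bin/sh
# Added example, not part of the selinux project: build an explicit file list
# for restorecon with find -print0 and feed it through -0 -f -, so that names
# with spaces, quotes, backslashes or embedded newlines survive intact.

# make_fixture DIR: create a small tree of deliberately awkward file names
# (constructed test data, not anything from a real system).
make_fixture() {
    nl='
'
    mkdir -p "$1/sub dir"
    : > "$1/plain"
    : > "$1/with space"
    : > "$1/quote'and\"dq"
    : > "$1/back\\slash"
    : > "$1/sub dir/new${nl}line"
}

# count_entries DIR MODE: how many items a consumer of the list would see.
#   nul      split on NUL, which is what "restorecon -0 -f -" does
#   newline  split on newline, which is what "restorecon -f -" does without -0
# The difference is exactly the number of names that contain a newline.
count_entries() {
    case "$2" in
        nul)     find "$1" -type f -print0 | tr -cd '\000' | wc -c | tr -d ' ' ;;
        newline) find "$1" -type f -print  | wc -l | tr -d ' ' ;;
        *)       echo "usage: count_entries DIR nul|newline" >&2; return 2 ;;
    esac
}

# relabel_list DIR: the real pipeline. -0 tells restorecon the list is
# NUL-delimited, "-f -" reads it from stdin, -n -v makes it a dry run that
# reports what would change. On a host without restorecon the command is
# only printed.
relabel_list() {
    if command -v restorecon >/dev/null 2>&1; then
        find "$1" -type f -print0 | restorecon -0 -f - -n -v
    else
        echo "restorecon not installed; would run: find $1 -type f -print0 | restorecon -0 -f - -n -v" >&2
    fi
}

# demo: shows the miscount a newline-delimited list would produce.
demo() {
    d=$(mktemp -d) || return 1
    make_fixture "$d"
    echo "NUL-delimited entries:     $(count_entries "$d" nul)"      # 5
    echo "newline-delimited entries: $(count_entries "$d" newline)"  # 6
    rm -rf "$d"
}
```
.P
The fixture holds five regular files; the newline-delimited count comes out
as six because the name containing a newline is split in two, and a relabel
driven by that list would look up two paths that do not exist and miss the
one that does.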
.SH "ARGUMENTS"
.IR pathname \ ...
The pathname for the file(s) to be relabeled.
.SH "NOTES"
.IP "1." 4
.B restorecon
by default does not operate recursively on directories. Paths leading up to the
final component of the file(s) are canonicalized using
.BR realpath (3)
before labeling.
.IP "2." 4
If the
.I pathname
specifies the root directory and the
.B \-vR
or
.B \-vr
options are set and the audit system is running, then an audit event is
automatically logged stating that a "mass relabel" took place using the
message label
.BR FS_RELABEL .
.IP "3." 4
To improve performance when relabeling file systems recursively (i.e. the
.B \-R
or
.B \-r
option is set),
the
.B \-D
option to
.B restorecon
will cause it to store a SHA1 digest of the default specfiles set in an extended
attribute named
.IR security.sehash
on each directory specified in
.IR pathname \ ...
once the relabeling has been completed successfully. These digests will be
checked should
.B restorecon
.B \-D
be rerun with the same
.I pathname
parameters. See
.BR selinux_restorecon (3)
for further details.
.sp
The
.B \-I
option will ignore the SHA1 digest from each directory specified in
.IR pathname \ ...
and, provided the
.B \-n
option is NOT set and recursive mode is set, files will be relabeled as
required, with the digests then being updated provided there are no errors.
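.P
The following is an added example, not code from this manual page or from the
selinux project, for note 2 above: a mass relabel of the root directory is a
high-impact administrative action, so the
.B FS_RELABEL
records it leaves behind are worth pulling out of the audit trail with who
ran it and whether it succeeded. The record layout in the sample is a
constructed stand-in in the usual auditd user-message shape (type, audit(...)
timestamp, auid=, then a msg='op=mass relabel exe="..." ... res=...'
payload); the field names are assumed for this example and should be checked
against a real audit.log before relying on them.
.P
```sh
#!/bin/sh
# Added example, not part of the selinux project: find the "mass relabel"
# events that a verbose recursive relabel of / leaves in the audit log.
# The record layout used in sample_audit below is a constructed sample in the
# usual auditd user-message shape (type=FS_RELABEL ... msg='op=mass relabel
# exe="..." ... res=...'); check the field names against your own audit.log.

# fs_relabel_events: read raw audit records on stdin, print one line per
# FS_RELABEL record as "EPOCH auid=N exe=PATH res=RESULT".
fs_relabel_events() {
    awk '
    /^type=FS_RELABEL / {
        ts = "?"; auid = "?"; exe = "?"; res = "?"
        # audit(SECS.MSEC:SERIAL) carries the event time; keep whole seconds.
        if (match($0, /audit\([0-9]+\.[0-9]+:[0-9]+\)/)) {
            ts = substr($0, RSTART + 6, RLENGTH - 7)
            sub(/\..*/, "", ts)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^auid=/) auid = substr($i, 6)
            else if ($i ~ /^exe=/) { exe = substr($i, 5); gsub(/"/, "", exe) }
            else if ($i ~ /^res=/) { res = substr($i, 5); sub(/[^A-Za-z0-9_]+$/, "", res) }
        }
        print ts, "auid=" auid, "exe=" exe, "res=" res
    }'
}

# sample_audit: constructed records, one successful relabel by a logged-in
# user, one unrelated AVC, one failed relabel by auid 0.
sample_audit() {
cat <<'EOF'
type=FS_RELABEL msg=audit(1700000000.101:77): pid=4242 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=mass relabel exe="/usr/sbin/setfiles" hostname=? addr=? terminal=pts/0 res=success'
type=AVC msg=audit(1700000000.102:78): avc:  denied  { getattr } for  pid=4243 comm="cat" name="shadow" dev="dm-0" ino=1234 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=FS_RELABEL msg=audit(1700000500.250:91): pid=4300 uid=0 auid=0 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=mass relabel exe="/usr/sbin/setfiles" hostname=? addr=? terminal=pts/1 res=failed'
EOF
}

# On a real host: fs_relabel_events < /var/log/audit/audit.log
# Expected from the sample:
#   1700000000 auid=1000 exe=/usr/sbin/setfiles res=success
#   1700000500 auid=0 exe=/usr/sbin/setfiles res=failed
sample_audit | fs_relabel_events
```
.P
Because
.B restorecon
and
.B setfiles
are the same executable, the exe field is expected to show whichever path
was invoked; the auid field, not uid, identifies the logged-in user who
started the relabel.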
.SH "AUTHOR"
This man page was written by Dan Walsh <dwalsh@redhat.com>.
Some of the content of this man page was taken from the setfiles
man page written by Russell Coker <russell@coker.com.au>.
The program was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
.BR setfiles (8),
.BR fixfiles (8),
.BR load_policy (8),
.BR checkpolicy (8),
.BR customizable_types (5)