| .TH "restorecon_xattr" "8" "24 Sept 2016" "" "SELinux User Command" |
| .SH "NAME" |
| restorecon_xattr \- manage |
| .I security.sehash |
| extended attribute entries added by |
| .BR setfiles (8) |
| or |
| .BR restorecon (8). |
| |
| .SH "SYNOPSIS" |
| .B restorecon_xattr |
| .RB [ \-d ] |
| .RB [ \-D ] |
| .RB [ \-m ] |
| .RB [ \-n ] |
| .RB [ \-r ] |
| .RB [ \-v ] |
| .RB [ \-e |
| .IR directory ] |
| .RB [ \-f |
| .IR specfile ] |
| .I pathname |
| |
| .SH "DESCRIPTION" |
| .B restorecon_xattr |
| will display the SHA1 digests added to extended attributes |
| .I security.sehash |
| or delete the attribute completely. These attributes are set by |
| .BR restorecon (8) |
| or |
| .BR setfiles (8) |
| to specified directories when relabeling recursively. |
| .sp |
| .B restorecon_xattr |
| is useful for managing the extended attribute entries particularly when |
| users forget what directories they ran |
| .BR restorecon (8) |
| or |
| .BR setfiles (8) |
| from. |
| .sp |
| .B RAMFS |
| and |
| .B TMPFS |
| filesystems do not support the |
| .I security.sehash |
| extended attribute and are automatically excluded from searches. |
| .sp |
| By default |
| .B restorecon_xattr |
| will display the SHA1 digests with "Match" appended if they match the default |
| specfile set or the |
| .I specfile |
| set used with the |
| .B \-f |
| option. Non-matching SHA1 digests will be displayed with "No Match" appended. |
| This feature can be disabled by the |
| .B \-n |
| option. |
| |
| .SH "OPTIONS" |
| .TP |
| .B \-d |
| delete all non-matching |
| .I security.sehash |
| directory digest entries. |
| .TP |
| .B \-D |
| delete all |
| .I security.sehash |
| directory digest entries. |
| .TP |
| .B \-m |
| do not read |
| .B /proc/mounts |
| to obtain a list of non-seclabel mounts to be excluded from relabeling checks. |
| .br |
| Setting |
| .B \-m |
| is useful where there is a non-seclabel fs mounted with a seclabel fs mounted |
| on a directory below this. |
| .TP |
| .B \-n |
| Do not append "Match" or "No Match" to displayed digests. |
| .TP |
| .B \-r |
| recursively descend directories. |
| .TP |
| .B \-v |
| display SHA1 digest generated by specfile set (Note that this digest is not |
| used to match the |
| .I security.sehash |
| directory digest entries, and is shown for reference only). |
| .TP |
| .B \-e |
| .I directory |
| .br |
| directory to exclude (repeat option for more than one directory). |
| .TP |
| .B \-f |
| .I specfile |
| .br |
| an optional |
| .I specfile |
| containing file context entries as described in |
| .BR file_contexts (5). |
| If the option is not specified, then the default file_contexts will be used. |
| |
| .SH "ARGUMENTS" |
| .TP |
| .I pathname |
| .br |
| the pathname of the directory tree to be searched. |
| |
| .SH "SEE ALSO" |
| .BR restorecon (8), |
| .BR setfiles (8) |