@@ -36,6 +36,7 @@ void restore_init(struct restore_opts *opts)
opts->restorecon_flags = 0;
opts->restorecon_flags = opts->nochange | opts->verbose |
opts->progress | opts->set_specctx |
+ opts->set_user_role |
opts->add_assoc | opts->ignore_digest |
opts->recurse | opts->userealpath |
opts->xdev | opts->abort_on_error |
@@ -24,6 +24,7 @@ struct restore_opts {
unsigned int progress;
unsigned int mass_relabel;
unsigned int set_specctx;
+ unsigned int set_user_role;
unsigned int add_assoc;
unsigned int ignore_digest;
unsigned int recurse;
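Review bot: The new `set_user_role` member is declared as a plain `unsigned int`, with nothing to say it carries a flag bit rather than a boolean. restore_init() (first hunk) ORs it directly into `opts->restorecon_flags`, so the field is only correct when it holds 0 or `SELINUX_RESTORECON_SET_USER_ROLE`; a caller storing `1` would set whichever restorecon bit has that value instead. I would add `/* 0 or SELINUX_RESTORECON_SET_USER_ROLE; OR'ed into restorecon_flags by restore_init() */` above the member. The struct begins and ends outside this hunk, and the neighbouring members appear to follow the same convention without comment.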
@@ -11,6 +11,7 @@ restorecon \- restore file(s) default SELinux security contexts.
.RB [ \-v ]
.RB [ \-i ]
.RB [ \-F ]
+.RB [ \-U ]
.RB [ \-W ]
.RB [ \-I | \-D ]
.RB [ \-x ]
@@ -30,6 +31,7 @@ restorecon \- restore file(s) default SELinux security contexts.
.RB [ \-v ]
.RB [ \-i ]
.RB [ \-F ]
+.RB [ \-U ]
.RB [ \-W ]
.RB [ \-I | \-D ]
.RB [ \-x ]
@@ -60,7 +62,9 @@ context,
will only modify the type portion of the security context.
The
.B \-F
-option will force a replacement of the entire context.
+and
+.B \-U
+options will force a replacement of the entire context.
.P
If a file is labeled with
.BR customizable
@@ -88,6 +92,10 @@ for
Force reset of context to match file_context for customizable files, and the
default file context, changing the user, role, range portion as well as the type.
.TP
+.B \-U
+In addition to the type portion also change the user and role portions, but
+not the range portion.
+.TP
.B \-h, \-?
display usage information and exit.
.TP
@@ -19,6 +19,7 @@ setfiles \- set SELinux file security contexts.
.RB [ \-v ]
.RB [ \-W ]
.RB [ \-F ]
+.RB [ \-U ]
.RB [ \-I | \-D ]
.RB [ \-T
.IR nthreads ]
@@ -52,8 +53,12 @@ context,
.B setfiles
will only modify the type portion of the security context.
The
+.B \-U
+option will also modify the user and role portions of the security context.
+The
.B \-F
-option will force a replacement of the entire context.
+option will force a replacement of the entire context, including the range
+portion of the security context and modify customizable files.
.SH "OPTIONS"
.TP
.B \-c
@@ -88,6 +93,10 @@ Force reset of context to match file_context for customizable files, and the
default file context, changing the user, role, range portion as well as the
type.
.TP
+.B \-U
+In addition to the type portion also change the user and role portions, but
+not the range portion.
+.TP
.B \-h, \-?
display usage information and exit.
.TP
@@ -35,14 +35,14 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
{
if (iamrestorecon) {
fprintf(stderr,
- "usage: %s [-iIDFmnprRv0xT] [-e excludedir] pathname...\n"
- "usage: %s [-iIDFmnprRv0xT] [-e excludedir] -f filename\n",
+ "usage: %s [-iIDFUmnprRv0xT] [-e excludedir] pathname...\n"
+ "usage: %s [-iIDFUmnprRv0xT] [-e excludedir] -f filename\n",
name, name);
} else {
fprintf(stderr,
- "usage: %s [-diIDlmnpqvCEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
- "usage: %s [-diIDlmnpqvCEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
- "usage: %s -s [-diIDlmnpqvFWT] spec_file\n",
+ "usage: %s [-diIDlmnpqvCEFUWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
+ "usage: %s [-diIDlmnpqvCEFUWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
+ "usage: %s -s [-diIDlmnpqvFUWT] spec_file\n",
name, name, name);
}
exit(-1);
@@ -146,8 +146,8 @@ int main(int argc, char **argv)
size_t buf_len, nthreads = 1;
const char *base;
int errors = 0;
- const char *ropts = "e:f:hiIDlmno:pqrsvFRW0xT:";
- const char *sopts = "c:de:f:hiIDlmno:pqr:svCEFR:W0T:";
+ const char *ropts = "e:f:hiIDlmno:pqrsvFURW0xT:";
+ const char *sopts = "c:de:f:hiIDlmno:pqr:svCEFUR:W0T:";
const char *opts;
union selinux_callback cb;
long unsigned skipped_errors;
@@ -298,6 +298,10 @@ int main(int argc, char **argv)
r_opts.set_specctx =
SELINUX_RESTORECON_SET_SPECFILE_CTX;
break;
+ case 'U':
+ r_opts.set_user_role =
+ SELINUX_RESTORECON_SET_USER_ROLE;
+ break;
case 'm':
r_opts.ignore_mounts =
SELINUX_RESTORECON_IGNORE_MOUNTS;
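Review bot: The new `case 'U':` does not say how `-U` relates to `-F`, and the documentation in this same patch is inconsistent about it: the restorecon prose says the `-F` and `-U` options "will force a replacement of the entire context", while both option entries say `-U` leaves the range portion alone. Since this decides whether the SELinux user and role (and possibly the MLS range) on a file get rewritten, the intended semantics should be pinned at the case, e.g. `/* -U: relabel user and role in addition to type; range is left alone (only -F resets it) */`. What happens when both `-F` and `-U` are passed is presumably decided in the library and is not visible here, so that part needs confirming before it goes into the comment. main()'s option switch starts and ends outside the hunk.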