Diffstat (limited to 'static/unix-v10/man8/cl.8')
| -rw-r--r-- | static/unix-v10/man8/cl.8 | 100 |
1 files changed, 100 insertions, 0 deletions
diff --git a/static/unix-v10/man8/cl.8 b/static/unix-v10/man8/cl.8 new file mode 100644 index 00000000..75a0de9e --- /dev/null +++ b/static/unix-v10/man8/cl.8 
@@ -0,0 +1,100 @@ +.TH CL 8 +.CT 1 sa_nonmortals +.SH NAME +cl, integrity \- file system label check +.SH SYNOPSIS +.B /etc/cl +[ +.IR specfile " | " dir +] ... +.PP +.B /etc/integrity +[ +.I rootdir +] +.SH DESCRIPTION +.I Cl +examines file trees for correctness of labels. +Each +.I specfile +argument names a file containing a description +of the labels expected in a given subtree of a file system. +Each line of a +.I specfile +has the form +.IP +.L +filename uid,gid mode capabilities licenses label +.LP +User and group ids are specified in the style of +.IR chown (8). +The mode is specified in the style of +.IR chmod (2); +only the 07777 bits are significant. +Capabilities and licenses are in the style of +.IR atopriv ; +see +.IR labtoa (3). +The label is in the style of +.IR atolab, +without capabilities or licenses. +.PP +The first valid line names the root of the tree in question. +Subsequent lines name particular files in the tree. +A report is made for each `suspicious' file and for each +particular file which does +not match its description in +.IR specfile . +.LP +A suspicious file is a file that is not named in the +.I specfile +for which one of the following holds: +.IP +The label has flag +.B L_UNDEF +or +.BR L_YES . +.br +The file is a special file the label flag is +.BR L_NO . +.br +The file is not a special file the label flag is not +.BR L_NO . +.br +The lattice value of the label is not dominated by the +label in the first line of +.IR specfile . +.br +The capability or license is not dominated by the corresponding +value in the first line of +.IR specfile . +.LP +Each named directory argument +.I dir +is treated as if there were a +.I specfile +argument +consisting of just a single line +.IP +.EX +\fIdir\fP bin,bin 666 ----- ----- 0000... +.EE +.I Integrity +surveys the directory tree dependent from +.I rootdir, +or +.L / +if no +.I rootdir +is given. 
+It reports non-bottom labels, which are possible signs +of loss of integrity \- modification without privilege. +The search cuts off at directories with non-bottom labels. +.SH "SEE ALSO" +.IR getflab (2), +.IR ftw (3), +.IR lcheck (8) +.SH BUGS +Extraneous diagnostics +may be produced if this command is applied to +active file systems. |
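Review bot: In the list of suspicious-file conditions under DESCRIPTION, the two special-file items have lost their conjunction ("The file is a special file the label flag is" L_NO, and "The file is not a special file the label flag is not" L_NO), so the rule that decides which files cl reports is ambiguous as written. If this import is meant to be readable rather than byte-exact, supply the missing word in both items (presumably "and"); otherwise record that the wording follows the original. Further down, `.I Integrity` follows `.EE` with no `.PP` or `.LP` in between, so the description of integrity renders as a continuation of the indented example paragraph. SEE ALSO also omits chown(8), chmod(2) and labtoa(3), which the text cites, and `.IR atolab,` and `.I rootdir,` pull the trailing comma into the italic argument.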
