Diffstat (limited to 'static/v10/man8/cl.8')
-rw-r--r-- static/v10/man8/cl.8 100
1 files changed, 100 insertions, 0 deletions
diff --git a/static/v10/man8/cl.8 b/static/v10/man8/cl.8
new file mode 100644
index 00000000..75a0de9e
--- /dev/null
+++ b/static/v10/man8/cl.8
@@ -0,0 +1,100 @@
+.TH CL 8
+.CT 1 sa_nonmortals
+.SH NAME
+cl, integrity \- file system label check
+.SH SYNOPSIS
+.B /etc/cl
+[
+.IR specfile " | " dir
+] ...
+.PP
+.B /etc/integrity
+[
+.I rootdir
+]
+.SH DESCRIPTION
+.I Cl
+examines file trees for correctness of labels.
+Each
+.I specfile
+argument names a file containing a description
+of the labels expected in a given subtree of a file system.
+Each line of a
+.I specfile
+has the form
+.IP
+.L
+filename uid,gid mode capabilities licenses label
+.LP
+User and group ids are specified in the style of
+.IR chown (8).
+The mode is specified in the style of
+.IR chmod (2);
+only the 07777 bits are significant.
+Capabilities and licenses are in the style of
+.IR atopriv ;
+see
+.IR labtoa (3).
+The label is in the style of
+.IR atolab,
+without capabilities or licenses.
+.PP
+The first valid line names the root of the tree in question.
+Subsequent lines name particular files in the tree.
+A report is made for each `suspicious' file and for each
+particular file which does
+not match its description in
+.IR specfile .
+.LP
+A suspicious file is a file that is not named in the
+.I specfile
+for which one of the following holds:
+.IP
+The label has flag
+.B L_UNDEF
+or
+.BR L_YES .
+.br
+The file is a special file the label flag is
+.BR L_NO .
+.br
+The file is not a special file the label flag is not
+.BR L_NO .
+.br
+The lattice value of the label is not dominated by the
+label in the first line of
+.IR specfile .
+.br
+The capability or license is not dominated by the corresponding
+value in the first line of
+.IR specfile .
+.LP
+Each named directory argument
+.I dir
+is treated as if there were a
+.I specfile
+argument
+consisting of just a single line
+.IP
+.EX
+\fIdir\fP bin,bin 666 ----- ----- 0000...
+.EE
+.I Integrity
+surveys the directory tree dependent from
+.I rootdir,
+or
+.L /
+if no
+.I rootdir
+is given.
+It reports non-bottom labels, which are possible signs
+of loss of integrity \- modification without privilege.
+The search cuts off at directories with non-bottom labels.
+.SH "SEE ALSO"
+.IR getflab (2),
+.IR ftw (3),
+.IR lcheck (8)
+.SH BUGS
+Extraneous diagnostics
+may be produced if this command is applied to
+active file systems.
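Review bot: The second and third conditions in the list of suspicious-file tests are each missing a conjunction: "The file is a special file the label flag is `L_NO`" and "The file is not a special file the label flag is not `L_NO`". Since these sentences define what the tool reports, they should read unambiguously, for example "is a special file and the label flag is". The third condition also appears to overlap the first (flag `L_UNDEF` or `L_YES`), so a sentence saying whether the tests are independent would help. Two markup points: `.IR atolab,` and `.I rootdir,` set the trailing comma in italics (`.IR atolab ,` keeps it roman), and there is no paragraph macro between `.EE` and `.I Integrity`, so the description of integrity continues inside the indented `.IP` block instead of starting a new paragraph.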