
selinux_restorecon(3)      SELinux API documentation     selinux_restorecon(3)

NAME
       selinux_restorecon - restore file(s) default SELinux security contexts

SYNOPSIS
       #include <selinux/restorecon.h>

       int selinux_restorecon(const char *pathname,
                              unsigned int restorecon_flags);

DESCRIPTION
       selinux_restorecon() restores file default security contexts on
       filesystems that support extended attributes (see xattr(7)), based on:

              pathname containing a directory or file to be relabeled.
              If this is a directory and the restorecon_flags
              SELINUX_RESTORECON_RECURSE flag has been set (for descending
              through directories), then selinux_restorecon() will write a
              SHA1 digest of the specfile entries calculated by
              selabel_get_digests_all_partial_matches(3) to an extended
              attribute named security.sehash once the relabeling has been
              completed successfully (see the NOTES section for details).
              These digests will be checked should selinux_restorecon() be
              rerun with the restorecon_flags SELINUX_RESTORECON_RECURSE flag
              set. If any of the specfile entries have been updated, the
              digest will also be updated. However, if the digest is the
              same, no relabeling checks will take place.
              The restorecon_flags that can be used to manage the usage of
              the SHA1 digest are:
                     SELINUX_RESTORECON_SKIP_DIGEST
                     SELINUX_RESTORECON_IGNORE_DIGEST

              restorecon_flags contains the labeling options/rules as follows:

                      SELINUX_RESTORECON_SKIP_DIGEST do not check or update
                      any extended attribute security.sehash entries.

                      SELINUX_RESTORECON_IGNORE_DIGEST force the checking of
                      labels even if the stored SHA1 digest matches the
                      specfile entries' SHA1 digest. The specfile entries'
                      digest will be written to the security.sehash extended
                      attribute once relabeling has been completed
                      successfully, provided the SELINUX_RESTORECON_NOCHANGE
                      flag has not been set.

                      SELINUX_RESTORECON_NOCHANGE do not change any file
                      labels (passive check) or update the digest in the
                      security.sehash extended attribute.

                      SELINUX_RESTORECON_SET_SPECFILE_CTX if set, reset the
                      file's label to match the default specfile context. If
                      not set, only reset the "type" component of the file's
                      context to match the default specfile context.

                      SELINUX_RESTORECON_RECURSE change file and directory
                      labels recursively (descend directories) and, if
                      successful, write a SHA1 digest of the specfile entries
                      to an extended attribute as described in the NOTES
                      section.

                      SELINUX_RESTORECON_VERBOSE log file label changes.
                             Note that if the SELINUX_RESTORECON_VERBOSE and
                             SELINUX_RESTORECON_PROGRESS flags are both set,
                             then SELINUX_RESTORECON_PROGRESS will take
                             precedence.

                      SELINUX_RESTORECON_PROGRESS show progress by outputting
                      the number of files processed (in 1k blocks) to stdout.
                      If the SELINUX_RESTORECON_MASS_RELABEL flag is also set,
                      then the approximate percentage complete will be shown.

                      SELINUX_RESTORECON_MASS_RELABEL generally set when
                      relabeling the entire OS; it will then show the
                      approximate percentage complete. The
                      SELINUX_RESTORECON_PROGRESS flag must also be set.

                      SELINUX_RESTORECON_REALPATH convert the passed-in
                      pathname to the canonical pathname using realpath(3).

                      SELINUX_RESTORECON_XDEV prevent descending into
                      directories that have a different device number than
                      the pathname entry from which the descent began.

                      SELINUX_RESTORECON_ADD_ASSOC attempt to add an
                      association between an inode and a specification. If
                      there is already an association for the inode and it
                      conflicts with the specification, then use the last
                      matching specification.

                      SELINUX_RESTORECON_ABORT_ON_ERROR abort on errors during
                      the file tree walk.

                      SELINUX_RESTORECON_SYSLOG_CHANGES log any label changes
                      to syslog(3).

                      SELINUX_RESTORECON_LOG_MATCHES log which specfile
                      context matched each file.

                      SELINUX_RESTORECON_IGNORE_NOENTRY ignore files that do
                      not exist.

                      SELINUX_RESTORECON_IGNORE_MOUNTS do not read
                      /proc/mounts to obtain a list of non-seclabel mounts to
                      be excluded from relabeling checks.
                      Setting SELINUX_RESTORECON_IGNORE_MOUNTS is useful where
                      there is a non-seclabel filesystem mounted with a
                      seclabel filesystem mounted on a directory below it.

                      SELINUX_RESTORECON_CONFLICT_ERROR treat conflicting
                      specifications, such as where two hardlinks for the
                      same inode have different contexts, as errors.

              The behavior regarding the checking and updating of the SHA1
              digest described above is the default behavior. It is possible
              to change this by first calling selabel_open(3) and not
              enabling the SELABEL_OPT_DIGEST option, then calling
              selinux_restorecon_set_sehandle(3) to set the handle to be used
              by selinux_restorecon(3).

              If the pathname is a directory path, then it is possible to set
              directories to be excluded from the path by calling
              selinux_restorecon_set_exclude_list(3) with a NULL terminated
              list before calling selinux_restorecon(3).

              By default selinux_restorecon(3) reads /proc/mounts to obtain a
              list of non-seclabel mounts to be excluded from relabeling
              checks unless the SELINUX_RESTORECON_IGNORE_MOUNTS flag has
              been set.

RETURN VALUE
       On success, zero is returned. On error, -1 is returned and errno is
       set appropriately.

NOTES
       1.  To improve performance when relabeling file systems recursively
           (e.g. the restorecon_flags SELINUX_RESTORECON_RECURSE flag is set)
           selinux_restorecon() will write a calculated SHA1 digest of the
           specfile entries returned by
           selabel_get_digests_all_partial_matches(3) to an extended
           attribute named security.sehash for each directory in the
           pathname path.

       2.  To check the extended attribute entry use getfattr(1), for example:

                  getfattr -e hex -n security.sehash /

       3.  Should any of the specfile entries have changed, then when
           selinux_restorecon() is run again with the
           SELINUX_RESTORECON_RECURSE flag set, new SHA1 digests will be
           calculated and all files automatically relabeled depending on the
           settings of the SELINUX_RESTORECON_SET_SPECFILE_CTX flag (provided
           SELINUX_RESTORECON_NOCHANGE is not set).

       4.  /sys and in-memory filesystems do not support the security.sehash
           extended attribute and are automatically excluded from any
           relabeling checks.

       5.  By default stderr is used to log output messages and errors. This
           may be changed by calling selinux_set_callback(3) with the
           SELINUX_CB_LOG type option.

SEE ALSO
       selabel_get_digests_all_partial_matches(3),
       selinux_restorecon_set_sehandle(3),
       selinux_restorecon_default_handle(3),
       selinux_restorecon_set_exclude_list(3),
       selinux_restorecon_set_alt_rootpath(3),
       selinux_restorecon_xattr(3),
       selinux_set_callback(3)

Security Enhanced Linux           20 Oct 2015            selinux_restorecon(3)
