selinux_restorecon(3)        SELinux API documentation        selinux_restorecon(3)

NAME
       selinux_restorecon - restore file(s) default SELinux security contexts

SYNOPSIS
       #include <selinux/restorecon.h>

       int selinux_restorecon(const char *pathname,
                              unsigned int restorecon_flags);

DESCRIPTION
       selinux_restorecon() restores file default security contexts on
       filesystems that support extended attributes (see xattr(7)), based on:

       pathname containing a directory or file to be relabeled.
              If this is a directory and the restorecon_flags
              SELINUX_RESTORECON_RECURSE flag has been set (for descending
              through directories), then selinux_restorecon() will write an
              SHA1 digest of the combined specfiles (see the NOTES section
              for details) to an extended attribute named
              security.restorecon_last once the relabeling has been
              completed successfully. This digest will be checked should
              selinux_restorecon() be rerun with the restorecon_flags
              SELINUX_RESTORECON_RECURSE flag set. If any of the specfiles
              have been updated, the digest will also be updated. However,
              if the digest is the same, no relabeling checks will take
              place (unless the SELINUX_RESTORECON_IGNORE_DIGEST flag is
              set).

       restorecon_flags contains the labeling options as follows:

              SELINUX_RESTORECON_IGNORE_DIGEST force the checking of
              labels even if the stored SHA1 digest matches the specfiles
              SHA1 digest. The specfiles digest will be written to the
              security.restorecon_last extended attribute once relabeling
              has been completed successfully, provided the
              SELINUX_RESTORECON_NOCHANGE flag has not been set.

              SELINUX_RESTORECON_NOCHANGE don't change any file labels
              (passive check) or update the digest in the
              security.restorecon_last extended attribute.

              SELINUX_RESTORECON_SET_SPECFILE_CTX if set, reset the file's
              label to match the default specfile context. If not set,
              only reset the file's "type" component of the context to
              match the default specfile context.

              SELINUX_RESTORECON_RECURSE change file and directory labels
              recursively (descend directories) and, if successful, write
              an SHA1 digest of the combined specfiles to an extended
              attribute as described in the NOTES section.

              SELINUX_RESTORECON_VERBOSE log file label changes. Note that
              if SELINUX_RESTORECON_VERBOSE and SELINUX_RESTORECON_PROGRESS
              are both set, then SELINUX_RESTORECON_PROGRESS will take
              precedence.

              SELINUX_RESTORECON_PROGRESS show progress by printing * to
              stdout every 1000 files.

              SELINUX_RESTORECON_REALPATH convert the passed-in pathname to
              the canonical pathname using realpath(3).

              SELINUX_RESTORECON_XDEV prevent descending into directories
              that have a different device number than the pathname entry
              from which the descent began.

       The behavior regarding the checking and updating of the SHA1 digest
       described above is the default behavior. It is possible to change
       this by first calling selabel_open(3) without enabling the
       SELABEL_OPT_DIGEST option, then calling
       selinux_restorecon_set_sehandle(3) to set the handle to be used by
       selinux_restorecon(3).

       If the pathname is a directory path, then it is possible to set
       files/directories to be excluded from the path by calling
       selinux_restorecon_set_exclude_list(3) with a NULL terminated list
       before calling selinux_restorecon(3).

82
84 On success, zero is returned. On error, -1 is returned and errno is
85 set appropriately.
86
NOTES
       To improve performance when relabeling file systems recursively (i.e.
       when the restorecon_flags SELINUX_RESTORECON_RECURSE flag is set),
       selinux_restorecon() will write an SHA1 digest of the specfiles that
       are processed by selabel_open(3) to an extended attribute named
       security.restorecon_last on the directory specified in pathname.

       To check the extended attribute entry use getfattr(1), for example:

              getfattr -e hex -n security.restorecon_last /

       The SHA1 digest is calculated by selabel_open(3) over the
       concatenation of the specfiles it reads during initialisation; the
       resulting digest and the list of specfiles can be retrieved with
       selabel_digest(3).

       The specfiles consist of the mandatory file_contexts file plus any
       subs, subs_dist, local and homedir entries (text or binary versions)
       as determined by any selabel_open(3) options, e.g.
       SELABEL_OPT_BASEONLY.

       Should any of the specfiles have changed, then when
       selinux_restorecon() is run again with the SELINUX_RESTORECON_RECURSE
       flag set, a new SHA1 digest will be calculated and all files will be
       automatically relabeled according to the setting of the
       SELINUX_RESTORECON_SET_SPECFILE_CTX flag (provided
       SELINUX_RESTORECON_NOCHANGE is not set).

       /sys and in-memory filesystems do not support the
       security.restorecon_last extended attribute and are automatically
       excluded from any relabeling checks.

       selinux_restorecon() does not check whether mounted filesystems
       support the seclabel option (i.e. support extended attributes as
       described in xattr(7)). To exclude these filesystems from any
       relabeling checks, selinux_restorecon_set_exclude_list(3) should be
       called prior to selinux_restorecon() with a NULL terminated
       exclude_list of these filesystems.

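       The following program is an added example; it is not part of this man
       page or of the libselinux sources. It wraps selinux_restorecon() so
       that a caller can either relabel a directory tree or run a passive
       audit of it, and afterwards reads back the security.restorecon_last
       attribute with getxattr(2), the programmatic equivalent of the
       getfattr(1) command above. It uses only the flag names documented
       above. When <selinux/restorecon.h> is not installed it falls back to
       numeric flag values that are assumed to match libselinux's header and
       must be verified against it; selinux_restorecon() is referenced as a
       weak symbol so the file links without -lselinux, in which case the
       wrapper fails with ENOSYS. The helper names build_flags, hex_encode,
       read_restorecon_digest and relabel_checked are the example's own.

```c
/* Added example (not from the libselinux man page or sources): a checked
 * wrapper around selinux_restorecon(3) that relabels a tree, or audits it
 * without changes, then reads back the security.restorecon_last digest, the
 * programmatic equivalent of the getfattr(1) command in NOTES.
 * Build: cc -c restorecon_check.c; link with -lselinux on an SELinux host. */
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

#ifdef __has_include
#if __has_include(<selinux/restorecon.h>)
#include <selinux/restorecon.h>
#define HAVE_SELINUX_RESTORECON_H 1
#endif
#endif
#ifndef HAVE_SELINUX_RESTORECON_H
/* Fallback so the file compiles without libselinux headers. Flag names are
 * from the man page; the values are an assumption taken from libselinux's
 * restorecon.h and must be verified against the installed header. */
#define SELINUX_RESTORECON_IGNORE_DIGEST    0x0001
#define SELINUX_RESTORECON_NOCHANGE         0x0002
#define SELINUX_RESTORECON_SET_SPECFILE_CTX 0x0004
#define SELINUX_RESTORECON_RECURSE          0x0008
#define SELINUX_RESTORECON_VERBOSE          0x0010
#define SELINUX_RESTORECON_REALPATH         0x0040
#define SELINUX_RESTORECON_XDEV             0x0080
extern int selinux_restorecon(const char *pathname, unsigned int restorecon_flags);
#endif
#pragma weak selinux_restorecon   /* NULL at run time if libselinux is not linked */

/* Build restorecon_flags. audit_only gives a passive check (NOCHANGE) with
 * VERBOSE logging; it also sets IGNORE_DIGEST because a matching stored
 * digest suppresses all checks, so an audit run after an earlier successful
 * relabel would otherwise examine nothing. recurse descends directories and
 * stays on one filesystem (XDEV); full_ctx resets the whole context instead
 * of only the type component. */
unsigned int build_flags(int audit_only, int recurse, int full_ctx)
{
    unsigned int flags = SELINUX_RESTORECON_REALPATH;

    if (recurse)
        flags |= SELINUX_RESTORECON_RECURSE | SELINUX_RESTORECON_XDEV;
    if (audit_only)
        flags |= SELINUX_RESTORECON_NOCHANGE | SELINUX_RESTORECON_IGNORE_DIGEST
               | SELINUX_RESTORECON_VERBOSE;
    if (full_ctx)
        flags |= SELINUX_RESTORECON_SET_SPECFILE_CTX;
    return flags;
}

/* Hex-encode a digest as "getfattr -e hex" prints it. Returns the number of
 * characters written (excluding the NUL), or -1 if out is too small. */
int hex_encode(const unsigned char *in, size_t inlen, char *out, size_t outlen)
{
    static const char digits[] = "0123456789abcdef";

    if (outlen < inlen * 2 + 1)
        return -1;
    for (size_t i = 0; i < inlen; i++) {
        out[2 * i] = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[inlen * 2] = '\0';
    return (int)(inlen * 2);
}

/* Read security.restorecon_last from path as hex. Returns the digest length
 * in bytes, 0 if no digest is stored (not a recursive run, NOCHANGE set, or
 * a filesystem without xattr support), or -1 with errno set otherwise. */
int read_restorecon_digest(const char *path, char *hex, size_t hexlen)
{
    unsigned char raw[64];
    ssize_t n = getxattr(path, "security.restorecon_last", raw, sizeof raw);

    if (n < 0 && (errno == ENODATA || errno == ENOTSUP)) {
        hex[0] = '\0';
        return 0;
    }
    if (n < 0)
        return -1;                      /* errno set by getxattr */
    if (hex_encode(raw, (size_t)n, hex, hexlen) < 0) {
        errno = ERANGE;
        return -1;
    }
    return (int)n;
}

/* Relabel or audit path, then fetch the digest left behind into hex.
 * Returns the digest length (0 if none), or -1 with errno set; errno is
 * ENOSYS when the program was not linked against libselinux. */
int relabel_checked(const char *path, unsigned int flags, char *hex, size_t hexlen)
{
    if (!selinux_restorecon) {
        errno = ENOSYS;
        return -1;
    }
    if (selinux_restorecon(path, flags) < 0)
        return -1;                      /* errno set by libselinux */
    return read_restorecon_digest(path, hex, hexlen);
}
```

       A typical caller runs relabel_checked(dir, build_flags(1, 1, 0), hex,
       sizeof hex) as root on an SELinux host to report mislabeled files
       without touching them, and build_flags(0, 1, 0) to actually relabel.
       The audit mode pairs SELINUX_RESTORECON_NOCHANGE with
       SELINUX_RESTORECON_IGNORE_DIGEST deliberately: the description above
       states that a matching digest skips all relabeling checks, so a
       passive audit that omits IGNORE_DIGEST after a successful recursive
       relabel would silently examine nothing, even if individual files had
       since been relabeled by hand.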
SEE ALSO
       selinux_restorecon_set_sehandle(3),
       selinux_restorecon_default_handle(3),
       selinux_restorecon_set_exclude_list(3)

Security Enhanced Linux             20 Oct 2015             selinux_restorecon(3)