selinux_restorecon(3)        SELinux API documentation       selinux_restorecon(3)

NAME
       selinux_restorecon - restore file(s) default SELinux security contexts

SYNOPSIS
       #include <selinux/restorecon.h>

       int selinux_restorecon(const char *pathname,
                              unsigned int restorecon_flags);

DESCRIPTION
       selinux_restorecon() restores file default security contexts on
       filesystems that support extended attributes (see xattr(7)), based on:

       pathname
              containing a directory or file to be relabeled. If this is a
              directory and the restorecon_flags SELINUX_RESTORECON_RECURSE
              flag has been set (for descending through directories), then
              selinux_restorecon() will write a SHA1 digest of the combined
              specfiles (see the NOTES section for details) to an extended
              attribute named security.restorecon_last once the relabeling
              has been completed successfully. This digest will be checked
              should selinux_restorecon() be rerun with the restorecon_flags
              SELINUX_RESTORECON_RECURSE flag set. If any of the specfiles
              have been updated, the digest will also be updated. However,
              if the digest is the same, no relabeling checks will take
              place (unless the SELINUX_RESTORECON_IGNORE_DIGEST flag is
              set).

       restorecon_flags
              contains the labeling options/rules as follows:

              SELINUX_RESTORECON_IGNORE_DIGEST
                     force the checking of labels even if the stored SHA1
                     digest matches the specfiles SHA1 digest. The
                     specfiles digest will be written to the
                     security.restorecon_last extended attribute once
                     relabeling has been completed successfully, provided
                     the SELINUX_RESTORECON_NOCHANGE flag has not been set.

              SELINUX_RESTORECON_NOCHANGE
                     don't change any file labels (passive check) or update
                     the digest in the security.restorecon_last extended
                     attribute.

              SELINUX_RESTORECON_SET_SPECFILE_CTX
                     if set, reset the file's label to match the default
                     specfile context. If not set, only reset the file's
                     "type" component of the context to match the default
                     specfile context.

              SELINUX_RESTORECON_RECURSE
                     change file and directory labels recursively (descend
                     directories) and, if successful, write a SHA1 digest of
                     the combined specfiles to an extended attribute as
                     described in the NOTES section.

              SELINUX_RESTORECON_VERBOSE
                     log file label changes. Note that if both the
                     SELINUX_RESTORECON_VERBOSE and
                     SELINUX_RESTORECON_PROGRESS flags are set, then
                     SELINUX_RESTORECON_PROGRESS will take precedence.

              SELINUX_RESTORECON_PROGRESS
                     show progress by outputting the number of files
                     processed, in 1k blocks, to stdout. If the
                     SELINUX_RESTORECON_MASS_RELABEL flag is also set, then
                     the approximate percentage complete will be shown.

              SELINUX_RESTORECON_MASS_RELABEL
                     generally set when relabeling the entire OS; the
                     approximate percentage complete will then be shown.
                     The SELINUX_RESTORECON_PROGRESS flag must also be set.

              SELINUX_RESTORECON_REALPATH
                     convert the passed-in pathname to the canonical
                     pathname using realpath(3).

              SELINUX_RESTORECON_XDEV
                     prevent descending into directories that have a
                     different device number than the pathname entry from
                     which the descent began.

              SELINUX_RESTORECON_ADD_ASSOC
                     attempt to add an association between an inode and a
                     specification. If there is already an association for
                     the inode and it conflicts with the specification,
                     then use the last matching specification.

              SELINUX_RESTORECON_ABORT_ON_ERROR
                     abort on errors during the file tree walk.

              SELINUX_RESTORECON_SYSLOG_CHANGES
                     log any label changes to syslog(3).

              SELINUX_RESTORECON_LOG_MATCHES
                     log which specfile context matched each file.

              SELINUX_RESTORECON_IGNORE_NOENTRY
                     ignore files that do not exist.

              SELINUX_RESTORECON_IGNORE_MOUNTS
                     do not read /proc/mounts to obtain a list of
                     non-seclabel mounts to be excluded from relabeling
                     checks. Setting SELINUX_RESTORECON_IGNORE_MOUNTS is
                     useful where there is a non-seclabel fs mounted with a
                     seclabel fs mounted on a directory below it.

       The behavior regarding the checking and updating of the SHA1 digest
       described above is the default behavior. It is possible to change
       this by first calling selabel_open(3) without enabling the
       SELABEL_OPT_DIGEST option, then calling
       selinux_restorecon_set_sehandle(3) to set the handle to be used by
       selinux_restorecon(3).

       If the pathname is a directory path, then it is possible to set
       directories to be excluded from the path by calling
       selinux_restorecon_set_exclude_list(3) with a NULL terminated list
       before calling selinux_restorecon(3).

       By default selinux_restorecon(3) reads /proc/mounts to obtain a list
       of non-seclabel mounts to be excluded from relabeling checks, unless
       the SELINUX_RESTORECON_IGNORE_MOUNTS flag has been set.
RETURN VALUE
       On success, zero is returned. On error, -1 is returned and errno is
       set appropriately.

NOTES
       1. To improve performance when relabeling file systems recursively
          (i.e. the restorecon_flags SELINUX_RESTORECON_RECURSE flag is
          set), selinux_restorecon() will write a SHA1 digest of the
          specfiles that are processed by selabel_open(3) to an extended
          attribute named security.restorecon_last on the directory
          specified in the pathname.

       2. To check the extended attribute entry use getfattr(1), for
          example:

              getfattr -e hex -n security.restorecon_last /

       3. The SHA1 digest is calculated by selabel_open(3) concatenating
          the specfiles it reads during initialisation; the resulting
          digest and list of specfiles can be retrieved by
          selabel_digest(3).

       4. The specfiles consist of the mandatory file_contexts file plus
          any subs, subs_dist, local and homedir entries (text or binary
          versions), as determined by any selabel_open(3) options, e.g.
          SELABEL_OPT_BASEONLY.

          Should any of the specfiles have changed, then when
          selinux_restorecon() is run again with the
          SELINUX_RESTORECON_RECURSE flag set, a new SHA1 digest will be
          calculated and all files will be automatically relabeled
          depending on the setting of the
          SELINUX_RESTORECON_SET_SPECFILE_CTX flag (provided
          SELINUX_RESTORECON_NOCHANGE is not set).

       5. /sys and in-memory filesystems do not support the
          security.restorecon_last extended attribute and are
          automatically excluded from any relabeling checks.

       6. By default stderr is used to log output messages and errors.
          This may be changed by calling selinux_set_callback(3) with the
          SELINUX_CB_LOG type option.
SEE ALSO
       selinux_restorecon_set_sehandle(3),
       selinux_restorecon_default_handle(3),
       selinux_restorecon_set_exclude_list(3),
       selinux_restorecon_set_alt_rootpath(3),
       selinux_restorecon_xattr(3),
       selinux_set_callback(3)

Security Enhanced Linux            20 Oct 2015           selinux_restorecon(3)