1selinux_restorecon_xattr(3)SELinux API documentationselinux_restorecon_xattr(3)
2
3
4
6 selinux_restorecon_xattr - manage default security.restorecon_last
7 extended attribute entries added by selinux_restorecon(3), setfiles(8)
8 or restorecon(8).
9
10
12 #include <selinux/restorecon.h>
13
14 int selinux_restorecon_xattr(const char *pathname,
15 unsigned int xattr_flags,
16 struct dir_xattr ***xattr_list);
17
19 selinux_restorecon_xattr() returns a linked list of dir_xattr struc‐
20 tures containing information described below based on:
21
22 pathname containing a directory tree to be searched for secu‐
23 rity.restorecon_last extended attribute entries.
24
25 xattr_flags contains options as follows:
26
27
28 SELINUX_RESTORECON_XATTR_RECURSE recursively descend
29 directories.
30
31 SELINUX_RESTORECON_XATTR_DELETE_NONMATCH_DIGESTS delete
32 non-matching digests from each directory in pathname.
33
34 SELINUX_RESTORECON_XATTR_DELETE_ALL_DIGESTS delete all
35 digests from each directory in pathname.
36
37 SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS do not read
38 /proc/mounts to obtain a list of non-seclabel mounts to
39 be excluded from the search.
40 Setting SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS is useful
41 where there is a non-seclabel fs mounted with a seclabel
42 fs mounted on a directory below this.
43
44 xattr_list is the returned pointer to a linked list of dir_xattr
45 structures, each containing the following information:
46
47 struct dir_xattr {
48 char *directory;
49 char *digest; /* Printable hex encoded string */
50 enum digest_result result;
51 struct dir_xattr *next;
52 };
53
54 The result entry is enumerated as follows:
55 enum digest_result {
56 MATCH = 0,
57 NOMATCH,
58 DELETED_MATCH,
59 DELETED_NOMATCH,
60 ERROR
61 };
62
63 xattr_list must be set to NULL before calling selinux_restore‐
64 con_xattr(3). The caller is responsible for freeing the
65 returned xattr_list entries in the linked list.
66
67 See the NOTES section for more information.
68
69
71 On success, zero is returned. On error, -1 is returned and errno is
72 set appropriately.
73
74
76 1. By default selinux_restorecon_xattr(3) will use the default set of
77 specfiles described in files_contexts(5) to calculate the initial
78 SHA1 digest to be used for comparison. To change this default
79 behavior selabel_open(3) must be called specifying the required
80 SELABEL_OPT_PATH and setting the SELABEL_OPT_DIGEST option to a
81 non-NULL value. selinux_restorecon_set_sehandle(3) is then called
82 to set the handle to be used by selinux_restorecon_xattr(3).
83
84 2. By default selinux_restorecon_xattr(3) reads /proc/mounts to obtain
85 a list of non-seclabel mounts to be excluded from searches unless
86 the SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS flag has been set.
87
88 3. RAMFS and TMPFS filesystems do not support the security.restore‐
89 con_last extended attribute and are automatically excluded from
90 searches.
91
92 4. By default stderr is used to log output messages and errors. This
93 may be changed by calling selinux_set_callback(3) with the
94 SELINUX_CB_LOG type option.
95
96
98 selinux_restorecon(3)
99 selinux_restorecon_set_sehandle(3),
100 selinux_restorecon_default_handle(3),
101 selinux_restorecon_set_exclude_list(3),
102 selinux_restorecon_set_alt_rootpath(3),
103 selinux_set_callback(3)
104
105
106
107 30 July 2016 selinux_restorecon_xattr(3)