selinux_restorecon(3)      SELinux API documentation     selinux_restorecon(3)


NAME

       selinux_restorecon - restore file(s) default SELinux security contexts


SYNOPSIS

       #include <selinux/restorecon.h>

       int selinux_restorecon(const char *pathname,
                              unsigned int restorecon_flags);


DESCRIPTION

       selinux_restorecon() restores file default security contexts on
       filesystems that support extended attributes (see xattr(7)), based on:

              pathname containing a directory or file to be relabeled.
              If this is a directory and the restorecon_flags
              SELINUX_RESTORECON_RECURSE has been set (for descending through
              directories), then selinux_restorecon() will write an SHA1
              digest of specfile entries calculated by
              selabel_get_digests_all_partial_matches(3) to an extended
              attribute of security.sehash once the relabeling has been
              completed successfully (see the NOTES section for details).
              These digests will be checked should selinux_restorecon() be
              rerun with the restorecon_flags SELINUX_RESTORECON_RECURSE flag
              set. If any of the specfile entries had been updated, the digest
              will also be updated. However, if the digest is the same, no
              relabeling checks will take place.
              The restorecon_flags that can be used to manage the usage of the
              SHA1 digest are:
                     SELINUX_RESTORECON_SKIP_DIGEST
                     SELINUX_RESTORECON_IGNORE_DIGEST

              restorecon_flags contains the labeling options/rules as follows:

                     SELINUX_RESTORECON_SKIP_DIGEST Do not check or update any
                     extended attribute security.sehash entries.

                     SELINUX_RESTORECON_IGNORE_DIGEST force the checking of
                     labels even if the stored SHA1 digest matches the
                     specfile entries SHA1 digest. The specfile entries digest
                     will be written to the security.sehash extended attribute
                     once relabeling has been completed successfully, provided
                     the SELINUX_RESTORECON_NOCHANGE flag has not been set.

                     SELINUX_RESTORECON_NOCHANGE don't change any file labels
                     (passive check) or update the digest in the
                     security.sehash extended attribute.

                     SELINUX_RESTORECON_SET_SPECFILE_CTX If set, reset the
                     file's label to match the default specfile context. If
                     not set, only reset the file's "type" component of the
                     context to match the default specfile context.

                     SELINUX_RESTORECON_RECURSE change file and directory
                     labels recursively (descend directories) and, if
                     successful, write an SHA1 digest of the specfile entries
                     to an extended attribute as described in the NOTES
                     section.

                     SELINUX_RESTORECON_VERBOSE log file label changes.
                            Note that if SELINUX_RESTORECON_VERBOSE and
                            SELINUX_RESTORECON_PROGRESS flags are set, then
                            SELINUX_RESTORECON_PROGRESS will take precedence.

                     SELINUX_RESTORECON_PROGRESS show progress by outputting
                     the number of files in 1k blocks processed to stdout. If
                     the SELINUX_RESTORECON_MASS_RELABEL flag is also set then
                     the approximate percentage complete will be shown.

                     SELINUX_RESTORECON_MASS_RELABEL generally set when
                     relabeling the entire OS; progress output will then show
                     the approximate percentage complete. The
                     SELINUX_RESTORECON_PROGRESS flag must also be set.

                     SELINUX_RESTORECON_REALPATH convert passed-in pathname to
                     the canonical pathname using realpath(3).

                     SELINUX_RESTORECON_XDEV prevent descending into
                     directories that have a different device number than the
                     pathname entry from which the descent began.

                     SELINUX_RESTORECON_ADD_ASSOC attempt to add an
                     association between an inode and a specification. If
                     there is already an association for the inode and it
                     conflicts with the specification, then use the last
                     matching specification.

                     SELINUX_RESTORECON_ABORT_ON_ERROR abort on errors during
                     the file tree walk.

                     SELINUX_RESTORECON_SYSLOG_CHANGES log any label changes
                     to syslog(3).

                     SELINUX_RESTORECON_LOG_MATCHES log what specfile context
                     matched each file.

                     SELINUX_RESTORECON_IGNORE_NOENTRY ignore files that do
                     not exist.

                     SELINUX_RESTORECON_IGNORE_MOUNTS do not read /proc/mounts
                     to obtain a list of non-seclabel mounts to be excluded
                     from relabeling checks.
                     Setting SELINUX_RESTORECON_IGNORE_MOUNTS is useful where
                     there is a non-seclabel fs mounted with a seclabel fs
                     mounted on a directory below this.

                     SELINUX_RESTORECON_CONFLICT_ERROR treat conflicting
                     specifications, such as where two hardlinks for the same
                     inode have different contexts, as errors.

              The behavior regarding the checking and updating of the SHA1
              digest described above is the default behavior. It is possible
              to change this by first calling selabel_open(3) without enabling
              the SELABEL_OPT_DIGEST option, then calling
              selinux_restorecon_set_sehandle(3) to set the handle to be used
              by selinux_restorecon(3).

              If the pathname is a directory path, then it is possible to set
              directories to be excluded from the path by calling
              selinux_restorecon_set_exclude_list(3) with a NULL terminated
              list before calling selinux_restorecon(3).

              By default selinux_restorecon(3) reads /proc/mounts to obtain a
              list of non-seclabel mounts to be excluded from relabeling
              checks unless the SELINUX_RESTORECON_IGNORE_MOUNTS flag has been
              set.


RETURN VALUE

       On success, zero is returned. On error, -1 is returned and errno is
       set appropriately.


NOTES

       1.  To improve performance when relabeling file systems recursively
           (e.g. the restorecon_flags SELINUX_RESTORECON_RECURSE flag is set)
           selinux_restorecon() will write a calculated SHA1 digest of the
           specfile entries returned by
           selabel_get_digests_all_partial_matches(3) to an extended
           attribute named security.sehash for each directory in the
           pathname path.

       2.  To check the extended attribute entry use getfattr(1), for example:

                  getfattr -e hex -n security.sehash /

       3.  Should any of the specfile entries have changed, then when
           selinux_restorecon() is run again with the
           SELINUX_RESTORECON_RECURSE flag set, new SHA1 digests will be
           calculated and all files automatically relabeled depending on the
           settings of the SELINUX_RESTORECON_SET_SPECFILE_CTX flag (provided
           SELINUX_RESTORECON_NOCHANGE is not set).

       4.  /sys and in-memory filesystems do not support the security.sehash
           extended attribute and are automatically excluded from any
           relabeling checks.

       5.  By default stderr is used to log output messages and errors. This
           may be changed by calling selinux_set_callback(3) with the
           SELINUX_CB_LOG type option.

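       The following is an added example, not part of the libselinux man page
       or source, showing the programmatic counterpart of the getfattr(1)
       check in note 2: it reads the security.sehash attribute that
       selinux_restorecon() leaves on a directory after a successful
       recursive run and reports it as hex. It needs only <sys/xattr.h>, so
       it builds without libselinux. It assumes a Linux system and that the
       stored value is a raw 20-byte SHA1 digest as the NOTES describe; a
       missing attribute (a tree never relabeled recursively, or a
       filesystem such as /sys that does not support it) is reported
       separately from other errors.

```c
/* Added example, not from the libselinux man page or source.
 * Build: cc sehash.c ; Usage: ./sehash [DIR]
 * Assumes Linux and that security.sehash holds a raw SHA1 digest. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>

#define SEHASH_XATTR "security.sehash"
#define SHA1_LEN 20   /* length of the digest selinux_restorecon() stores */

/* Hex-encode n bytes from in into out (out needs 2*n+1 bytes). Returns out. */
char *hex_encode(const unsigned char *in, size_t n, char *out)
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * n] = '\0';
    return out;
}

/* Read the digest stored on dir into out (at least 2*SHA1_LEN+1 bytes).
 * Returns 1 if a well-formed digest was found, 0 if no digest is stored
 * (ENODATA) or the filesystem does not support the attribute (ENOTSUP),
 * and -1 on any other error with errno set. */
int read_sehash(const char *dir, char *out)
{
    unsigned char raw[64];   /* larger than SHA1_LEN so we can detect odd sizes */
    ssize_t n = getxattr(dir, SEHASH_XATTR, raw, sizeof raw);

    if (n < 0) {
        if (errno == ENODATA || errno == ENOTSUP)
            return 0;
        return -1;           /* ENOENT, EACCES, ERANGE, ... */
    }
    if (n != SHA1_LEN) {     /* something other than restorecon wrote it */
        errno = EINVAL;
        return -1;
    }
    hex_encode(raw, (size_t)n, out);
    return 1;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/";
    char hex[2 * SHA1_LEN + 1];

    switch (read_sehash(dir, hex)) {
    case 1:
        printf("%s: %s=0x%s\n", dir, SEHASH_XATTR, hex);
        return 0;
    case 0:
        printf("%s: no %s digest stored\n", dir, SEHASH_XATTR);
        return 0;
    default:
        fprintf(stderr, "%s: %s\n", dir, strerror(errno));
        return 1;
    }
}
```

       A stored digest only says that the specfile entries were unchanged
       since the last successful recursive run; it does not prove the labels
       under that directory are still correct, which is why a passive
       selinux_restorecon() pass with SELINUX_RESTORECON_IGNORE_DIGEST is
       the check to run when that matters.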

SEE ALSO

       selabel_get_digests_all_partial_matches(3),
       selinux_restorecon_set_sehandle(3),
       selinux_restorecon_default_handle(3),
       selinux_restorecon_set_exclude_list(3),
       selinux_restorecon_set_alt_rootpath(3),
       selinux_restorecon_xattr(3),
       selinux_set_callback(3)

Security Enhanced Linux           20 Oct 2015            selinux_restorecon(3)