1selinux_restorecon(3) SELinux API documentation selinux_restorecon(3)
2
6 selinux_restorecon - restore file(s) default SELinux security contexts
7
9 #include <selinux/restorecon.h>
10 int selinux_restorecon(const char *pathname,
12 unsigned int restorecon_flags);
13
15 selinux_restorecon() restores file default security contexts on
16 filesystems that support extended attributes (see xattr(7)), based on:
17 pathname containing a directory or file to be relabeled.
19 If this is a directory and the restorecon_flags SELINUX_RESTORE‐
20 CON_RECURSE has been set (for descending through directories),
21 then selinux_restorecon() will write an SHA1 digest of specfile
22 entries calculated by selabel_get_digests_all_partial_matches(3)
23 to an extended attribute of security.sehash once the relabeling
24 has been completed successfully (see the NOTES section for
25 details).
26 These digests will be checked should selinux_restorecon() be
27 rerun with the restorecon_flags SELINUX_RESTORECON_RECURSE flag
28 set. If any of the specfile entries had been updated, the digest
29 will also be updated. However if the digest is the same, no
30 relabeling checks will take place.
31 The restorecon_flags that can be used to manage the usage of the
32 SHA1 digest are:
33 SELINUX_RESTORECON_SKIP_DIGEST
34 SELINUX_RESTORECON_IGNORE_DIGEST
35 restorecon_flags contains the labeling option/rules as follows:
37 SELINUX_RESTORECON_SKIP_DIGEST Do not check or update any
40 extended attribute security.sehash entries.
41 SELINUX_RESTORECON_IGNORE_DIGEST force the checking of
43 labels even if the stored SHA1 digest matches the spec‐
44 file entries SHA1 digest. The specfile entries digest
45 will be written to the security.sehash extended attribute
46 once relabeling has been completed successfully provided
47 the SELINUX_RESTORECON_NOCHANGE flag has not been set.
48 SELINUX_RESTORECON_NOCHANGE don't change any file labels
50 (passive check) or update the digest in the secu‐
51 rity.sehash extended attribute.
52 SELINUX_RESTORECON_SET_SPECFILE_CTX If set, reset the
54 files label to match the default specfile context. If
55 not set only reset the files "type" component of the con‐
56 text to match the default specfile context.
57 SELINUX_RESTORECON_RECURSE change file and directory
59 labels recursively (descend directories) and if success‐
60 ful write an SHA1 digest of the specfile entries to an
61 extended attribute as described in the NOTES section.
62 SELINUX_RESTORECON_VERBOSE log file label changes.
64 Note that if SELINUX_RESTORECON_VERBOSE and
65 SELINUX_RESTORECON_PROGRESS flags are set, then
66 SELINUX_RESTORECON_PROGRESS will take precedence.
67 SELINUX_RESTORECON_PROGRESS show progress by outputting
69 the number of files in 1k blocks processed to stdout. If
70 the SELINUX_RESTORECON_MASS_RELABEL flag is also set then
71 the approximate percentage complete will be shown.
72 SELINUX_RESTORECON_MASS_RELABEL generally set when rela‐
74 beling the entire OS, that will then show the approximate
75 percentage complete. The SELINUX_RESTORECON_PROGRESS flag
76 must also be set.
77 SELINUX_RESTORECON_REALPATH convert passed-in pathname to
79 the canonical pathname using realpath(3).
80 SELINUX_RESTORECON_XDEV prevent descending into directo‐
82 ries that have a different device number than the path‐
83 name entry from which the descent began.
84 SELINUX_RESTORECON_ADD_ASSOC attempt to add an associa‐
86 tion between an inode and a specification. If there is
87 already an association for the inode and it conflicts
88 with the specification, then use the last matching speci‐
89 fication.
90 SELINUX_RESTORECON_ABORT_ON_ERROR abort on errors during
92 the file tree walk.
93 SELINUX_RESTORECON_SYSLOG_CHANGES log any label changes
95 to syslog(3).
96 SELINUX_RESTORECON_LOG_MATCHES log what specfile context
98 matched each file.
99 SELINUX_RESTORECON_IGNORE_NOENTRY ignore files that do
101 not exist.
102 SELINUX_RESTORECON_IGNORE_MOUNTS do not read /proc/mounts
104 to obtain a list of non-seclabel mounts to be excluded
105 from relabeling checks.
106 Setting SELINUX_RESTORECON_IGNORE_MOUNTS is useful where
107 there is a non-seclabel fs mounted with a seclabel fs
108 mounted on a directory below this.
109 SELINUX_RESTORECON_CONFLICT_ERROR to treat conflicting
111 specifications, such as where two hardlinks for the same
112 inode have different contexts, as errors.
113 The behavior regarding the checking and updating of the SHA1
115 digest described above is the default behavior. It is possible
116 to change this by first calling selabel_open(3) and not enabling
117 the SELABEL_OPT_DIGEST option, then calling selinux_restore‐
118 con_set_sehandle(3) to set the handle to be used by
119 selinux_restorecon(3).
120 If the pathname is a directory path, then it is possible to set
122 directories to be excluded from the path by calling
123 selinux_restorecon_set_exclude_list(3) with a NULL terminated
124 list before calling selinux_restorecon(3).
125 By default selinux_restorecon(3) reads /proc/mounts to obtain a
127 list of non-seclabel mounts to be excluded from relabeling
128 checks unless the SELINUX_RESTORECON_IGNORE_MOUNTS flag has been
129 set.
130
132 On success, zero is returned. On error, -1 is returned and errno is
133 set appropriately.
134
136 1. To improve performance when relabeling file systems recursively
137 (e.g. the restorecon_flags SELINUX_RESTORECON_RECURSE flag is set)
138 selinux_restorecon() will write a calculated SHA1 digest of the
139 specfile entries returned by selabel_get_digests_all_par‐
140 tial_matches(3) to an extended attribute named security.sehash for
141 each directory in the pathname path.
142 2. To check the extended attribute entry use getfattr(1), for example:
144 getfattr -e hex -n security.sehash /
146 3. Should any of the specfile entries have changed, then when
148 selinux_restorecon() is run again with the SELINUX_RESTORE‐
149 CON_RECURSE flag set, new SHA1 digests will be calculated and all
150 files automatically relabeled depending on the settings of the
151 SELINUX_RESTORECON_SET_SPECFILE_CTX flag (provided SELINUX_RESTORE‐
152 CON_NOCHANGE is not set).
153 4. /sys and in-memory filesystems do not support the security.sehash
155 extended attribute and are automatically excluded from any relabel‐
156 ing checks.
157 5. By default stderr is used to log output messages and errors. This
159 may be changed by calling selinux_set_callback(3) with the
160 SELINUX_CB_LOG type option.
161
163 selabel_get_digests_all_partial_matches(3),
164 selinux_restorecon_set_sehandle(3),
165 selinux_restorecon_default_handle(3),
166 selinux_restorecon_set_exclude_list(3),
167 selinux_restorecon_set_alt_rootpath(3),
168 selinux_restorecon_xattr(3),
169 selinux_set_callback(3)
170Security Enhanced Linux 20 Oct 2015 selinux_restorecon(3)