
selinux_restorecon(3)     SELinux API documentation    selinux_restorecon(3)

NAME

       selinux_restorecon - restore the default SELinux security contexts of
       files and directories

SYNOPSIS

       #include <selinux/restorecon.h>

       int selinux_restorecon(const char *pathname,
                              unsigned int restorecon_flags);

DESCRIPTION

       selinux_restorecon() restores the default SELinux security contexts
       of files on filesystems that support extended attributes (see
       xattr(7)), based on:

              pathname containing a directory or file to be relabeled.
              If this is a directory and the restorecon_flags
              SELINUX_RESTORECON_RECURSE flag has been set (for descending
              through directories), then selinux_restorecon() will write a
              SHA1 digest of the combined specfiles (see the NOTES section
              for details) to the extended attribute
              security.restorecon_last of that directory once the
              relabeling has been completed successfully. This digest will
              be checked should selinux_restorecon() be rerun with the
              SELINUX_RESTORECON_RECURSE flag set. If any of the specfiles
              have changed since then, the stored digest will no longer
              match, the tree will be relabeled again and the new digest
              stored. If the digest is the same, no relabeling checks will
              take place (unless the SELINUX_RESTORECON_IGNORE_DIGEST flag
              is set); note that this means labels altered under that
              directory by some other means are not repaired until the
              digest is ignored or the specfiles change.

              restorecon_flags contains the labeling options, a bitwise OR
              of the following:

                     SELINUX_RESTORECON_IGNORE_DIGEST force the checking of
                     labels even if the stored SHA1 digest matches the
                     specfiles' SHA1 digest. The specfiles' digest will be
                     written to the security.restorecon_last extended
                     attribute once relabeling has been completed
                     successfully, provided the SELINUX_RESTORECON_NOCHANGE
                     flag has not been set.

                     SELINUX_RESTORECON_NOCHANGE don't change any file
                     labels (passive check) or update the digest in the
                     security.restorecon_last extended attribute.

                     SELINUX_RESTORECON_SET_SPECFILE_CTX if set, reset the
                     file's whole label to match the default specfile
                     context. If not set, only reset the "type" component of
                     the file's context to match the default specfile
                     context, leaving the user, role and level components as
                     they are.

                     SELINUX_RESTORECON_RECURSE change file and directory
                     labels recursively (descend directories) and, if
                     successful, write a SHA1 digest of the combined
                     specfiles to an extended attribute as described in the
                     NOTES section.

                     SELINUX_RESTORECON_VERBOSE log file label changes. Note
                     that if the SELINUX_RESTORECON_VERBOSE and
                     SELINUX_RESTORECON_PROGRESS flags are both set, then
                     SELINUX_RESTORECON_PROGRESS takes precedence.

                     SELINUX_RESTORECON_PROGRESS show progress by writing
                     the number of files processed, in units of 1k files, to
                     stdout. If the SELINUX_RESTORECON_MASS_RELABEL flag is
                     also set then the approximate percentage complete is
                     shown instead.

                     SELINUX_RESTORECON_MASS_RELABEL generally set when
                     relabeling the entire OS; progress is then shown as the
                     approximate percentage complete. The
                     SELINUX_RESTORECON_PROGRESS flag must also be set.

                     SELINUX_RESTORECON_REALPATH convert passed-in pathname
                     to the canonical pathname using realpath(3).

                     SELINUX_RESTORECON_XDEV prevent descending into
                     directories that have a different device number than
                     the pathname entry from which the descent began.

                     SELINUX_RESTORECON_ADD_ASSOC attempt to add an
                     association between an inode and a specification (this
                     is how files with more than one hard link that match
                     different specifications are detected). If there is
                     already an association for the inode and it conflicts
                     with the specification, then use the last matching
                     specification.

                     SELINUX_RESTORECON_ABORT_ON_ERROR abort on errors
                     during the file tree walk.

                     SELINUX_RESTORECON_SYSLOG_CHANGES log any label changes
                     to syslog(3).

                     SELINUX_RESTORECON_LOG_MATCHES log what specfile
                     context matched each file.

                     SELINUX_RESTORECON_IGNORE_NOENTRY ignore files that do
                     not exist.

                     SELINUX_RESTORECON_IGNORE_MOUNTS do not read
                     /proc/mounts to obtain a list of non-seclabel mounts to
                     be excluded from relabeling checks. Setting
                     SELINUX_RESTORECON_IGNORE_MOUNTS is useful where a
                     filesystem without seclabel support has a seclabel
                     filesystem mounted on a directory below it: excluding
                     the outer mount would otherwise also skip the tree
                     beneath it.

              The behavior regarding the checking and updating of the SHA1
              digest described above is the default behavior. It is possible
              to change this by first calling selabel_open(3) and not
              enabling the SELABEL_OPT_DIGEST option, then calling
              selinux_restorecon_set_sehandle(3) to set the handle to be
              used by selinux_restorecon(3).

              If the pathname is a directory path, then it is possible to
              set directories to be excluded from the path by calling
              selinux_restorecon_set_exclude_list(3) with a NULL terminated
              list before calling selinux_restorecon(3).

              By default selinux_restorecon(3) reads /proc/mounts to obtain
              a list of non-seclabel mounts to be excluded from relabeling
              checks unless the SELINUX_RESTORECON_IGNORE_MOUNTS flag has
              been set.
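       The following program is an added example for this page; it is not
       part of libselinux, and the option struct, the helper names and the
       -n/-F/-f switches are this example's own choices. It builds a
       restorecon_flags value from a handful of options, applying the flag
       interactions described above (SELINUX_RESTORECON_MASS_RELABEL
       requiring SELINUX_RESTORECON_PROGRESS, PROGRESS taking precedence
       over VERBOSE, NOCHANGE never storing a digest), then calls
       selinux_restorecon() on the given path and reports a -1 return with
       errno. The fallback flag values under #ifndef are copied from
       <selinux/restorecon.h> only so that the flag logic compiles on a
       host without the header; that they match the installed header is an
       assumption of this example. Build with: cc -o relabel relabel.c
       -lselinux

```c
/*
 * relabel.c: added example for selinux_restorecon(3), not libselinux code.
 * The fallback definitions below exist only so the flag logic compiles on a
 * host without <selinux/restorecon.h>; their values are copied from that
 * header and are an assumption of this example.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#if defined(__has_include)
#  if __has_include(<selinux/restorecon.h>)
#    include <selinux/restorecon.h>
#    define HAVE_SELINUX_RESTORECON_H 1
#  endif
#endif

#ifndef HAVE_SELINUX_RESTORECON_H
#define SELINUX_RESTORECON_IGNORE_DIGEST    0x00001
#define SELINUX_RESTORECON_NOCHANGE         0x00002
#define SELINUX_RESTORECON_SET_SPECFILE_CTX 0x00004
#define SELINUX_RESTORECON_RECURSE          0x00008
#define SELINUX_RESTORECON_VERBOSE          0x00010
#define SELINUX_RESTORECON_PROGRESS         0x00020
#define SELINUX_RESTORECON_REALPATH         0x00040
#define SELINUX_RESTORECON_XDEV             0x00080
#define SELINUX_RESTORECON_MASS_RELABEL     0x04000
int selinux_restorecon(const char *pathname, unsigned int restorecon_flags);
#endif

/* Weak reference: the program still links without -lselinux, and
 * relabel_path() then fails with ENOSYS instead of crashing. */
#pragma weak selinux_restorecon

struct relabel_opts {
    int recurse;       /* descend directories; store and check the digest */
    int passive;       /* report what would change, touch nothing */
    int force;         /* relabel even if the stored digest matches */
    int full_context;  /* reset user:role:type:level, not only the type */
    int one_fs;        /* do not descend into other filesystems */
    int verbose;       /* log each label change */
    int progress;      /* print a running count of files processed */
    int mass_relabel;  /* whole-OS relabel: progress as a percentage */
};

unsigned int build_restorecon_flags(const struct relabel_opts *o)
{
    /* Always canonicalise the argument, so a symlink given on the command
     * line is resolved to the tree it points to rather than relabeled itself. */
    unsigned int flags = SELINUX_RESTORECON_REALPATH;

    if (o->recurse)      flags |= SELINUX_RESTORECON_RECURSE;
    if (o->passive)      flags |= SELINUX_RESTORECON_NOCHANGE;
    if (o->force)        flags |= SELINUX_RESTORECON_IGNORE_DIGEST;
    if (o->full_context) flags |= SELINUX_RESTORECON_SET_SPECFILE_CTX;
    if (o->one_fs)       flags |= SELINUX_RESTORECON_XDEV;
    if (o->progress)     flags |= SELINUX_RESTORECON_PROGRESS;
    if (o->mass_relabel) /* percentage output requires PROGRESS as well */
        flags |= SELINUX_RESTORECON_MASS_RELABEL | SELINUX_RESTORECON_PROGRESS;
    /* PROGRESS takes precedence over VERBOSE, so request VERBOSE only alone. */
    if (o->verbose && !(flags & SELINUX_RESTORECON_PROGRESS))
        flags |= SELINUX_RESTORECON_VERBOSE;
    return flags;
}

/* Returns 0 on success, -1 with errno set, as selinux_restorecon() does. */
int relabel_path(const char *path, const struct relabel_opts *o)
{
    unsigned int flags = build_restorecon_flags(o);

    if (!selinux_restorecon) {      /* weak symbol unresolved: no libselinux */
        errno = ENOSYS;
        return -1;
    }
    if (selinux_restorecon(path, flags) < 0) {
        fprintf(stderr, "selinux_restorecon(%s, 0x%x): %s\n",
                path, flags, strerror(errno));
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Defaults chosen for this example: recursive, verbose, one filesystem. */
    struct relabel_opts o = { .recurse = 1, .one_fs = 1, .verbose = 1 };
    int i;

    for (i = 1; i < argc - 1; i++) {
        if (strcmp(argv[i], "-n") == 0)      o.passive = 1;
        else if (strcmp(argv[i], "-F") == 0) o.full_context = 1;
        else if (strcmp(argv[i], "-f") == 0) o.force = 1;
        else break;
    }
    if (i != argc - 1) {
        fprintf(stderr, "usage: %s [-n] [-F] [-f] <path>\n", argv[0]);
        return 2;
    }
    return relabel_path(argv[i], &o) == 0 ? 0 : 1;
}
```

       Run as root: ./relabel -n /srv/www reports label differences without
       changing labels or the stored digest; ./relabel -f /srv/www relabels
       even when the stored digest matches the current specfiles, which is
       what is needed after labels beneath the directory have been changed
       by something other than a specfile update.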

RETURN VALUE

       On success, zero is returned.  On error, -1 is returned and errno is
       set appropriately.

NOTES

       1.  To improve performance when relabeling file systems recursively
           (i.e. the restorecon_flags SELINUX_RESTORECON_RECURSE flag is
           set) selinux_restorecon() will write a SHA1 digest of the
           specfiles that are processed by selabel_open(3) to an extended
           attribute named security.restorecon_last on the directory
           specified in the pathname.

       2.  To check the extended attribute entry use getfattr(1), for
           example:

                  getfattr -e hex -n security.restorecon_last /

       3.  The SHA1 digest is calculated by selabel_open(3) over the
           concatenation of the specfiles it reads during initialisation;
           the resulting digest and the list of specfiles can be retrieved
           with selabel_digest(3).

       4.  The specfiles consist of the mandatory file_contexts file plus
           any subs, subs_dist, local and homedir entries (text or binary
           versions) as determined by any selabel_open(3) options e.g.
           SELABEL_OPT_BASEONLY.

           Should any of the specfiles have changed, then when
           selinux_restorecon() is run again with the
           SELINUX_RESTORECON_RECURSE flag set, a new SHA1 digest will be
           calculated and all files will be automatically relabeled (the
           whole label or only its "type" component, depending on the
           SELINUX_RESTORECON_SET_SPECFILE_CTX flag), provided
           SELINUX_RESTORECON_NOCHANGE is not set.

       5.  /sys and in-memory filesystems do not support the
           security.restorecon_last extended attribute and are automatically
           excluded from any relabeling checks.

       6.  By default stderr is used to log output messages and errors. This
           may be changed by calling selinux_set_callback(3) with the
           SELINUX_CB_LOG type option.

SEE ALSO

       selinux_restorecon_set_sehandle(3),
       selinux_restorecon_default_handle(3),
       selinux_restorecon_set_exclude_list(3),
       selinux_restorecon_set_alt_rootpath(3),
       selinux_restorecon_xattr(3),
       selinux_set_callback(3)

COLOPHON

       This page is part of the selinux (Security-Enhanced Linux user-space
       libraries and tools) project.  Information about the project can be
       found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩.  If you
       have a bug report for this manual page, see 
       ⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩.  This
       page was obtained from the project's upstream Git repository 
       ⟨https://github.com/SELinuxProject/selinux⟩ on 2017-03-13.  If you
       discover any rendering problems in this HTML version of the page, or
       you believe there is a better or more up-to-date source for the page,
       or you have corrections or improvements to the information in this
       COLOPHON (which is not part of the original manual page), send a mail
       to man-pages@man7.org

Security Enhanced Linux          20 Oct 2015           selinux_restorecon(3)