selinux_restorecon_xattr(3) — Linux manual page


selinux_...on_xattr(3)  SELinux API documentation selinux_...on_xattr(3)

NAME

       selinux_restorecon_xattr - manage default security.sehash
       extended attribute entries added by selinux_restorecon(3),
       setfiles(8) or restorecon(8).

SYNOPSIS

       #include <selinux/restorecon.h>

       int selinux_restorecon_xattr(const char *pathname,
                              unsigned int xattr_flags,
                              struct dir_xattr ***xattr_list);

DESCRIPTION

       selinux_restorecon_xattr() returns a linked list of dir_xattr
       structures containing information described below based on:

              pathname containing a directory tree to be searched for
              security.sehash extended attribute entries.

              xattr_flags contains options as follows:

                     SELINUX_RESTORECON_XATTR_RECURSE recursively
                     descend directories.

                     delete non-matching digests from each directory in

                     all digests from each directory in pathname.

                     SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS do not read
                     /proc/mounts to obtain a list of non-seclabel
                     mounts to be excluded from the search.
                     Setting SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS is
                     useful where there is a non-seclabel fs mounted
                     with a seclabel fs mounted on a directory below

              xattr_list is the returned pointer to a linked list of
              dir_xattr structures, each containing the following

                     struct dir_xattr {
                         char *directory;
                         char *digest;    /* Printable hex encoded string */
                         enum digest_result result;
                         struct dir_xattr *next;
                     };

              The result entry is enumerated as follows:
                     enum digest_result {
                         MATCH = 0,

              xattr_list must be set to NULL before calling
              selinux_restorecon_xattr(3).  The caller is responsible
              for freeing the returned xattr_list entries in the linked

       See the NOTES section for more information.

RETURN VALUE

       On success, zero is returned.  On error, -1 is returned and errno
       is set appropriately.

NOTES

       1.  By default selinux_restorecon_xattr(3) will use the default
           set of specfiles described in file_contexts(5) to calculate
           the SHA1 digests to be used for comparison.  To change this
           default behavior selabel_open(3) must be called specifying
           the required SELABEL_OPT_PATH and setting the
           SELABEL_OPT_DIGEST option to a non-NULL value.
           selinux_restorecon_set_sehandle(3) is then called to set the
           handle to be used by selinux_restorecon_xattr(3).

       2.  By default selinux_restorecon_xattr(3) reads /proc/mounts to
           obtain a list of non-seclabel mounts to be excluded from
           searches unless the SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS
           flag has been set.

       3.  RAMFS and TMPFS filesystems do not support the
           security.sehash extended attribute and are automatically
           excluded from searches.

       4.  By default stderr is used to log output messages and errors.
           This may be changed by calling selinux_set_callback(3) with
           the SELINUX_CB_LOG type option.
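
       Added example (not part of the original manual page or of
       libselinux): a read-only audit that calls
       selinux_restorecon_xattr() with only
       SELINUX_RESTORECON_XATTR_RECURSE, tallies the result codes and
       frees the returned entries.  Assumptions: the USE_LIBSELINUX build
       switch and the helper names are hypothetical, the enum values
       after MATCH come from <selinux/restorecon.h>, and the directory
       and digest strings are treated as caller-owned.

```c
#include <stdlib.h>
#include <string.h>
#ifdef USE_LIBSELINUX   /* hypothetical switch: cc -DUSE_LIBSELINUX file.c -lselinux */
#include <selinux/restorecon.h>
#else   /* local mirror; values after MATCH come from <selinux/restorecon.h> */
enum digest_result { MATCH = 0, NOMATCH, DELETED_MATCH, DELETED_NOMATCH, ERROR };
struct dir_xattr {
    char *directory, *digest;
    enum digest_result result;
    struct dir_xattr *next;
};
#endif

/* Tally entries per result code; returns how many were not MATCH. */
size_t tally_results(const struct dir_xattr *e, size_t counts[5])
{
    size_t stale = 0;
    memset(counts, 0, 5 * sizeof counts[0]);
    for (; e; e = e->next) {
        if ((unsigned)e->result <= (unsigned)ERROR) counts[e->result]++;
        stale += (e->result != MATCH);
    }
    return stale;
}

/* Free each node and its strings (assumed caller-owned); returns nodes freed. */
size_t free_entries(struct dir_xattr *e)
{
    size_t n = 0;
    for (struct dir_xattr *next; e; e = next, n++) {
        next = e->next;
        free(e->directory);
        free(e->digest);
        free(e);
    }
    return n;
}

#ifdef USE_LIBSELINUX   /* read-only audit: no delete flag, so no xattr is removed */
long audit_tree(const char *path, size_t counts[5])
{
    struct dir_xattr **list = NULL;   /* must be NULL before the call */
    if (selinux_restorecon_xattr(path, SELINUX_RESTORECON_XATTR_RECURSE, &list) < 0)
        return -1;                    /* errno is set by the library */
    long stale = (long)tally_results(list ? *list : NULL, counts);
    free_entries(list ? *list : NULL);
    return stale;
}
#endif
```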

SEE ALSO


COLOPHON

       This page is part of the selinux (Security-Enhanced Linux
       user-space libraries and tools) project.  This page was obtained
       from the project's upstream Git repository on 2023-12-22.  (At
       that time, the date of the most recent commit that was found in
       the repository was 2023-05-11.)

                              30 July 2016        selinux_...on_xattr(3)
