selinux_restorecon(3)      SELinux API documentation     selinux_restorecon(3)
NAME
       selinux_restorecon - restore file(s) default SELinux security contexts
SYNOPSIS
       #include <selinux/restorecon.h>
       int selinux_restorecon(const char *pathname,
                              unsigned int restorecon_flags);
DESCRIPTION
       selinux_restorecon() restores the default security contexts of files on
       filesystems that support extended attributes (see xattr(7)), based on:

              pathname containing a directory or file to be relabeled.

              If this is a directory and the restorecon_flags
              SELINUX_RESTORECON_RECURSE flag has been set (for descending
              through directories), then selinux_restorecon() will write an
              SHA1 digest of the combined specfiles (see the NOTES section for
              details) to the extended attribute security.restorecon_last once
              the relabeling has been completed successfully. This digest will
              be checked should selinux_restorecon() be rerun with the
              SELINUX_RESTORECON_RECURSE flag set. If any of the specfiles have
              been updated, the digest will also be updated. However, if the
              digest is the same, no relabeling checks will take place (unless
              the SELINUX_RESTORECON_IGNORE_DIGEST flag is set). Note that the
              digest records only which specfiles were used, not the state of
              the files: a label changed by hand after a successful recursive
              run will not be revisited while the stored digest still matches.

              restorecon_flags contains the labeling options/rules as follows:

                     SELINUX_RESTORECON_IGNORE_DIGEST force the checking of
                     labels even if the stored SHA1 digest matches the
                     specfiles SHA1 digest. The specfiles digest will be
                     written to the security.restorecon_last extended
                     attribute once relabeling has been completed
                     successfully, provided the SELINUX_RESTORECON_NOCHANGE
                     flag has not been set.

                     SELINUX_RESTORECON_NOCHANGE don't change any file labels
                     (passive check) or update the digest in the
                     security.restorecon_last extended attribute.

                     SELINUX_RESTORECON_SET_SPECFILE_CTX if set, reset the
                     file's label to match the default specfile context. If
                     not set, only reset the "type" component of the file's
                     context to match the default specfile context.

                     SELINUX_RESTORECON_RECURSE change file and directory
                     labels recursively (descend directories) and, if
                     successful, write an SHA1 digest of the combined
                     specfiles to an extended attribute as described in the
                     NOTES section.

                     SELINUX_RESTORECON_VERBOSE log file label changes.
                            Note that if both the SELINUX_RESTORECON_VERBOSE
                            and SELINUX_RESTORECON_PROGRESS flags are set,
                            then SELINUX_RESTORECON_PROGRESS will take
                            precedence.

                     SELINUX_RESTORECON_PROGRESS show progress by outputting
                     the number of files processed (counted in 1k blocks) to
                     stdout. If the SELINUX_RESTORECON_MASS_RELABEL flag is
                     also set then the approximate percentage complete will be
                     shown instead.

                     SELINUX_RESTORECON_MASS_RELABEL generally set when
                     relabeling the entire OS; progress is then shown as an
                     approximate percentage complete. The
                     SELINUX_RESTORECON_PROGRESS flag must also be set.

                     SELINUX_RESTORECON_REALPATH convert the passed-in
                     pathname to the canonical pathname using realpath(3).

                     SELINUX_RESTORECON_XDEV prevent descending into
                     directories that have a different device number than
                     the pathname entry from which the descent began.

                     SELINUX_RESTORECON_ADD_ASSOC attempt to add an
                     association between an inode and a specification. If
                     there is already an association for the inode and it
                     conflicts with the specification, then use the last
                     matching specification.

                     SELINUX_RESTORECON_ABORT_ON_ERROR abort on errors during
                     the file tree walk.

                     SELINUX_RESTORECON_SYSLOG_CHANGES log any label changes
                     to syslog(3).

                     SELINUX_RESTORECON_LOG_MATCHES log which specfile
                     context matched each file.

                     SELINUX_RESTORECON_IGNORE_NOENTRY ignore files that do
                     not exist.

                     SELINUX_RESTORECON_IGNORE_MOUNTS do not read /proc/mounts
                     to obtain a list of non-seclabel mounts to be excluded
                     from relabeling checks.
                     Setting SELINUX_RESTORECON_IGNORE_MOUNTS is useful where
                     a seclabel filesystem is mounted on a directory below a
                     non-seclabel filesystem: excluding the non-seclabel mount
                     would otherwise also skip the seclabel filesystem beneath
                     it.

              The behavior regarding the checking and updating of the SHA1
              digest described above is the default behavior. It is possible
              to change this by first calling selabel_open(3) without
              enabling the SELABEL_OPT_DIGEST option, then calling
              selinux_restorecon_set_sehandle(3) to set the handle to be used
              by selinux_restorecon(3).

              If the pathname is a directory path, then it is possible to set
              directories to be excluded from the walk by calling
              selinux_restorecon_set_exclude_list(3) with a NULL terminated
              list before calling selinux_restorecon(3).

              By default selinux_restorecon(3) reads /proc/mounts to obtain a
              list of non-seclabel mounts to be excluded from relabeling
              checks unless the SELINUX_RESTORECON_IGNORE_MOUNTS flag has been
              set.
RETURN VALUE
       On  success,  zero  is returned.  On error, -1 is returned and errno is
       set appropriately.
NOTES
       1.  To improve performance when relabeling file systems recursively
           (i.e. when the restorecon_flags SELINUX_RESTORECON_RECURSE flag is
           set) selinux_restorecon() will write an SHA1 digest of the
           specfiles that are processed by selabel_open(3) to an extended
           attribute named security.restorecon_last on the directory
           specified by pathname.

       2.  To check the extended attribute entry use getfattr(1), for example:

                  getfattr -e hex -n security.restorecon_last /

       3.  The SHA1 digest is calculated by selabel_open(3) concatenating the
           specfiles it reads during initialisation; the resulting digest and
           the list of specfiles can be retrieved with selabel_digest(3).

       4.  The specfiles consist of the mandatory file_contexts file plus any
           subs, subs_dist, local and homedir entries (text or binary
           versions) as determined by any selabel_open(3) options, e.g.
           SELABEL_OPT_BASEONLY.

           Should any of the specfiles have changed, then when
           selinux_restorecon() is run again with the
           SELINUX_RESTORECON_RECURSE flag set, a new SHA1 digest will be
           calculated and all files will be automatically relabeled,
           depending on the setting of the SELINUX_RESTORECON_SET_SPECFILE_CTX
           flag (provided SELINUX_RESTORECON_NOCHANGE is not set).

       5.  /sys and in-memory filesystems do not support the
           security.restorecon_last extended attribute and are automatically
           excluded from any relabeling checks.

       6.  By default stderr is used to log output messages and errors. This
           may be changed by calling selinux_set_callback(3) with the
           SELINUX_CB_LOG type option.
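       The following program is an added example and is not part of libselinux
       or of this manual page. It is the programmatic form of the getfattr(1)
       check in note 2: it reads security.restorecon_last with getxattr(2)
       and distinguishes a stored digest from "no digest yet" and from a
       filesystem that cannot carry the attribute at all (note 5). It needs
       only the C library, not libselinux. The enum names, the 64-byte
       buffer size and the default path "/" are choices made for the example.

```c
/*
 * Added example (not part of libselinux): inspect the SHA1 digest that a
 * successful recursive selinux_restorecon() run stores in the
 * security.restorecon_last extended attribute. This is the programmatic
 * form of:  getfattr -e hex -n security.restorecon_last /
 * It uses only getxattr(2), so it builds without libselinux:
 *   cc restorecon_digest.c -o restorecon_digest
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define RESTORECON_XATTR "security.restorecon_last"
#define DIGEST_MAX 64                 /* SHA1 is 20 bytes; leave headroom */
#define DIGEST_HEX_MAX (2 * DIGEST_MAX + 1)

enum digest_state {
    DIGEST_PRESENT,      /* digest found: a recursive run completed here */
    DIGEST_ABSENT,       /* xattrs work but no digest has been written yet */
    DIGEST_UNSUPPORTED,  /* no xattr support (e.g. /sys, in-memory fs) */
    DIGEST_ERROR         /* any other failure; errno is preserved */
};

/* Hex-encode len bytes of in into out (needs 2*len+1 bytes). Returns out. */
char *hex_encode(const unsigned char *in, size_t len, char *out)
{
    static const char digits[] = "0123456789abcdef";
    size_t i;

    for (i = 0; i < len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return out;
}

/*
 * Read the stored digest for path. On DIGEST_PRESENT, hex (at least
 * DIGEST_HEX_MAX bytes) receives the lowercase hex form, ready to compare
 * with the output of getfattr(1) or of selabel_digest(3).
 */
enum digest_state read_restorecon_digest(const char *path, char *hex)
{
    unsigned char raw[DIGEST_MAX];
    ssize_t n = getxattr(path, RESTORECON_XATTR, raw, sizeof raw);

    if (n < 0) {
        if (errno == ENODATA)
            return DIGEST_ABSENT;
        if (errno == ENOTSUP)
            return DIGEST_UNSUPPORTED;
        return DIGEST_ERROR;      /* ENOENT, EACCES, ERANGE, ... */
    }
    hex_encode(raw, (size_t)n, hex);
    return DIGEST_PRESENT;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    char hex[DIGEST_HEX_MAX];

    switch (read_restorecon_digest(path, hex)) {
    case DIGEST_PRESENT:
        printf("%s: %s=0x%s\n", path, RESTORECON_XATTR, hex);
        return EXIT_SUCCESS;
    case DIGEST_ABSENT:
        printf("%s: no %s; the next recursive run will check every file\n",
               path, RESTORECON_XATTR);
        return EXIT_SUCCESS;
    case DIGEST_UNSUPPORTED:
        printf("%s: no extended attribute support; excluded from relabeling\n",
               path);
        return EXIT_SUCCESS;
    default:
        fprintf(stderr, "%s: getxattr: %s\n", path, strerror(errno));
        return EXIT_FAILURE;
    }
}
```

       A present digest only records which specfiles the last successful
       recursive run used; it says nothing about labels changed since. To
       re-verify the tree regardless of the digest, rerun selinux_restorecon()
       with SELINUX_RESTORECON_IGNORE_DIGEST set.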
SEE ALSO
       selinux_restorecon_set_sehandle(3),
       selinux_restorecon_default_handle(3),
       selinux_restorecon_set_exclude_list(3),
       selinux_restorecon_set_alt_rootpath(3),
       selinux_restorecon_xattr(3),
       selinux_set_callback(3)
Security Enhanced Linux           20 Oct 2015            selinux_restorecon(3)