.TH "selinux_restorecon" "3" "20 Oct 2015" "Security Enhanced Linux" "SELinux API documentation"
.SH "NAME"
selinux_restorecon \- restore file(s) default SELinux security contexts
.
.SH "SYNOPSIS"
.B #include <selinux/restorecon.h>
.sp
.BI "int selinux_restorecon(const char *" pathname ,
.in +\w'int selinux_restorecon('u
.br
.BI "unsigned int " restorecon_flags ");"
.in
.
.SH "DESCRIPTION"
.BR selinux_restorecon ()
restores file default security contexts on filesystems that support extended
attributes (see
.BR xattr (7)),
based on:
.sp
.RS
.IR pathname
containing a directory or file to be relabeled.
.br
If this is a directory and the
.IR restorecon_flags
.B SELINUX_RESTORECON_RECURSE
has been set (for descending through directories), then
.BR selinux_restorecon ()
will write an SHA1 digest of the combined specfiles (see the
.B NOTES
section for details) to an extended attribute of
.IR security.restorecon_last
once the relabeling has been completed successfully. This digest will be
checked should
.BR selinux_restorecon ()
be rerun
with the
.IR restorecon_flags
.B SELINUX_RESTORECON_RECURSE
flag set. If any of the specfiles had been updated, the digest
will also be updated. However, if the digest is the same, no relabeling checks
will take place (unless the
.B SELINUX_RESTORECON_IGNORE_DIGEST
flag is set).
.sp
.IR restorecon_flags
contains the labeling option/rules as follows:
.sp
.RS
.sp
.B SELINUX_RESTORECON_IGNORE_DIGEST
force the checking of labels even if the stored SHA1 digest matches the
specfiles' SHA1 digest. The specfiles' digest will be written to the
.IR security.restorecon_last
extended attribute once relabeling has been completed successfully provided the
.B SELINUX_RESTORECON_NOCHANGE
flag has not been set.
.sp
.B SELINUX_RESTORECON_NOCHANGE
don't change any file labels (passive check) or update the digest in the
.IR security.restorecon_last
extended attribute.
.sp
.B SELINUX_RESTORECON_SET_SPECFILE_CTX
If set, reset the file's label to match the default specfile context.
If not set, reset only the "type" component of the file's context to match the
default specfile context.
.sp
.B SELINUX_RESTORECON_RECURSE
change file and directory labels recursively (descend directories)
and if successful write an SHA1 digest of the combined specfiles to an
extended attribute as described in the
.B NOTES
section.
.sp
.B SELINUX_RESTORECON_VERBOSE
log file label changes.
.RS
Note that if
.B SELINUX_RESTORECON_VERBOSE
and
.B SELINUX_RESTORECON_PROGRESS
flags are set, then
.B SELINUX_RESTORECON_PROGRESS
will take precedence.
.RE
.sp
.B SELINUX_RESTORECON_PROGRESS
show progress by writing the number of files processed, in units of 1000 (1k),
to stdout. If the
.B SELINUX_RESTORECON_MASS_RELABEL
flag is also set then the approximate percentage complete will be shown.
.sp
.B SELINUX_RESTORECON_MASS_RELABEL
generally set when relabeling the entire OS; the approximate percentage
complete will then be shown. The
.B SELINUX_RESTORECON_PROGRESS
flag must also be set.
.sp
.B SELINUX_RESTORECON_REALPATH
convert passed-in
.I pathname
to the canonical pathname using
.BR realpath (3).
.sp
.B SELINUX_RESTORECON_XDEV
prevent descending into directories that have a different device number than
the
.I pathname
entry from which the descent began.
.sp
.B SELINUX_RESTORECON_ADD_ASSOC
attempt to add an association between an inode and a specification. If there
is already an association for the inode and it conflicts with the
specification, then use the last matching specification.
.sp
.B SELINUX_RESTORECON_ABORT_ON_ERROR
abort on errors during the file tree walk.
.sp
.B SELINUX_RESTORECON_SYSLOG_CHANGES
log any label changes to
.BR syslog (3).
.sp
.B SELINUX_RESTORECON_LOG_MATCHES
log what specfile context matched each file.
.sp
.B SELINUX_RESTORECON_IGNORE_NOENTRY
ignore files that do not exist.
.sp
.B SELINUX_RESTORECON_IGNORE_MOUNTS
do not read
.B /proc/mounts
to obtain a list of non-seclabel mounts to be excluded from relabeling checks.
.br
Setting
.B SELINUX_RESTORECON_IGNORE_MOUNTS
is useful where there is a non-seclabel fs mounted with a seclabel fs mounted
on a directory below this.
.RE
.sp
The behavior regarding the checking and updating of the SHA1 digest described
above is the default behavior. It is possible to change this by first calling
.BR selabel_open (3)
and not enabling the
.B SELABEL_OPT_DIGEST
option, then calling
.BR selinux_restorecon_set_sehandle (3)
to set the handle to be used by
.BR selinux_restorecon (3).
.sp
If the
.I pathname
is a directory path, then it is possible to set directories to be excluded
from the path by calling
.BR selinux_restorecon_set_exclude_list (3)
with a
.B NULL
terminated list before calling
.BR selinux_restorecon (3).
.sp
By default
.BR selinux_restorecon (3)
reads
.B /proc/mounts
to obtain a list of non-seclabel mounts to be excluded from relabeling checks
unless the
.B SELINUX_RESTORECON_IGNORE_MOUNTS
flag has been set.
.RE
.
.SH "RETURN VALUE"
On success, zero is returned. On error, \-1 is returned and
.I errno
is set appropriately.
.
.SH "NOTES"
.IP "1." 4
To improve performance when relabeling file systems recursively (e.g. the
.IR restorecon_flags
.B SELINUX_RESTORECON_RECURSE
flag is set)
.BR selinux_restorecon ()
will write an SHA1 digest of the specfiles that are processed by
.BR selabel_open (3)
to an extended attribute named
.IR security.restorecon_last
on the directory specified in
.IR pathname .
.IP "2." 4
To check the extended attribute entry use
.BR getfattr (1),
for example:
.sp
.RS
.RS
getfattr -e hex -n security.restorecon_last /
.RE
.RE
.IP "3." 4
The SHA1 digest is calculated by
.BR selabel_open (3)
by concatenating the specfiles it reads during initialisation; the
resulting digest and the list of specfiles can be retrieved with
.BR selabel_digest (3).
.IP "4." 4
The specfiles consist of the mandatory
.I file_contexts
file plus any subs, subs_dist, local and homedir entries (text or binary versions)
as determined by any
.BR selabel_open (3)
options e.g.
.BR SELABEL_OPT_BASEONLY .
.sp
Should any of the specfiles have changed, then when
.BR selinux_restorecon ()
is run again with the
.B SELINUX_RESTORECON_RECURSE
flag set, a new SHA1 digest will be calculated and all files will be automatically
relabeled depending on the settings of the
.B SELINUX_RESTORECON_SET_SPECFILE_CTX
flag (provided
.B SELINUX_RESTORECON_NOCHANGE
is not set).
.IP "5." 4
.B /sys
and in-memory filesystems do not support the
.IR security.restorecon_last
extended attribute and are automatically excluded from any relabeling checks.
.IP "6." 4
By default
.B stderr
is used to log output messages and errors. This may be changed by calling
.BR selinux_set_callback (3)
with the
.B SELINUX_CB_LOG
.I type
option.
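.sp
The following is an added example (not part of libselinux or this manual page) that reproduces the digest check described in notes 1 to 4 from the administrator's side: it reads the raw SHA1 bytes stored in the security.restorecon_last extended attribute of a directory, recomputes the SHA1 over the specfiles in the order given, and reports whether a recursive selinux_restorecon() run would skip the relabel, recompute the digest, or find no digest at all. It assumes (labelled in the code) that selabel_open(3) feeds the specfile contents into one SHA1 context in the order it reads them, so a plain SHA1 over the concatenation of the same files in the same order yields the same value; the specfile paths on the command line are the caller's own, not values from this page.

```python
"""Compare a directory's stored restorecon digest with the current specfiles.

Added example, not libselinux code. Run as:
    python3 restorecon_digest.py /  /etc/selinux/targeted/contexts/files/file_contexts ...
with the specfiles listed in the order selabel_open(3) reads them.
"""
import errno
import hashlib
import os
import sys

# Extended attribute written by selinux_restorecon(3) after a successful
# recursive relabel (name taken from the manual page).
RESTORECON_XATTR = "security.restorecon_last"


def specfiles_digest(paths):
    """SHA1 hex digest over the concatenated contents of `paths`, in order.

    Assumption: this matches what selabel_digest(3) reports, because
    selabel_open(3) hashes each specfile it reads into a single SHA1 context.
    """
    h = hashlib.sha1()
    for p in paths:
        with open(p, "rb") as f:
            h.update(f.read())
    return h.hexdigest()


def read_restorecon_last(directory):
    """Hex string of the stored digest, or None when the attribute is absent
    (ENODATA) or the filesystem has no xattr support (ENOTSUP, e.g. /sys or
    in-memory filesystems). Any other error propagates to the caller."""
    try:
        raw = os.getxattr(directory, RESTORECON_XATTR)  # raw 20-byte SHA1
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return raw.hex()


def relabel_status(stored_hex, specfile_paths):
    """Classify what a SELINUX_RESTORECON_RECURSE run would do, per the
    manual page, given the stored digest (or None) and the current specfiles:
      'no-digest'  : nothing stored, so every file is checked
      'up-to-date' : digest matches, relabel checks are skipped unless
                     SELINUX_RESTORECON_IGNORE_DIGEST is set
      'stale'      : specfiles changed, a new digest is written and all
                     files are relabeled (unless SELINUX_RESTORECON_NOCHANGE)
    """
    current = specfiles_digest(specfile_paths)
    if stored_hex is None:
        return "no-digest"
    if stored_hex == current:
        return "up-to-date"
    return "stale"


def check_directory(directory, specfile_paths):
    """Read the xattr from `directory` and return (status, stored, current)."""
    stored = read_restorecon_last(directory)
    return relabel_status(stored, specfile_paths), stored, specfiles_digest(specfile_paths)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: restorecon_digest.py DIRECTORY SPECFILE [SPECFILE ...]")
    status, stored, current = check_directory(sys.argv[1], sys.argv[2:])
    print("stored :", stored)
    print("current:", current)
    print("status :", status)
```

Compare the "stored" line with the output of getfattr -e hex -n security.restorecon_last on the same directory; both show the same bytes, so a mismatch between "stored" and "current" tells you in advance that the next recursive restorecon pass will be a full relabel rather than a quick digest check.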
.
.SH "SEE ALSO"
.BR selinux_restorecon_set_sehandle (3),
.br
.BR selinux_restorecon_default_handle (3),
.br
.BR selinux_restorecon_set_exclude_list (3),
.br
.BR selinux_restorecon_set_alt_rootpath (3),
.br
.BR selinux_restorecon_xattr (3),
.br
.BR selinux_set_callback (3)