suzanne.soy/man-pages
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
gh-pages
man-pages/man3/selinux_restorecon.3.html
Suzanne Soy 4c89183f2b Added man pages from my system
2021-03-31 01:06:50 +01:00

396 lines
9.5 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of selinux_restorecon</TITLE>
</HEAD><BODY>
<H1>selinux_restorecon</H1>
Section: SELinux API documentation (3)<BR>Updated: 20 Oct 2015<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<P>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
selinux_restorecon - restore file(s) default SELinux security contexts
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>
<B>#include &lt;<A HREF="file:///usr/include/selinux/restorecon.h">selinux/restorecon.h</A>&gt;</B>
<P>
<B>int selinux_restorecon(const char *</B><I>pathname</I><B>,</B>
<BR>
<B>unsigned int </B><I>restorecon_flags</I><B>);</B>
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>
<B>selinux_restorecon</B>()
restores file default security contexts on filesystems that support extended
attributes (see
<B><A HREF="/cgi-bin/man/man2html?7+xattr">xattr</A></B>(7)),
based on:
<P>
<DL COMPACT><DT id="1"><DD>
<I>pathname</I>
containing a directory or file to be relabeled.
<BR>
If this is a directory and the
<I>restorecon_flags</I>
<B>SELINUX_RESTORECON_RECURSE</B>
has been set (for descending through directories), then
<B>selinux_restorecon</B>()
will write an SHA1 digest of specfile entries calculated by
<B><A HREF="/cgi-bin/man/man2html?3+selabel_get_digests_all_partial_matches">selabel_get_digests_all_partial_matches</A></B>(3)
to an extended attribute of
<I>security.sehash</I>
once the relabeling has been completed successfully (see the
<B>NOTES</B>
section for details).
<BR>
These digests will be checked should
<B>selinux_restorecon</B>()
be rerun with the
<I>restorecon_flags</I>
<B>SELINUX_RESTORECON_RECURSE</B>
flag set. If any of the specfile entries had been updated, the digest
will also be updated. However if the digest is the same, no relabeling checks
will take place.
<BR>
The
<I>restorecon_flags</I>
that can be used to manage the usage of the SHA1 digest are:
<DL COMPACT><DT id="2"><DD>
<B>SELINUX_RESTORECON_SKIP_DIGEST</B>
<BR>
<B>SELINUX_RESTORECON_IGNORE_DIGEST</B>
</DL>
<P>
<I>restorecon_flags</I>
contains the labeling option/rules as follows:
<P>
<DL COMPACT><DT id="3"><DD>
<P>
<B>SELINUX_RESTORECON_SKIP_DIGEST</B>
Do not check or update any extended attribute
<I>security.sehash</I>
entries.
<P>
<B>SELINUX_RESTORECON_IGNORE_DIGEST</B>
force the checking of labels even if the stored SHA1 digest matches the
specfile entries SHA1 digest. The specfile entries digest will be written to the
<I>security.sehash</I>
extended attribute once relabeling has been completed successfully provided the
<B>SELINUX_RESTORECON_NOCHANGE</B>
flag has not been set.
<P>
<B>SELINUX_RESTORECON_NOCHANGE</B>
don't change any file labels (passive check) or update the digest in the
<I>security.sehash</I>
extended attribute.
<P>
<B>SELINUX_RESTORECON_SET_SPECFILE_CTX</B>
If set, reset the files label to match the default specfile context.
If not set only reset the files &quot;type&quot; component of the context to match the
default specfile context.
<P>
<B>SELINUX_RESTORECON_RECURSE</B>
change file and directory labels recursively (descend directories)
and if successful write an SHA1 digest of the specfile entries to an
extended attribute as described in the
<B>NOTES</B>
section.
<P>
<B>SELINUX_RESTORECON_VERBOSE</B>
log file label changes.
<DL COMPACT><DT id="4"><DD>
Note that if
<B>SELINUX_RESTORECON_VERBOSE</B>
and
<B>SELINUX_RESTORECON_PROGRESS</B>
flags are set, then
<B>SELINUX_RESTORECON_PROGRESS</B>
will take precedence.
</DL>
<P>
<B>SELINUX_RESTORECON_PROGRESS</B>
show progress by outputting the number of files in 1k blocks processed
to stdout. If the
<B>SELINUX_RESTORECON_MASS_RELABEL</B>
flag is also set then the approximate percentage complete will be shown.
<P>
<B>SELINUX_RESTORECON_MASS_RELABEL</B>
generally set when relabeling the entire OS, that will then show the
approximate percentage complete. The
<B>SELINUX_RESTORECON_PROGRESS</B>
flag must also be set.
<P>
<B>SELINUX_RESTORECON_REALPATH</B>
convert passed-in
<I>pathname</I>
to the canonical pathname using
<B><A HREF="/cgi-bin/man/man2html?3+realpath">realpath</A></B>(3).
<P>
<B>SELINUX_RESTORECON_XDEV</B>
prevent descending into directories that have a different device number than
the
<I>pathname</I>
entry from which the descent began.
<P>
<B>SELINUX_RESTORECON_ADD_ASSOC</B>
attempt to add an association between an inode and a specification. If there
is already an association for the inode and it conflicts with the
specification, then use the last matching specification.
<P>
<B>SELINUX_RESTORECON_ABORT_ON_ERROR</B>
abort on errors during the file tree walk.
<P>
<B>SELINUX_RESTORECON_SYSLOG_CHANGES</B>
log any label changes to
<B><A HREF="/cgi-bin/man/man2html?3+syslog">syslog</A></B>(3).
<P>
<B>SELINUX_RESTORECON_LOG_MATCHES</B>
log what specfile context matched each file.
<P>
<B>SELINUX_RESTORECON_IGNORE_NOENTRY</B>
ignore files that do not exist.
<P>
<B>SELINUX_RESTORECON_IGNORE_MOUNTS</B>
do not read
<B>/proc/mounts</B>
to obtain a list of non-seclabel mounts to be excluded from relabeling checks.
<BR>
Setting
<B>SELINUX_RESTORECON_IGNORE_MOUNTS</B>
is useful where there is a non-seclabel fs mounted with a seclabel fs mounted
on a directory below this.
</DL>
<P>
The behavior regarding the checking and updating of the SHA1 digest described
above is the default behavior. It is possible to change this by first calling
<B><A HREF="/cgi-bin/man/man2html?3+selabel_open">selabel_open</A></B>(3)
and not enabling the
<B>SELABEL_OPT_DIGEST</B>
option, then calling
<B><A HREF="/cgi-bin/man/man2html?3+selinux_restorecon_set_sehandle">selinux_restorecon_set_sehandle</A></B>(3)
to set the handle to be used by
<B><A HREF="/cgi-bin/man/man2html?3+selinux_restorecon">selinux_restorecon</A></B>(3).
<P>
If the
<I>pathname</I>
is a directory path, then it is possible to set directories to be excluded
from the path by calling
<B><A HREF="/cgi-bin/man/man2html?3+selinux_restorecon_set_exclude_list">selinux_restorecon_set_exclude_list</A></B>(3)
with a
<B>NULL</B>
terminated list before calling
<B><A HREF="/cgi-bin/man/man2html?3+selinux_restorecon">selinux_restorecon</A></B>(3).
<P>
By default
<B><A HREF="/cgi-bin/man/man2html?3+selinux_restorecon">selinux_restorecon</A></B>(3)
reads
<B>/proc/mounts</B>
to obtain a list of non-seclabel mounts to be excluded from relabeling checks
unless the
<B>SELINUX_RESTORECON_IGNORE_MOUNTS</B>
flag has been set.
</DL>
<A NAME="lbAE">&nbsp;</A>
<H2>RETURN VALUE</H2>
On success, zero is returned. On error, -1 is returned and
<I>errno</I>
is set appropriately.
<A NAME="lbAF">&nbsp;</A>
<H2>NOTES</H2>
<DL COMPACT>
<DT id="5">1.<DD>
To improve performance when relabeling file systems recursively (e.g. the
<I>restorecon_flags</I>
<B>SELINUX_RESTORECON_RECURSE</B>
flag is set)
<B>selinux_restorecon</B>()
will write a calculated SHA1 digest of the specfile entries returned by
<B><A HREF="/cgi-bin/man/man2html?3+selabel_get_digests_all_partial_matches">selabel_get_digests_all_partial_matches</A></B>(3)
to an extended attribute named
<I>security.sehash</I>
for each directory in the
<I>pathname</I>
path.
<DT id="6">2.<DD>
To check the extended attribute entry use
<B><A HREF="/cgi-bin/man/man2html?1+getfattr">getfattr</A></B>(1)<B>,</B>
for example:
<P>
<DL COMPACT><DT id="7"><DD>
<DL COMPACT><DT id="8"><DD>
getfattr -e hex -n security.sehash /
</DL>
</DL>
<DT id="9">3.<DD>
Should any of the specfile entries have changed, then when
<B>selinux_restorecon</B>()
is run again with the
<B>SELINUX_RESTORECON_RECURSE</B>
flag set, new SHA1 digests will be calculated and all files automatically
relabeled depending on the settings of the
<B>SELINUX_RESTORECON_SET_SPECFILE_CTX</B>
flag (provided
<B>SELINUX_RESTORECON_NOCHANGE</B>
is not set).
<DT id="10">4.<DD>
<B>/sys</B>
and in-memory filesystems do not support the
<I>security.sehash</I>
extended attribute and are automatically excluded from any relabeling checks.
<DT id="11">5.<DD>
By default
<B>stderr</B>
is used to log output messages and errors. This may be changed by calling
<B><A HREF="/cgi-bin/man/man2html?3+selinux_set_callback">selinux_set_callback</A></B>(3)
with the
<B>SELINUX_CB_LOG</B>
<I>type</I>
option.
</DL>
<A NAME="lbAG">&nbsp;</A>
<H2>SEE ALSO</H2>
<B><A HREF="/cgi-bin/man/man2html?3+selabel_get_digests_all_partial_matches">selabel_get_digests_all_partial_matches</A></B>(3),
<BR>
<B><A HREF="/cgi-bin/man/man2html?3+selinux_restorecon_set_sehandle">selinux_restorecon_set_sehandle</A></B>(3),
<BR>
<B><A HREF="/cgi-bin/man/man2html?3+selinux_restorecon_default_handle">selinux_restorecon_default_handle</A></B>(3),
<BR>
<B><A HREF="/cgi-bin/man/man2html?3+selinux_restorecon_set_exclude_list">selinux_restorecon_set_exclude_list</A></B>(3),
<BR>
<B><A HREF="/cgi-bin/man/man2html?3+selinux_restorecon_set_alt_rootpath">selinux_restorecon_set_alt_rootpath</A></B>(3),
<BR>
<B><A HREF="/cgi-bin/man/man2html?3+selinux_restorecon_xattr">selinux_restorecon_xattr</A></B>(3),
<BR>
<B><A HREF="/cgi-bin/man/man2html?3+selinux_set_callback">selinux_set_callback</A></B>(3)
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="12"><A HREF="#lbAB">NAME</A><DD>
<DT id="13"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="14"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT id="15"><A HREF="#lbAE">RETURN VALUE</A><DD>
<DT id="16"><A HREF="#lbAF">NOTES</A><DD>
<DT id="17"><A HREF="#lbAG">SEE ALSO</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:05:56 GMT, March 31, 2021
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink