selinux_restorecon_xattr(3) SELinux API documentation selinux_restorecon_xattr(3)

selinux_restorecon_xattr - manage default security.restorecon_last extended attribute entries added by selinux_restorecon(3), setfiles(8) or restorecon(8).

#include <selinux/restorecon.h>

int selinux_restorecon_xattr(const char *pathname,
                             unsigned int xattr_flags,
                             struct dir_xattr ***xattr_list);

selinux_restorecon_xattr() returns, via xattr_list, a linked list of dir_xattr structures describing the security.restorecon_last entries found, based on:

pathname containing a directory tree to be searched for security.restorecon_last extended attribute entries.

xattr_flags contains options as follows:

SELINUX_RESTORECON_XATTR_RECURSE recursively descend directories.

SELINUX_RESTORECON_XATTR_DELETE_NONMATCH_DIGESTS delete non-matching digests from each directory in pathname.

SELINUX_RESTORECON_XATTR_DELETE_ALL_DIGESTS delete all digests from each directory in pathname.

SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS do not read /proc/mounts to obtain a list of non-seclabel mounts to be excluded from the search.
Setting SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS is useful where there is a non-seclabel fs mounted with a seclabel fs mounted on a directory below this.

xattr_list is the returned pointer to a linked list of dir_xattr structures, each containing the following information:

struct dir_xattr {
	char *directory;
	char *digest;    /* Printable hex encoded string */
	enum digest_result result;
	struct dir_xattr *next;
};

The result entry is enumerated as follows:

enum digest_result {
	MATCH = 0,
	NOMATCH,
	DELETED_MATCH,
	DELETED_NOMATCH,
	ERROR
};

xattr_list must be set to NULL before calling selinux_restorecon_xattr(3). The caller is responsible for freeing the returned xattr_list entries in the linked list.

See the NOTES section for more information.

On success, zero is returned. On error, -1 is returned and errno is set appropriately.

1. By default selinux_restorecon_xattr(3) will use the default set of specfiles described in file_contexts(5) to calculate the initial SHA1 digest to be used for comparison. To change this default behavior selabel_open(3) must be called specifying the required SELABEL_OPT_PATH and setting the SELABEL_OPT_DIGEST option to a non-NULL value. selinux_restorecon_set_sehandle(3) is then called to set the handle to be used by selinux_restorecon_xattr(3).
2. By default selinux_restorecon_xattr(3) reads /proc/mounts to obtain a list of non-seclabel mounts to be excluded from searches unless the SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS flag has been set.
3. RAMFS and TMPFS filesystems do not support the security.restorecon_last extended attribute and are automatically excluded from searches.
4. By default stderr is used to log output messages and errors. This may be changed by calling selinux_set_callback(3) with the SELINUX_CB_LOG type option.

selinux_restorecon(3),
selinux_restorecon_set_sehandle(3),
selinux_restorecon_default_handle(3),
selinux_restorecon_set_exclude_list(3),
selinux_restorecon_set_alt_rootpath(3),
selinux_set_callback(3)

30 July 2016