"selinux_restorecon_xattr" "3" "30 July 2016" "" "SELinux API documentation"
"NAME"
selinux_restorecon_xattr - manage default
security.restorecon_last extended attribute entries added by
selinux_restorecon (3), setfiles (8) or
restorecon (8).
"SYNOPSIS"
#include <selinux/restorecon.h> "int selinux_restorecon_xattr(const char *" pathname ,
"unsigned int " xattr_flags ,
"struct dir_xattr ***" xattr_list ");" .
"DESCRIPTION"
selinux_restorecon_xattr () returns a linked list of
dir_xattr structures containing information described below based on:
pathname containing a directory tree to be searched for
security.restorecon_last extended attribute entries.
xattr_flags contains options as follows:
SELINUX_RESTORECON_XATTR_RECURSE recursively descend directories.
SELINUX_RESTORECON_XATTR_DELETE_NONMATCH_DIGESTS delete non-matching digests from each directory in
pathname . SELINUX_RESTORECON_XATTR_DELETE_ALL_DIGESTS delete all digests from each directory in
pathname . SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS do not read
/proc/mounts to obtain a list of non-seclabel mounts to be excluded from the search.
Setting
SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS is useful where there is a non-seclabel fs mounted with a seclabel fs mounted
on a directory below this.
is the returned pointer to a linked list of
dir_xattr structures, each containing the following information:
struct dir_xattr {
char *directory;
char *digest; /* Printable hex encoded string */
enum digest_result result;
struct dir_xattr *next;
};
The
result entry is enumerated as follows:
enum digest_result {
MATCH = 0,
NOMATCH,
DELETED_MATCH,
DELETED_NOMATCH,
ERROR
};
must be set to
NULL before calling
selinux_restorecon_xattr (3). The caller is responsible for freeing the returned
xattr_list entries in the linked list.
See the
NOTES section for more information.
"RETURN VALUE"
On success, zero is returned. On error, -1 is returned and
errno is set appropriately.
"NOTES"
"1." 4
By default
selinux_restorecon_xattr (3) will use the default set of specfiles described in
files_contexts (5) to calculate the initial SHA1 digest to be used for comparison.
To change this default behavior
selabel_open (3) must be called specifying the required
SELABEL_OPT_PATH and setting the
SELABEL_OPT_DIGEST option to a non-NULL value.
selinux_restorecon_set_sehandle (3) is then called to set the handle to be used by
selinux_restorecon_xattr (3). "2." 4
By default
selinux_restorecon_xattr (3) reads
/proc/mounts to obtain a list of non-seclabel mounts to be excluded from searches unless the
SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS flag has been set.
"3." 4
RAMFS and
TMPFS filesystems do not support the
security.restorecon_last extended attribute and are automatically excluded from searches.
"4." 4
By default
stderr is used to log output messages and errors. This may be changed by calling
selinux_set_callback (3) with the
SELINUX_CB_LOG type option.
"SEE ALSO"
selinux_restorecon (3)
selinux_restorecon_set_sehandle (3),
selinux_restorecon_default_handle (3),
selinux_restorecon_set_exclude_list (3),
selinux_restorecon_set_alt_rootpath (3),
selinux_set_callback (3)