NAME
       selinux_restorecon_xattr - manage default security.sehash extended
       attribute entries added by selinux_restorecon(3), setfiles(8) or
       restorecon(8).

SYNOPSIS
       #include <selinux/restorecon.h>

DESCRIPTION
       selinux_restorecon_xattr() returns a linked list of dir_xattr
       structures containing information described below based on:

       pathname
              containing a directory tree to be searched for
              security.sehash extended attribute entries.

       xattr_flags
              contains options as follows:

              SELINUX_RESTORECON_XATTR_RECURSE
                     recursively descend directories.

              SELINUX_RESTORECON_XATTR_DELETE_NONMATCH_DIGESTS
                     delete non-matching digests from each directory in
                     pathname.

              SELINUX_RESTORECON_XATTR_DELETE_ALL_DIGESTS
                     delete all digests from each directory in pathname.

              SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS
                     do not read /proc/mounts to obtain a list of
                     non-seclabel mounts to be excluded from the search.
                     Setting SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS is
                     useful where there is a non-seclabel fs mounted with
                     a seclabel fs mounted on a directory below this.

       xattr_list
              is the returned pointer to a linked list of dir_xattr
              structures, each containing the following information:

                  struct dir_xattr {
                      char *directory;
                      char *digest;      /* Printable hex encoded string */
                      enum digest_result result;
                      struct dir_xattr *next;
                  };

              The result entry is enumerated as follows:

                  enum digest_result {
                      MATCH = 0,
                      NOMATCH,
                      DELETED_MATCH,
                      DELETED_NOMATCH,
                      ERROR
                  };

              xattr_list must be set to NULL before calling
              selinux_restorecon_xattr(). The caller is responsible for
              freeing the returned xattr_list entries in the linked list.
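The following is an added example, not code from the libselinux man page or project. It shows the caller-side handling the DESCRIPTION leaves implicit: walking the returned dir_xattr list, tallying each digest_result, and freeing every node (the page says the caller must free the entries). The struct and enum are copied from the page; the USE_LIBSELINUX macro, the directory names and the hex digests are constructed for the example. The prototype used under USE_LIBSELINUX, int selinux_restorecon_xattr(const char *, unsigned int, struct dir_xattr ***), is taken from <selinux/restorecon.h> and is not shown in the page's SYNOPSIS, so treat it as an assumption to check against your header.

```c
/* Added example (not from the man page): walk, tally and free the dir_xattr
 * list. Build with -DUSE_LIBSELINUX -lselinux to query a real tree; without
 * it, the page's struct/enum are declared inline and a constructed list
 * stands in for the library result so the walk/free logic runs anywhere. */
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef USE_LIBSELINUX
#include <selinux/restorecon.h>
#else
/* As printed on the page; normally provided by <selinux/restorecon.h>. */
enum digest_result { MATCH = 0, NOMATCH, DELETED_MATCH, DELETED_NOMATCH, ERROR };
struct dir_xattr {
    char *directory;
    char *digest;               /* Printable hex encoded string */
    enum digest_result result;
    struct dir_xattr *next;
};
#endif

/* Per-result counters, indexed by enum digest_result, plus the list length. */
struct xattr_summary { int count[ERROR + 1]; int total; };

/* Walk the list without freeing it and count each digest_result bucket;
 * a value outside the enum is counted in total only. */
struct xattr_summary summarize_xattr_list(const struct dir_xattr *list)
{
    struct xattr_summary s;
    memset(&s, 0, sizeof(s));
    for (const struct dir_xattr *e = list; e; e = e->next) {
        if ((unsigned)e->result <= ERROR)
            s.count[e->result]++;
        s.total++;
    }
    return s;
}

/* Free every node and the two strings it owns; returns the number freed. */
int free_xattr_list(struct dir_xattr *list)
{
    int n = 0;
    while (list) {
        struct dir_xattr *next = list->next;
        free(list->directory);
        free(list->digest);
        free(list);
        list = next;
        n++;
    }
    return n;
}

#ifndef USE_LIBSELINUX
/* Constructed stand-in for the library's list: made-up SHA1-sized hex digests. */
static struct dir_xattr *push(struct dir_xattr *head, const char *dir,
                              const char *digest, enum digest_result r)
{
    struct dir_xattr *e = calloc(1, sizeof(*e));
    if (!e) abort();
    e->directory = strdup(dir);
    e->digest = digest ? strdup(digest) : NULL;
    e->result = r;
    e->next = head;
    return e;
}

struct dir_xattr *build_sample_list(void)
{
    struct dir_xattr *head = NULL;
    head = push(head, "/opt/broken", NULL, ERROR);
    head = push(head, "/var/lib/app", "ffffffffffffffffffffffffffffffffffffffff", DELETED_NOMATCH);
    head = push(head, "/usr/local", "89abcdef0123456789abcdef0123456789abcdef", NOMATCH);
    head = push(head, "/usr/share", "0123456789abcdef0123456789abcdef01234567", MATCH);
    return head;
}
#endif

int main(int argc, char **argv)
{
    struct dir_xattr *list;
#ifdef USE_LIBSELINUX
    /* Prototype from <selinux/restorecon.h> (the page's SYNOPSIS omits it);
     * the list pointer must be NULL before the call; recurse, delete nothing. */
    struct dir_xattr **xattr_list = NULL;
    if (selinux_restorecon_xattr(argc > 1 ? argv[1] : "/",
                                 SELINUX_RESTORECON_XATTR_RECURSE, &xattr_list) < 0) {
        perror("selinux_restorecon_xattr");
        return 1;
    }
    list = xattr_list ? *xattr_list : NULL;
#else
    list = build_sample_list();
#endif
    struct xattr_summary s = summarize_xattr_list(list);
    for (const struct dir_xattr *e = list; e; e = e->next)
        printf("result=%d %s %s\n", (int)e->result, e->directory,
               e->digest ? e->digest : "(no digest)");
    printf("%d dirs: %d match, %d nomatch, %d error\n", s.total, s.count[MATCH], s.count[NOMATCH], s.count[ERROR]);
    free_xattr_list(list);
    return (s.count[NOMATCH] || s.count[ERROR]) ? 2 : 0;  /* non-zero: a stored digest disagrees */
}
```

A NOMATCH entry means the security.sehash digest stored on that directory no longer agrees with the digest computed from the current specfiles, which is the signal that a relabel of that subtree is pending; the example exits non-zero in that case so it can be used as a check in a script. Note that the library's free routine is not documented on the page, so the example frees the two strings and the node itself, which matches what the DESCRIPTION says the caller owns.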
RETURN VALUE
       On success, zero is returned. On error, -1 is returned and errno is
       set appropriately.

NOTES
       1. By default selinux_restorecon_xattr() will use the default set of
          specfiles described in file_contexts(5) to calculate the SHA1
          digests to be used for comparison. To change this default
          behavior selabel_open(3) must be called specifying the required
          SELABEL_OPT_PATH and setting the SELABEL_OPT_DIGEST option to a
          non-NULL value. selinux_restorecon_set_sehandle(3) is then called
          to set the handle to be used by selinux_restorecon_xattr().

       2. By default selinux_restorecon_xattr() reads /proc/mounts to
          obtain a list of non-seclabel mounts to be excluded from searches
          unless the SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS flag has been
          set.

       3. RAMFS and TMPFS filesystems do not support the security.sehash
          extended attribute and are automatically excluded from searches.

       4. By default stderr is used to log output messages and errors. This
          may be changed by calling selinux_set_callback(3) with the
          SELINUX_CB_LOG type option.
SEE ALSO
       selinux_restorecon(3)

30 July 2016