selinux_restorecon(3)      SELinux API documentation      selinux_restorecon(3)

NAME
       selinux_restorecon - restore file(s) default SELinux security contexts

SYNOPSIS
       #include <selinux/restorecon.h>

       int selinux_restorecon(const char *pathname,
                              unsigned int restorecon_flags);

       int selinux_restorecon_parallel(const char *pathname,
                                       unsigned int restorecon_flags,
                                       size_t nthreads);

DESCRIPTION
       selinux_restorecon() restores file default security contexts on
       filesystems that support extended attributes (see xattr(7)), based on:

              pathname containing a directory or file to be relabeled.
              If this is a directory and the restorecon_flags
              SELINUX_RESTORECON_RECURSE has been set (for descending
              through directories), then selinux_restorecon() will write an
              SHA1 digest of specfile entries calculated by
              selabel_get_digests_all_partial_matches(3) to an extended
              attribute of security.sehash once the relabeling has been
              completed successfully (see the NOTES section for details).
              These digests will be checked should selinux_restorecon() be
              rerun with the restorecon_flags SELINUX_RESTORECON_RECURSE
              flag set. If any of the specfile entries had been updated, the
              digest will also be updated. However if the digest is the
              same, no relabeling checks will take place.

              The restorecon_flags that can be used to manage the usage of
              the SHA1 digest are:
                     SELINUX_RESTORECON_SKIP_DIGEST
                     SELINUX_RESTORECON_IGNORE_DIGEST

              restorecon_flags contains the labeling option/rules as
              follows:

              SELINUX_RESTORECON_SKIP_DIGEST
                     Do not check or update any extended attribute
                     security.sehash entries.

              SELINUX_RESTORECON_IGNORE_DIGEST
                     force the checking of labels even if the stored SHA1
                     digest matches the specfile entries SHA1 digest. The
                     specfile entries digest will be written to the
                     security.sehash extended attribute once relabeling has
                     been completed successfully provided the
                     SELINUX_RESTORECON_NOCHANGE flag has not been set, and
                     no errors have been skipped during the file tree walk
                     due to the SELINUX_RESTORECON_COUNT_ERRORS flag.

              SELINUX_RESTORECON_NOCHANGE
                     don't change any file labels (passive check) or update
                     the digest in the security.sehash extended attribute.

              SELINUX_RESTORECON_SET_SPECFILE_CTX
                     If set, reset the file's label to match the default
                     specfile context. If not set, only reset the file's
                     "type" component of the context to match the default
                     specfile context.

              SELINUX_RESTORECON_RECURSE
                     change file and directory labels recursively (descend
                     directories) and if successful write an SHA1 digest of
                     the specfile entries to an extended attribute as
                     described in the NOTES section.

              SELINUX_RESTORECON_VERBOSE
                     log file label changes.
                     Note that if SELINUX_RESTORECON_VERBOSE and
                     SELINUX_RESTORECON_PROGRESS flags are set, then
                     SELINUX_RESTORECON_PROGRESS will take precedence.

              SELINUX_RESTORECON_PROGRESS
                     show progress by outputting the number of files in 1k
                     blocks processed to stdout. If the
                     SELINUX_RESTORECON_MASS_RELABEL flag is also set then
                     the approximate percentage complete will be shown.

              SELINUX_RESTORECON_MASS_RELABEL
                     generally set when relabeling the entire OS, that will
                     then show the approximate percentage complete. The
                     SELINUX_RESTORECON_PROGRESS flag must also be set.

              SELINUX_RESTORECON_REALPATH
                     convert passed-in pathname to the canonical pathname
                     using realpath(3).

              SELINUX_RESTORECON_XDEV
                     prevent descending into directories that have a
                     different device number than the pathname entry from
                     which the descent began.

              SELINUX_RESTORECON_ADD_ASSOC
                     attempt to add an association between an inode and a
                     specification. If there is already an association for
                     the inode and it conflicts with the specification, then
                     use the last matching specification.

              SELINUX_RESTORECON_ABORT_ON_ERROR
                     abort on errors during the file tree walk.

              SELINUX_RESTORECON_SYSLOG_CHANGES
                     log any label changes to syslog(3).

              SELINUX_RESTORECON_LOG_MATCHES
                     log what specfile context matched each file.

              SELINUX_RESTORECON_IGNORE_NOENTRY
                     ignore files that do not exist.

              SELINUX_RESTORECON_IGNORE_MOUNTS
                     do not read /proc/mounts to obtain a list of
                     non-seclabel mounts to be excluded from relabeling
                     checks.
                     Setting SELINUX_RESTORECON_IGNORE_MOUNTS is useful
                     where there is a non-seclabel fs mounted with a
                     seclabel fs mounted on a directory below this.

              SELINUX_RESTORECON_CONFLICT_ERROR
                     treat conflicting specifications, such as where two
                     hardlinks for the same inode have different contexts,
                     as errors.

              SELINUX_RESTORECON_COUNT_ERRORS
                     Count, but otherwise ignore, errors during the file
                     tree walk. Only makes a difference if the
                     SELINUX_RESTORECON_ABORT_ON_ERROR flag is clear. Call
                     selinux_restorecon_get_skipped_errors(3) for fetching
                     the ignored (skipped) error count after
                     selinux_restorecon(3) or selinux_restorecon_parallel(3)
                     completes with success. In case any errors were skipped
                     during the file tree walk, the specfile entries SHA1
                     digest will not have been written to the
                     security.sehash extended attribute.

              The behavior regarding the checking and updating of the SHA1
              digest described above is the default behavior. It is possible
              to change this by first calling selabel_open(3) and not
              enabling the SELABEL_OPT_DIGEST option, then calling
              selinux_restorecon_set_sehandle(3) to set the handle to be
              used by selinux_restorecon(3).

              If the pathname is a directory path, then it is possible to
              set directories to be excluded from the path by calling
              selinux_restorecon_set_exclude_list(3) with a NULL-terminated
              list before calling selinux_restorecon(3).

              By default selinux_restorecon(3) reads /proc/mounts to obtain
              a list of non-seclabel mounts to be excluded from relabeling
              checks unless the SELINUX_RESTORECON_IGNORE_MOUNTS flag has
              been set.

       selinux_restorecon_parallel() is similar to selinux_restorecon(3),
       but accepts another parameter that allows relabeling to run over
       multiple threads:

              nthreads specifies the number of threads to use during
              relabeling. When set to 1, the behavior is the same as calling
              selinux_restorecon(3). When set to 0, the function will try to
              use as many threads as there are online CPU cores. When set to
              any other number, the function will try to use the given
              number of threads.

              Note that to use the parallel relabeling capability, the
              calling process must be linked with the libpthread library
              (either at compile time or dynamically at run time). Otherwise
              the function will print a warning and fall back to the single
              threaded mode.

RETURN VALUE
       On success, zero is returned. On error, -1 is returned and errno is
       set appropriately.

NOTES
       1.  To improve performance when relabeling file systems recursively
           (e.g. the restorecon_flags SELINUX_RESTORECON_RECURSE flag is
           set) selinux_restorecon() will write a calculated SHA1 digest of
           the specfile entries returned by
           selabel_get_digests_all_partial_matches(3) to an extended
           attribute named security.sehash for each directory in the
           pathname path.

       2.  To check the extended attribute entry use getfattr(1), for
           example:

                  getfattr -e hex -n security.sehash /

       3.  Should any of the specfile entries have changed, then when
           selinux_restorecon() is run again with the
           SELINUX_RESTORECON_RECURSE flag set, new SHA1 digests will be
           calculated and all files automatically relabeled depending on the
           settings of the SELINUX_RESTORECON_SET_SPECFILE_CTX flag
           (provided SELINUX_RESTORECON_NOCHANGE is not set).

       4.  /sys and in-memory filesystems do not support the security.sehash
           extended attribute and are automatically excluded from any
           relabeling checks.

       5.  By default stderr is used to log output messages and errors. This
           may be changed by calling selinux_set_callback(3) with the
           SELINUX_CB_LOG type option.
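
       The getfattr(1) check from note 2 can also be done from C. This is an
       added example, not part of the original manual page or of libselinux:
       it reads security.sehash with getxattr(2) and treats a missing
       attribute or an unsupported filesystem (note 4) as "no digest". The
       names SEHASH_XATTR, SHA1_LEN, sehash_status, to_hex and read_sehash
       are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define SEHASH_XATTR "security.sehash"
#define SHA1_LEN 20                 /* a SHA1 digest is 20 bytes */

/* Hypothetical result codes for this example. */
enum sehash_status { SEHASH_PRESENT = 0, SEHASH_ABSENT = 1, SEHASH_ERROR = -1 };

/* Format len bytes as lowercase hex; out must hold 2 * len + 1 bytes. */
static void to_hex(const unsigned char *in, size_t len, char *out)
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < len; i++) {
        out[2 * i] = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * len] = '\0';
}

/* Read the digest stored on dir into hex (2 * SHA1_LEN + 1 bytes). */
static enum sehash_status read_sehash(const char *dir, char *hex)
{
    unsigned char buf[SHA1_LEN];
    ssize_t n = getxattr(dir, SEHASH_XATTR, buf, sizeof(buf));

    if (n == SHA1_LEN) {
        to_hex(buf, SHA1_LEN, hex);
        return SEHASH_PRESENT;
    }
    /* ENODATA: no digest stored. ENOTSUP: no xattr support (note 4). */
    if (n < 0 && (errno == ENODATA || errno == ENOTSUP))
        return SEHASH_ABSENT;
    if (n >= 0)
        errno = EINVAL;             /* value is not SHA1-sized */
    return SEHASH_ERROR;
}

int main(int argc, char **argv)
{
    char hex[2 * SHA1_LEN + 1];
    const char *dir = argc > 1 ? argv[1] : "/";
    enum sehash_status st = read_sehash(dir, hex);

    if (st == SEHASH_ERROR) { perror(dir); return 1; }
    printf("%s: %s\n", dir, st == SEHASH_PRESENT ? hex : "no digest stored");
    return 0;
}
```

       A directory that reports a digest is one where a later recursive run
       skips label checks if the specfile digest still matches, unless
       SELINUX_RESTORECON_IGNORE_DIGEST is set.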

SEE ALSO
       selabel_get_digests_all_partial_matches(3),
       selinux_restorecon_set_sehandle(3),
       selinux_restorecon_default_handle(3),
       selinux_restorecon_get_skipped_errors(3),
       selinux_restorecon_set_exclude_list(3),
       selinux_restorecon_set_alt_rootpath(3),
       selinux_restorecon_xattr(3), selinux_set_callback(3)

COLOPHON
       This page is part of the selinux (Security-Enhanced Linux user-space
       libraries and tools) project. Information about the project can be
       found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩. If you
       have a bug report for this manual page, see
       ⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩. This
       page was obtained from the project's upstream Git repository
       ⟨https://github.com/SELinuxProject/selinux⟩ on 2025-08-11. (At that
       time, the date of the most recent commit that was found in the
       repository was 2025-08-04.) If you discover any rendering problems in
       this HTML version of the page, or you believe there is a better or
       more up-to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not part
       of the original manual page), send a mail to man-pages@man7.org

Security Enhanced Linux          20 Oct 2015          selinux_restorecon(3)

HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface.