selinux_restorecon_xattr(3) — Linux manual page

selinux_...on_xattr(3)  SELinux API documentation  selinux_...on_xattr(3)

NAME         top

       selinux_restorecon_xattr - manage default security.sehash extended
       attribute entries added by selinux_restorecon(3), setfiles(8) or
       restorecon(8).

SYNOPSIS         top

       #include <selinux/restorecon.h>

       int selinux_restorecon_xattr(const char *pathname,
                              unsigned int xattr_flags,
                              struct dir_xattr ***xattr_list);

DESCRIPTION         top

       selinux_restorecon_xattr() returns a linked list of dir_xattr
       structures containing information described below based on:

              pathname containing a directory tree to be searched for
              security.sehash extended attribute entries.

              xattr_flags contains options as follows:

                     SELINUX_RESTORECON_XATTR_RECURSE recursively descend
                     directories.

                     SELINUX_RESTORECON_XATTR_DELETE_NONMATCH_DIGESTS
                     delete non-matching digests from each directory in
                     pathname.

                     SELINUX_RESTORECON_XATTR_DELETE_ALL_DIGESTS delete
                     all digests from each directory in pathname.

                     SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS do not read
                     /proc/mounts to obtain a list of non-seclabel mounts
                     to be excluded from the search.
                     Setting SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS is
                     useful where there is a non-seclabel fs mounted with
                     a seclabel fs mounted on a directory below this.

              xattr_list is the returned pointer to a linked list of
              dir_xattr structures, each containing the following
              information:

                     struct dir_xattr {
                         char *directory;
                         char *digest;    /* Printable hex encoded string */
                         enum digest_result result;
                         struct dir_xattr *next;
                     };

              The result entry is enumerated as follows:
                     enum digest_result {
                         MATCH = 0,
                         NOMATCH,
                         DELETED_MATCH,
                         DELETED_NOMATCH,
                         ERROR
                     };

              xattr_list must be set to NULL before calling
              selinux_restorecon_xattr(3).  The caller is responsible for
              freeing the returned xattr_list entries in the linked list.

       See the NOTES section for more information.

RETURN VALUE         top

       On success, zero is returned.  On error, -1 is returned and errno
       is set appropriately.

NOTES         top

       1.  By default selinux_restorecon_xattr(3) will use the default
           set of specfiles described in files_contexts(5) to calculate
           the SHA1 digests to be used for comparison.  To change this
           default behavior selabel_open(3) must be called specifying the
           required SELABEL_OPT_PATH and setting the SELABEL_OPT_DIGEST
           option to a non-NULL value.
           selinux_restorecon_set_sehandle(3) is then called to set the
           handle to be used by selinux_restorecon_xattr(3).

       2.  By default selinux_restorecon_xattr(3) reads /proc/mounts to
           obtain a list of non-seclabel mounts to be excluded from
           searches unless the SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS
           flag has been set.

       3.  RAMFS and TMPFS filesystems do not support the security.sehash
           extended attribute and are automatically excluded from
           searches.

       4.  By default stderr is used to log output messages and errors.
           This may be changed by calling selinux_set_callback(3) with
           the SELINUX_CB_LOG type option.

SEE ALSO         top

       selinux_restorecon(3)
       selinux_restorecon_set_sehandle(3),
       selinux_restorecon_default_handle(3),
       selinux_restorecon_set_exclude_list(3),
       selinux_restorecon_set_alt_rootpath(3),
       selinux_set_callback(3)

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-
       space libraries and tools) project.  Information about the project
       can be found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩.
       If you have a bug report for this manual page, see
       ⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩.
       This page was obtained from the project's upstream Git repository
       ⟨https://github.com/SELinuxProject/selinux⟩ on 2025-08-11.  (At
       that time, the date of the most recent commit that was found in
       the repository was 2025-08-04.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there is
       a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       [email protected]

                               30 July 2016        selinux_...on_xattr(3)

Pages that refer to this page: selinux_restorecon(3),  selinux_restorecon_default_handle(3),  selinux_restorecon_set_alt_rootpath(3),  selinux_restorecon_set_exclude_list(3),  selinux_restorecon_set_sehandle(3),  selinux_restorecon_xattr(3)

HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH.