RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-04-06 17:47:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
02f302fc5b
selinux/libselinux/man/man3/selinux_restorecon.3
Ondrej Mosnacek 02f302fc5b selinux_restorecon: introduce selinux_restorecon_parallel(3) 
Refactor selinux_restorecon(3) to allow for distributing the relabeling
to multiple threads and add a new function
selinux_restorecon_parallel(3), which allows specifying the number of
threads to use. The existing selinux_restorecon(3) function maintains
the same interface and maintains the same behavior (i.e. relabeling is
done on a single thread).

The parallel implementation takes a simple approach of performing all
the directory tree traversal in a critical section and only letting the
relabeling of individual objects run in parallel. Thankfully, this
approach turns out to be efficient enough in practice, as shown by
restorecon benchmarks (detailed in a subsequent patch that switches
setfiles & restorecon to use selinux_restorecon_parallel(3)).

Note that to be able to use the parallelism, the calling application/
library must be explicitly linked to the libpthread library (statically
or dynamically). This is necessary to mantain the requirement that
libselinux shouldn't explicitly link with libpthread. (I don't know what
exactly was the reason behind this requirement as the commit logs are
fuzzy, but special care has been taken in the past to maintain it, so I
didn't want to break it...)

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2021-11-23 10:03:18 +01:00

289 lines
7.8 KiB
Groff
Raw Blame History

.TH "selinux_restorecon" "3" "20 Oct 2015" "Security Enhanced Linux" "SELinux API documentation"
.SH "NAME"
selinux_restorecon \- restore file(s) default SELinux security contexts
.
.SH "SYNOPSIS"
.B #include <selinux/restorecon.h>
.sp
.BI "int selinux_restorecon(const char *" pathname ,
.in +\w'int selinux_restorecon('u
.br
.BI "unsigned int " restorecon_flags ");"
.in
.sp
.BI "int selinux_restorecon_parallel(const char *" pathname ,
.in +\w'int selinux_restorecon_parallel('u
.br
.BI "unsigned int " restorecon_flags ","
.br
.BI "size_t " nthreads ");"
.in
.
.SH "DESCRIPTION"
.BR selinux_restorecon ()
restores file default security contexts on filesystems that support extended
attributes (see
.BR xattr (7)),
based on:
.sp
.RS
.IR pathname
containing a directory or file to be relabeled.
.br
If this is a directory and the
.IR restorecon_flags
.B SELINUX_RESTORECON_RECURSE
has been set (for descending through directories), then
.BR selinux_restorecon ()
will write an SHA1 digest of specfile entries calculated by
.BR selabel_get_digests_all_partial_matches (3)
to an extended attribute of
.IR security.sehash
once the relabeling has been completed successfully (see the
.B NOTES
section for details).
.br
These digests will be checked should
.BR selinux_restorecon ()
be rerun with the
.IR restorecon_flags
.B SELINUX_RESTORECON_RECURSE
flag set. If any of the specfile entries had been updated, the digest
will also be updated. However if the digest is the same, no relabeling checks
will take place.
.br
The
.IR restorecon_flags
that can be used to manage the usage of the SHA1 digest are:
.RS
.B SELINUX_RESTORECON_SKIP_DIGEST
.br
.B SELINUX_RESTORECON_IGNORE_DIGEST
.RE
.sp
.IR restorecon_flags
contains the labeling option/rules as follows:
.sp
.RS
.sp
.B SELINUX_RESTORECON_SKIP_DIGEST
Do not check or update any extended attribute
.IR security.sehash
entries.
.sp
.B SELINUX_RESTORECON_IGNORE_DIGEST
force the checking of labels even if the stored SHA1 digest matches the
specfile entries SHA1 digest. The specfile entries digest will be written to the
.IR security.sehash
extended attribute once relabeling has been completed successfully provided the
.B SELINUX_RESTORECON_NOCHANGE
flag has not been set.
.sp
.B SELINUX_RESTORECON_NOCHANGE
don't change any file labels (passive check) or update the digest in the
.IR security.sehash
extended attribute.
.sp
.B SELINUX_RESTORECON_SET_SPECFILE_CTX
If set, reset the files label to match the default specfile context.
If not set only reset the files "type" component of the context to match the
default specfile context.
.sp
.B SELINUX_RESTORECON_RECURSE
change file and directory labels recursively (descend directories)
and if successful write an SHA1 digest of the specfile entries to an
extended attribute as described in the
.B NOTES
section.
.sp
.B SELINUX_RESTORECON_VERBOSE
log file label changes.
.RS
Note that if
.B SELINUX_RESTORECON_VERBOSE
and
.B SELINUX_RESTORECON_PROGRESS
flags are set, then
.B SELINUX_RESTORECON_PROGRESS
will take precedence.
.RE
.sp
.B SELINUX_RESTORECON_PROGRESS
show progress by outputting the number of files in 1k blocks processed
to stdout. If the
.B SELINUX_RESTORECON_MASS_RELABEL
flag is also set then the approximate percentage complete will be shown.
.sp
.B SELINUX_RESTORECON_MASS_RELABEL
generally set when relabeling the entire OS, that will then show the
approximate percentage complete. The
.B SELINUX_RESTORECON_PROGRESS
flag must also be set.
.sp
.B SELINUX_RESTORECON_REALPATH
convert passed-in
.I pathname
to the canonical pathname using
.BR realpath (3).
.sp
.B SELINUX_RESTORECON_XDEV
prevent descending into directories that have a different device number than
the
.I pathname
entry from which the descent began.
.sp
.B SELINUX_RESTORECON_ADD_ASSOC
attempt to add an association between an inode and a specification. If there
is already an association for the inode and it conflicts with the
specification, then use the last matching specification.
.sp
.B SELINUX_RESTORECON_ABORT_ON_ERROR
abort on errors during the file tree walk.
.sp
.B SELINUX_RESTORECON_SYSLOG_CHANGES
log any label changes to
.BR syslog (3).
.sp
.B SELINUX_RESTORECON_LOG_MATCHES
log what specfile context matched each file.
.sp
.B SELINUX_RESTORECON_IGNORE_NOENTRY
ignore files that do not exist.
.sp
.B SELINUX_RESTORECON_IGNORE_MOUNTS
do not read
.B /proc/mounts
to obtain a list of non-seclabel mounts to be excluded from relabeling checks.
.br
Setting
.B SELINUX_RESTORECON_IGNORE_MOUNTS
is useful where there is a non-seclabel fs mounted with a seclabel fs mounted
on a directory below this.
.sp
.B SELINUX_RESTORECON_CONFLICT_ERROR
to treat conflicting specifications, such as where two hardlinks for the
same inode have different contexts, as errors.
.RE
.sp
The behavior regarding the checking and updating of the SHA1 digest described
above is the default behavior. It is possible to change this by first calling
.BR selabel_open (3)
and not enabling the
.B SELABEL_OPT_DIGEST
option, then calling
.BR selinux_restorecon_set_sehandle (3)
to set the handle to be used by
.BR selinux_restorecon (3).
.sp
If the
.I pathname
is a directory path, then it is possible to set directories to be excluded
from the path by calling
.BR selinux_restorecon_set_exclude_list (3)
with a
.B NULL
terminated list before calling
.BR selinux_restorecon (3).
.sp
By default
.BR selinux_restorecon (3)
reads
.B /proc/mounts
to obtain a list of non-seclabel mounts to be excluded from relabeling checks
unless the
.B SELINUX_RESTORECON_IGNORE_MOUNTS
flag has been set.
.RE
.sp
.BR selinux_restorecon_parallel()
is similar to
.BR selinux_restorecon (3),
but accepts another parameter that allows to run relabeling over multiple
threads:
.sp
.RS
.IR nthreads
specifies the number of threads to use during relabeling. When set to 1,
the behavior is the same as calling
.BR selinux_restorecon (3).
When set to 0, the function will try to use as many threads as there are
online CPU cores. When set to any other number, the function will try to use
the given number of threads.
.sp
Note that to use the parallel relabeling capability, the calling process
must be linked with the
.B libpthread
library (either at compile time or dynamically at run time). Otherwise the
function will print a warning and fall back to the single threaded mode.
.
.SH "RETURN VALUE"
On success, zero is returned. On error, \-1 is returned and
.I errno
is set appropriately.
.
.SH "NOTES"
.IP "1." 4
To improve performance when relabeling file systems recursively (e.g. the
.IR restorecon_flags
.B SELINUX_RESTORECON_RECURSE
flag is set)
.BR selinux_restorecon ()
will write a calculated SHA1 digest of the specfile entries returned by
.BR selabel_get_digests_all_partial_matches (3)
to an extended attribute named
.IR security.sehash
for each directory in the
.IR pathname
path.
.IP "2." 4
To check the extended attribute entry use
.BR getfattr (1) ,
for example:
.sp
.RS
.RS
getfattr -e hex -n security.sehash /
.RE
.RE
.IP "3." 4
Should any of the specfile entries have changed, then when
.BR selinux_restorecon ()
is run again with the
.B SELINUX_RESTORECON_RECURSE
flag set, new SHA1 digests will be calculated and all files automatically
relabeled depending on the settings of the
.B SELINUX_RESTORECON_SET_SPECFILE_CTX
flag (provided
.B SELINUX_RESTORECON_NOCHANGE
is not set).
.IP "4." 4
.B /sys
and in-memory filesystems do not support the
.IR security.sehash
extended attribute and are automatically excluded from any relabeling checks.
.IP "5." 4
By default
.B stderr
is used to log output messages and errors. This may be changed by calling
.BR selinux_set_callback (3)
with the
.B SELINUX_CB_LOG
.I type
option.
.
.SH "SEE ALSO"
.BR selabel_get_digests_all_partial_matches (3),
.br
.BR selinux_restorecon_set_sehandle (3),
.br
.BR selinux_restorecon_default_handle (3),
.br
.BR selinux_restorecon_set_exclude_list (3),
.br
.BR selinux_restorecon_set_alt_rootpath (3),
.br
.BR selinux_restorecon_xattr (3),
.br
.BR selinux_set_callback (3)
Reference in New Issue View Git Blame Copy Permalink