restorecon_flags contains the labeling option/rules as follows:
SELINUX_RESTORECON_SKIP_DIGEST Do not check or update any extended attribute security.sehash entries.
SELINUX_RESTORECON_IGNORE_DIGEST force the checking of labels even if the stored SHA1 digest matches the specfile entries SHA1 digest. The specfile entries digest will be written to the security.sehash extended attribute once relabeling has been completed successfully provided the SELINUX_RESTORECON_NOCHANGE flag has not been set.
SELINUX_RESTORECON_NOCHANGE don't change any file labels (passive check) or update the digest in the security.sehash extended attribute.
SELINUX_RESTORECON_SET_SPECFILE_CTX If set, reset the files label to match the default specfile context. If not set only reset the files "type" component of the context to match the default specfile context.
SELINUX_RESTORECON_RECURSE change file and directory labels recursively (descend directories) and if successful write an SHA1 digest of the specfile entries to an extended attribute as described in the NOTES section.
SELINUX_RESTORECON_VERBOSE log file label changes.
SELINUX_RESTORECON_PROGRESS show progress by outputting the number of files in 1k blocks processed to stdout. If the SELINUX_RESTORECON_MASS_RELABEL flag is also set then the approximate percentage complete will be shown.
SELINUX_RESTORECON_MASS_RELABEL generally set when relabeling the entire OS, that will then show the approximate percentage complete. The SELINUX_RESTORECON_PROGRESS flag must also be set.
SELINUX_RESTORECON_REALPATH convert passed-in pathname to the canonical pathname using realpath(3).
SELINUX_RESTORECON_XDEV prevent descending into directories that have a different device number than the pathname entry from which the descent began.
SELINUX_RESTORECON_ADD_ASSOC attempt to add an association between an inode and a specification. If there is already an association for the inode and it conflicts with the specification, then use the last matching specification.
SELINUX_RESTORECON_ABORT_ON_ERROR abort on errors during the file tree walk.
SELINUX_RESTORECON_SYSLOG_CHANGES log any label changes to syslog(3).
SELINUX_RESTORECON_LOG_MATCHES log what specfile context matched each file.
SELINUX_RESTORECON_IGNORE_NOENTRY ignore files that do not exist.
do not read
to obtain a list of non-seclabel mounts to be excluded from relabeling checks.
Setting SELINUX_RESTORECON_IGNORE_MOUNTS is useful where there is a non-seclabel fs mounted with a seclabel fs mounted on a directory below this.
SELINUX_RESTORECON_CONFLICT_ERROR to treat conflicting specifications, such as where two hardlinks for the same inode have different contexts, as errors.
The behavior regarding the checking and updating of the SHA1 digest described above is the default behavior. It is possible to change this by first calling selabel_open(3) and not enabling the SELABEL_OPT_DIGEST option, then calling selinux_restorecon_set_sehandle(3) to set the handle to be used by selinux_restorecon(3).
If the pathname is a directory path, then it is possible to set directories to be excluded from the path by calling selinux_restorecon_set_exclude_list(3) with a NULL terminated list before calling selinux_restorecon(3).
By default selinux_restorecon(3) reads /proc/mounts to obtain a list of non-seclabel mounts to be excluded from relabeling checks unless the SELINUX_RESTORECON_IGNORE_MOUNTS flag has been set.