removing context

David P. Quigley dpquigl at tycho.nsa.gov
Wed Jul 8 19:34:54 UTC 2009


On Wed, 2009-07-08 at 12:27 -0700, Brian Krusic wrote:
> On Jul 8, 2009, at 12:19 PM, Mike Cloaked wrote:
> 
> >
> >
> >
> > Brian Krusic wrote:
> >>
> >> Hi,
> >>
> >> When doing an ls -lZ, some files show a security context like;
> >>
> >> root:object_r:user_home_t:s0
> >>
> >> ... while some don't.
> >>
> >> Does anyone know how to remove this context either on a file, dir or
> >> file system level?
> >>
> >>
> >
> > Why do you want to remove them - if selinux is enforcing (as it should be in
> > an up to date version of Fedora) then all files should have a context and
> > your best security is when selinux is set up correctly to work with your
> > system.  In F10 selinux did have a number of tweaks needed to get it going
> > but in F11 it is likely to need very few tweaks.
> 
> I'm glad you asked the question.
> 
> I have selinux disabled first and foremost.
> 
> However the context labels still exist on some files which cause a  
> problem doing dump/restore over NFS.
> 
> Let me explain;
> 
> While dump/restore works over NFS in general, they don't work with  
> selinux context so I keep getting errors like;
> 
> restore: ./etc/ysyconfig/network-scripts/ifcfg-eth0: EA set  
> security.selinux:system_u:object_r:etc_t:s0 failed: Operation not  
> supported.
> 
> And while the dump/restore works and the files get copied, this error
> causes my incremental backups to work as full backups.  Also, this
> muddies my log files which I rely on.  Imagine half the files on the
> system kicking out this error.
> 
> Thanks in advance,
> - Brian
> 
> 
> 
> 
> >
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list


Have you tried something like

cd /
find . -exec setfattr -h -x security.selinux '{}' \;

I know on an SELinux enabled system this will fail because you can't
outright remove the security.selinux xattr but if it falls back to the
generic xattr handlers it should be allowed. I'm not sure how the exec
directive will handle the -h and -x options so you may have to fiddle
with that.

- Dave
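
A more cautious form of the tree walk suggested above, as an added example that is not part of the original message: it uses Python's os.listxattr/os.removexattr rather than setfattr, stays on one filesystem, never follows symlinks, and only reports what it finds unless told to apply. The function name strip_selinux_labels and the --apply switch are assumptions made for this example.

```python
import os
import sys

XATTR = "security.selinux"  # attribute name from the restore error in the thread


def strip_selinux_labels(root, dry_run=True):
    """Find (and, unless dry_run, remove) security.selinux xattrs under root.

    Returns a dict: scanned (count), labeled {path: label}, removed [paths],
    errors [(path, message)].
    """
    result = {"scanned": 0, "labeled": {}, "removed": [], "errors": []}
    root_dev = os.lstat(root).st_dev

    def handle(path):
        result["scanned"] += 1
        try:
            # follow_symlinks=False mirrors setfattr -h: act on the link itself.
            if XATTR not in os.listxattr(path, follow_symlinks=False):
                return
            raw = os.getxattr(path, XATTR, follow_symlinks=False)
            result["labeled"][path] = raw.rstrip(b"\0").decode(errors="replace")
            if not dry_run:
                os.removexattr(path, XATTR, follow_symlinks=False)
                result["removed"].append(path)
        except OSError as exc:
            # e.g. refusal on an SELinux-enabled kernel, or no xattr support.
            result["errors"].append((path, str(exc)))

    handle(root)
    for dirpath, dirnames, filenames in os.walk(root):
        # Like find -xdev: skip /proc, NFS and other mounted filesystems.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in dirnames + filenames:
            handle(os.path.join(dirpath, name))
    return result


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--apply"]
    report = strip_selinux_labels(args[0] if args else ".",
                                  dry_run="--apply" not in sys.argv[1:])
    for path, label in sorted(report["labeled"].items()):
        print(f"{path}\t{label}")
    for path, message in report["errors"]:
        print(f"error: {path}: {message}", file=sys.stderr)
    print(f"scanned={report['scanned']} labeled={len(report['labeled'])} "
          f"removed={len(report['removed'])} errors={len(report['errors'])}")
```

Run it without --apply first and review the listed paths and labels; removal needs root and, as noted above, is refused while SELinux is enabled.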



