[rhelv6-list] selinux (not quite) disabled?

Collins, Kevin [BEELINE] KCollins at chevron.com
Fri Dec 3 00:38:22 UTC 2010


We don't see this in RHEL5, so apparently something has changed in selinux or how it is labelling. I'll follow up on the thread you mentioned.

Thanks,

Kevin

-----Original Message-----
From: Greg_Swift at aotx.uscourts.gov [mailto:Greg_Swift at aotx.uscourts.gov] 
Sent: Thursday, December 02, 2010 4:03 PM
To: Collins, Kevin [BEELINE]
Cc: rhelv6-list at redhat.com; rhelv6-list-bounces at redhat.com
Subject: Re: [rhelv6-list] selinux (not quite) disabled?


Relabeling the filesystem actually just corrects the labeling, it does not
remove the labeling, even if selinux is disabled.

Effectively, this is a feature not a bug. Albeit poorly documented.
(apparently Mac uses @ instead of .)  There is documentation in the
coreutils info pages on ls:

"Following the file mode bits is a single character that specifies whether
an alternate access method such as an access control list applies to the
file.  When the character following the file mode bits is a space, there is
no alternate access method.  When it is printing a character, then there is
such a method.

Gnu `ls` uses a `.' character to indicate a file with an SELinux security
context, but no other alternate access method.

A file with any other combination of alternate access methods is marked
with a `+' character."


Here is a summarized discussion from a blog by Dan Walsh (in comment
section) on Managing File Context
(http://danwalsh.livejournal.com/4208.html):

q: i would like to know how to completely remove ALL file labels created by
SELinux
a: you can not remove labels it is part of SELinux system

note: Dan did not state that, Anonymous did, and no one disagreed/corrected
them.


However there is a thread
(http://osdir.com/ml/fedora-selinux/2009-07/msg00087.html) about "removing
context" where someone suggests this:

find . -exec setfattr -h -x security.selinux '{}' \;

-greg

rhelv6-list-bounces at redhat.com wrote on 12/02/2010 04:54:24 PM:

>
> That didn’t seem to make any difference... :(
>
> From: rhelv6-list-bounces at redhat.com
[mailto:rhelv6-list-bounces at redhat.com]
> On Behalf Of Harrison, Jonathan
> Sent: Thursday, December 02, 2010 1:57 PM
> To: 'rhelv6-list at redhat.com'
> Subject: Re: [rhelv6-list] selinux (not quite) disabled?
>
> I believe that you can touch .autorelabel in / and then reboot to
> perform this action.  I typically do this every time I set /etc/
> sysconfig/selinux to disabled.
>
> Jonathan
>
> >So, how do I make it go away?  :)
>
> >Kevin
>
> >-----Original Message-----
> >From: rhelv6-list-bounces at redhat.com
> >[mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Marti, Robert
> >Sent: Thursday, December 02, 2010 12:44 PM
> >To: rhelv6-list at redhat.com
> >Subject: Re: [rhelv6-list] selinux (not quite) disabled?
>
>
> >From: rhelv6-list-bounces at redhat.com [rhelv6-list-
> bounces at redhat.com] On Behalf Of Bill Nottingham [notting at redhat.com]
> >Sent: Thursday, December 02, 2010 14:38
> >To: rhelv6-list at redhat.com
> >Subject: Re: [rhelv6-list] selinux (not quite) disabled?
>
> >Collins, Kevin [BEELINE] (KCollins at chevron.com) said:
> >> In testing RHEL6, I have noted that some directories show a "." (dot)
> at
> >> the end:
>
> >It means the files/directories have a SELinux security label stored
> in an extended attribute - the attributes remain present on the
> filesystem even if SELinux is disabled.
>
> >Bill
> _______________________________________________
> rhelv6-list mailing list
> rhelv6-list at redhat.com
> https://www.redhat.com/mailman/listinfo/rhelv6-list
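Added example, not from any poster on this thread and not coreutils code: a small Python audit of which files under a tree still carry the security.selinux attribute that makes ls print the "." after the mode bits, classified with the ls rule quoted above. It assumes POSIX ACL xattrs (system.posix_acl_access / system.posix_acl_default) are the "other alternate access method" that ls reports with "+".

```python
"""Audit which files carry the SELinux context xattr that makes GNU ls print
a '.' after the mode bits. Example added to this thread; not the posters'
code and not coreutils' implementation."""
import os

SELINUX_XATTR = "security.selinux"
# Assumption: POSIX ACL xattrs are the "other alternate access method"
# that ls reports with '+'.
ACL_XATTRS = {"system.posix_acl_access", "system.posix_acl_default"}


def alt_access_indicator(xattr_names):
    """Return the character ls -l prints after the mode bits, following the
    coreutils documentation quoted in the thread: ' ' for no alternate access
    method, '.' for an SELinux context only, '+' for any other combination
    (an ACL, with or without a context)."""
    names = set(xattr_names)
    if names & ACL_XATTRS:
        return "+"
    if SELINUX_XATTR in names:
        return "."
    return " "


def list_xattrs(path):
    """Names of extended attributes on path, without following symlinks.
    Filesystems without xattr support, or non-Linux Pythons, yield []."""
    if not hasattr(os, "listxattr"):
        return []
    try:
        return os.listxattr(path, follow_symlinks=False)
    except OSError:  # ENOTSUP, EPERM or a vanished file: treat as unlabelled
        return []


def scan(root):
    """Map every directory and file under root to its indicator character."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, n) for n in dirnames + filenames]
        for p in entries:
            result[p] = alt_access_indicator(list_xattrs(p))
    return result


def labelled_paths(root):
    """Paths that still carry an SELinux context, i.e. the ones a relabel
    would rewrite and 'setfattr -x security.selinux' would strip."""
    return sorted(p for p, c in scan(root).items() if c == ".")


if __name__ == "__main__":
    for p, c in sorted(scan(os.curdir).items()):
        print(f"{c} {p}")
```

On a host where SELinux was never enabled, or whose filesystem lacks xattr support, every entry reports " ", which is exactly the difference between a clean tree and one with leftover labels.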
