[rhelv6-list] selinux (not quite) disabled?

Marti, Robert RJM002 at shsu.edu
Fri Dec 3 00:59:55 UTC 2010


SELinux scares people, to put it simply. Instead of fixing things to work with it, it gets disabled so no one has to deal with it. I'd rather fix it, but the normal complaint is lack of time to do it right. I normally set it to permissive mode and make a note to come back and address the issues later. So far later hasn't come.

Sent from my iPhone

On Dec 2, 2010, at 6:39 PM, "robinprice at gmail.com" <robinprice at gmail.com> wrote:

> Out of curiosity,
> 
> why are people disabling SELinux in RHEL6?  Is it because of habit
> from RHEL4 / RHEL5?  I thought SELinux would be vastly improved for
> RHEL6 but it appears people are quick to disable it.  I just want to
> know why.
> 
> Also, it appears there are a lot more features in RHEL6 to help
> administer SELinux and the documentation for it is also pretty well
> done.
> 
> ~rp
> 
> On Thu, Dec 2, 2010 at 7:02 PM,  <Greg_Swift at aotx.uscourts.gov> wrote:
>> 
>> Relabeling the filesystem actually just corrects the labeling, it does not
>> remove the labeling, even if selinux is disabled.
>> 
>> Effectively, this is a feature not a bug. Albeit poorly documented.
>> (apparently Mac uses @ instead of .)  There is documentation in the
>> coreutils info pages on ls:
>> 
>> "Following the file mode bits is a single character that specifies whether
>> an alternate access method such as an access control list applies to the
>> file.  When the character following the file mode bits is a space, there is
>> no alternate access method.  When it is printing a character, then there is
>> such a method.
>> 
>> Gnu `ls` uses a `.' character to indicate a file with an SELinux security
>> context, but no other alternate access method.
>> 
>> A file with any other combination of alternate access methods is marked
>> with a `+' character."
>> 
>> 
>> Here is a summarized discussion from a blog by Dan Walsh (in comment
>> section) on Managing File Context
>> (http://danwalsh.livejournal.com/4208.html):
>> 
>> q: i would like to know how to completely remove ALL file labels created by
>> SELinux
>> a: you can not remove labels it is part of SELinux system
>> 
>> note: Dan did not state that, Anonymous did, and no one disagreed/corrected
>> them.
>> 
>> 
>> However there is a thread
>> (http://osdir.com/ml/fedora-selinux/2009-07/msg00087.html) about "removing
>> context" where someone suggests this:
>> 
>> find . -exec setfattr -h -x security.selinux '{}' \;
>> 
>> -greg
>> 
>> rhelv6-list-bounces at redhat.com wrote on 12/02/2010 04:54:24 PM:
>> 
>>> 
>>> That didn’t seem to make any difference... :(
>>> 
>>> From: rhelv6-list-bounces at redhat.com
>> [mailto:rhelv6-list-bounces at redhat.com]
>>> On Behalf Of Harrison, Jonathan
>>> Sent: Thursday, December 02, 2010 1:57 PM
>>> To: 'rhelv6-list at redhat.com'
>>> Subject: Re: [rhelv6-list] selinux (not quite) disabled?
>>> 
>>> I believe that you can touch .autorelabel in / and then reboot to
>>> perform this action.  I typically do this every time I set /etc/
>>> sysconfig/selinux to disabled.
>>> 
>>> Jonathan
>>> 
>>>> So, how do I make it go away?  :)
>>> 
>>>> Kevin
>>> 
>>>> -----Original Message-----
>>>> From: rhelv6-list-bounces at redhat.com
>>>> [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Marti, Robert
>>>> Sent: Thursday, December 02, 2010 12:44 PM
>>>> To: rhelv6-list at redhat.com
>>>> Subject: Re: [rhelv6-list] selinux (not quite) disabled?
>>> 
>>> 
>>>> From: rhelv6-list-bounces at redhat.com [rhelv6-list-
>>> bounces at redhat.com] On Behalf Of Bill Nottingham [notting at redhat.com]
>>>> Sent: Thursday, December 02, 2010 14:38
>>>> To: rhelv6-list at redhat.com
>>>> Subject: Re: [rhelv6-list] selinux (not quite) disabled?
>>> 
>>>> Collins, Kevin [BEELINE] (KCollins at chevron.com) said:
>>>>> In testing RHEL6, I have noted that some directories show a "." (dot)
>>> at
>>>>> the end:
>>> 
>>>> It means the files/directories have a SELinux security label stored
>>> in an extended attribute - the attributes remain present on the
>>> filesystem even if SELinux is disabled.
>>> 
>>>> Bill
>>> _______________________________________________
>>> rhelv6-list mailing list
>>> rhelv6-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/rhelv6-list
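
Added example, not part of the thread or of coreutils: a Python sketch that walks a directory and reports which entries still carry a label in the security.selinux extended attribute, together with the marker character described in the ls documentation quoted above. It assumes Linux, and that POSIX ACL attributes are the only other "alternate access method" worth checking; the function names are hypothetical.

```python
#!/usr/bin/env python3
"""List files that still carry an SELinux label in their extended attributes."""
import os
import sys

SELINUX_XATTR = "security.selinux"
# Assumption: POSIX ACLs are the only other "alternate access method" checked.
ACL_XATTRS = {"system.posix_acl_access", "system.posix_acl_default"}


def ls_marker(xattr_names):
    """Character after the mode bits, per the coreutils text quoted above."""
    names = set(xattr_names)
    if names & ACL_XATTRS:
        return "+"   # an ACL, with or without an SELinux context
    if SELINUX_XATTR in names:
        return "."   # SELinux context only
    return " "       # no alternate access method


def read_label(path):
    """Return (marker, label); label is None when no context is stored."""
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError:          # missing file, or filesystem without xattrs
        return " ", None
    label = None
    if SELINUX_XATTR in names:
        try:
            raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
            label = raw.rstrip(b"\0").decode("utf-8", "replace")
        except OSError:
            pass             # attribute listed but not readable
    return ls_marker(names), label


def audit(root):
    """Walk root and return [(path, marker, label)] for labelled entries."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            marker, label = read_label(path)
            if label is not None:
                found.append((path, marker, label))
    return found


if __name__ == "__main__":
    for path, marker, label in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{marker} {label}  {path}")
```

Because it reads the attribute directly, it reports stored labels whether SELinux is enforcing, permissive or disabled.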
