[rhelv6-list] selinux (not quite) disabled?

robinprice at gmail.com robinprice at gmail.com
Fri Dec 3 00:37:16 UTC 2010


Out of curiosity,

why are people disabling SELinux in RHEL6?  Is it because of habit
from RHEL4 / RHEL5?  I thought SELinux would be vastly improved for
RHEL6 but it appears people are quick to disable it.  I just want to
know why.

Also, it appears there are a lot more features in RHEL6 to help
administer SELinux and the documentation for it is also pretty well
done.

~rp

On Thu, Dec 2, 2010 at 7:02 PM,  <Greg_Swift at aotx.uscourts.gov> wrote:
>
> Relabeling the filesystem actually just corrects the labeling, it does not
> remove the labeling, even if selinux is disabled.
>
> Effectively, this is a feature not a bug. Albeit poorly documented.
> (apparently Mac uses @ instead of .)  There is documentation in the
> coreutils info pages on ls:
>
> "Following the file mode bits is a single character that specifies whether
> an alternate access method such as an access control list applies to the
> file.  When the character following the file mode bits is a space, there is
> no alternate access method.  When it is printing a character, then there is
> such a method.
>
> Gnu `ls` uses a `.' character to indicate a file with an SELinux security
> context, but no other alternate access method.
>
> A file with any other combination of alternate access methods is marked
> with a `+' character."
>
>
> Here is a summarized discussion from a blog by Dan Walsh (in comment
> section) on Managing File Context
> (http://danwalsh.livejournal.com/4208.html):
>
> q: i would like to know how to completely remove ALL file labels created by
> SELinux
> a: you cannot remove labels; they are part of the SELinux system
>
> note: Dan did not state that, Anonymous did, and no one disagreed/corrected
> them.
>
>
> However there is a thread
> (http://osdir.com/ml/fedora-selinux/2009-07/msg00087.html) about "removing
> context" where someone suggests this:
>
> find . -exec setfattr -h -x security.selinux '{}' \;
>
> -greg
>
> rhelv6-list-bounces at redhat.com wrote on 12/02/2010 04:54:24 PM:
>
>>
>> That didn’t seem to make any difference... :(
>>
>> From: rhelv6-list-bounces at redhat.com
> [mailto:rhelv6-list-bounces at redhat.com]
>> On Behalf Of Harrison, Jonathan
>> Sent: Thursday, December 02, 2010 1:57 PM
>> To: 'rhelv6-list at redhat.com'
>> Subject: Re: [rhelv6-list] selinux (not quite) disabled?
>>
>> I believe that you can touch .autorelabel in / and then reboot to
>> perform this action.  I typically do this every time I set /etc/
>> sysconfig/selinux to disabled.
>>
>> Jonathan
>>
>> >So, how do I make it go away?  :)
>>
>> >Kevin
>>
>> >-----Original Message-----
>> >From: rhelv6-list-bounces at redhat.com
>> >[mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Marti, Robert
>> >Sent: Thursday, December 02, 2010 12:44 PM
>> >To: rhelv6-list at redhat.com
>> >Subject: Re: [rhelv6-list] selinux (not quite) disabled?
>>
>>
>> >From: rhelv6-list-bounces at redhat.com [rhelv6-list-
>> bounces at redhat.com] On Behalf Of Bill Nottingham [notting at redhat.com]
>> >Sent: Thursday, December 02, 2010 14:38
>> >To: rhelv6-list at redhat.com
>> >Subject: Re: [rhelv6-list] selinux (not quite) disabled?
>>
>> >Collins, Kevin [BEELINE] (KCollins at chevron.com) said:
>> >> In testing RHEL6, I have noted that some directories show a "." (dot) at
>> >> the end:
>>
>> >It means the files/directories have a SELinux security label stored
>> in an extended attribute - the attributes remain present on the
>> filesystem even if SELinux is disabled.
>>
>> >Bill
>> _______________________________________________
>> rhelv6-list mailing list
>> rhelv6-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/rhelv6-list
>
>
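As an added example (not code from this thread, from coreutils or from Dan Walsh's blog), the script below classifies the marker that GNU `ls -l` prints after the mode bits (the "." the thread is about) and walks a directory to report files that still carry the `security.selinux` extended attribute, which is what remains on disk even when SELinux is disabled. The sample listing is constructed; the xattr walk uses `os.listxattr`, which only exists on Linux, and returns an empty list elsewhere.

```python
import os
import re
from typing import Dict, List

# Character 11 of an `ls -l` line, right after the ten mode bits (coreutils info page):
#   '.' = SELinux security context only, '+' = ACL or other method, ' ' = none.
MARKER_MEANING = {".": "selinux-context", "+": "acl-or-other", " ": "none"}
MODE_RE = re.compile(r"^[-dlcbps][rwxsStT-]{9}(?P<marker>[.+ ])")

def classify_ls_line(line: str) -> str:
    """Return what the marker after the mode bits of one `ls -l` entry means."""
    m = MODE_RE.match(line)
    if not m:
        raise ValueError(f"not an ls -l entry: {line!r}")
    return MARKER_MEANING[m.group("marker")]

def summarize_listing(listing: str) -> Dict[str, int]:
    """Count marker categories over a whole `ls -l` listing (skips the 'total' line)."""
    counts = {v: 0 for v in MARKER_MEANING.values()}
    for line in listing.splitlines():
        if line and not line.startswith("total"):
            counts[classify_ls_line(line)] += 1
    return counts

def files_with_selinux_xattr(root: str) -> List[str]:
    """Walk `root` and list paths that still carry the security.selinux xattr,
    i.e. the label that stays on disk even when SELinux is disabled.
    Entries on filesystems without xattr support are skipped (Linux only)."""
    if not hasattr(os, "listxattr"):
        return []
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                if "security.selinux" in os.listxattr(path, follow_symlinks=False):
                    found.append(path)
            except OSError:
                continue
    return found

# Constructed sample listing in the format the thread discusses (not real output).
SAMPLE_LISTING = """total 12
drwxr-xr-x. 2 root root 4096 Dec  2 16:54 etc
-rw-r--r--+ 1 root root  220 Dec  2 16:54 shared.txt
-rw-r--r--  1 root root   42 Dec  2 16:54 plain.txt
"""
```

Running `summarize_listing` over real `ls -l` output, or `files_with_selinux_xattr("/etc")` on a RHEL box, shows at a glance whether labels are still present after SELinux has been set to disabled.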