My response would be that a) I don't have time to investigate selinux changes/improvements since I barely have time to plan/test/execute an upgrade, b) yes, out of habit from previous versions and c) in an environment full of (mainly) Unix admins we try and keep things as Unix-y as possible.
Kevin

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Thursday, December 02, 2010 4:37 PM
To: [email protected]
Cc: Collins, Kevin [BEELINE]; [email protected]; [email protected]
Subject: Re: [rhelv6-list] selinux (not quite) disabled?

Out of curiosity, why are people disabling SELinux in RHEL6? Is it because of habit from RHEL4 / RHEL5? I thought SELinux would be vastly improved for RHEL6 but it appears people are quick to disable it. I just want to know why. Also, it appears there are a lot more features in RHEL6 to help administer SELinux and the documentation for it is also pretty well done.

~rp

On Thu, Dec 2, 2010 at 7:02 PM, <[email protected]> wrote:
>
> Relabeling the filesystem actually just corrects the labeling, it does not
> remove the labeling, even if selinux is disabled.
>
> Effectively, this is a feature not a bug. Albeit poorly documented.
> (apparently Mac uses @ instead of .) There is documentation in the
> coreutils info pages on ls:
>
> "Following the file mode bits is a single character that specifies whether
> an alternate access method such as an access control list applies to the
> file. When the character following the file mode bits is a space, there is
> no alternate access method. When it is printing a character, then there is
> such a method.
>
> Gnu `ls` uses a `.' character to indicate a file with an SELinux security
> context, but no other alternate access method.
>
> A file with any other combination of alternate access methods is marked
> with a `+' character."
>
>
> Here is a summarized discussion from a blog by Dan Walsh (in comment
> section) on Managing File Context
> (http://danwalsh.livejournal.com/4208.html):
>
> q: i would like to know how to completely remove ALL file labels created by
> SELinux
> a: you can not remove labels it is part of SELinux system
>
> note: Dan did not state that, Anonymous did, and no one disagreed/corrected
> them.
>
>
> However there is a thread
> (http://osdir.com/ml/fedora-selinux/2009-07/msg00087.html) about "removing
> context" where someone suggests this:
>
> find . -exec setfattr -h -x security.selinux '{}' \;
>
> -greg
>
> [email protected] wrote on 12/02/2010 04:54:24 PM:
>
>>
>> That didn't seem to make any difference... :(
>>
>> From: [email protected] [mailto:[email protected]]
>> On Behalf Of Harrison, Jonathan
>> Sent: Thursday, December 02, 2010 1:57 PM
>> To: '[email protected]'
>> Subject: Re: [rhelv6-list] selinux (not quite) disabled?
>>
>> I believe that you can touch .autorelabel in / and then reboot to
>> perform this action. I typically do this every time I set
>> /etc/sysconfig/selinux to disabled.
>>
>> Jonathan
>>
>> >So, how do I make it go away? :)
>>
>> >Kevin
>>
>> >-----Original Message-----
>> >From: [email protected]
>> >[mailto:[email protected]] On Behalf Of Marti, Robert
>> >Sent: Thursday, December 02, 2010 12:44 PM
>> >To: [email protected]
>> >Subject: Re: [rhelv6-list] selinux (not quite) disabled?
>>
>>
>> >From: [email protected] [rhelv6-list-
>> [email protected]] On Behalf Of Bill Nottingham [[email protected]]
>> >Sent: Thursday, December 02, 2010 14:38
>> >To: [email protected]
>> >Subject: Re: [rhelv6-list] selinux (not quite) disabled?
>>
>> >Collins, Kevin [BEELINE] ([email protected]) said:
>> >> In testing RHEL6, I have noted that some directories show a "." (dot) at
>> >> the end:
>>
>> >It means the files/directories have a SELinux security label stored
>> >in an extended attribute - the attributes remain present on the
>> >filesystem even if SELinux is disabled.
>>
>> >Bill
>> _______________________________________________
>> rhelv6-list mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/rhelv6-list
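
Added example, not part of the original thread: a read-only Python audit that reports which entries under a directory would carry the `.` or `+` marker described in the coreutils text quoted above, by listing extended attributes instead of removing them. Treating the presence of the `system.posix_acl_*` attributes as "another alternate access method" is an approximation of what GNU ls checks, and the function names are this example's own.

```python
import errno
import os
import sys

SELINUX_XATTR = "security.selinux"  # attribute that stores the SELinux label
ACL_XATTRS = {"system.posix_acl_access", "system.posix_acl_default"}

def xattr_names(path, listxattr=None):
    """Extended attribute names on path itself (symlinks are not followed)."""
    try:
        return set((listxattr or os.listxattr)(path, follow_symlinks=False))
    except OSError as e:
        # No xattr support on this filesystem, or the entry vanished / is unreadable.
        if e.errno in (errno.ENOTSUP, errno.ENOENT, errno.EACCES, errno.EPERM):
            return set()
        raise

def ls_marker(names):
    """Approximate the character GNU ls prints after the file mode bits."""
    if names & ACL_XATTRS:
        return "+"   # some other alternate access method (assumed: POSIX ACL)
    if SELINUX_XATTR in names:
        return "."   # SELinux context only
    return " "       # no alternate access method

def parse_context(raw):
    """Split a raw label (bytes, often NUL-terminated) into user/role/type/level."""
    parts = raw.rstrip(b"\x00").decode("ascii", "replace").split(":", 3)
    if len(parts) < 3:
        return None  # not in user:role:type[:level] form
    return dict(zip(("user", "role", "type", "level"), parts + [None]))

def audit(root, listxattr=None):
    """Count directories and files under root by marker; changes nothing."""
    counts = {" ": 0, ".": 0, "+": 0}
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            counts[ls_marker(xattr_names(path, listxattr))] += 1
    return counts

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for marker, n in audit(root).items():
        print(f"marker {marker!r}: {n} entries")
    if SELINUX_XATTR in xattr_names(root):
        raw = os.getxattr(root, SELINUX_XATTR, follow_symlinks=False)
        print("label on root:", parse_context(raw))
```
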
