SELinux scares people, to put it simply. Instead of fixing things to work with 
it, it gets disabled so no one has to deal with it. I'd rather fix it, but the 
normal complaint is lack of time to do it right. I normally set it to 
permissive mode and make a note to come back and address the issues later. So 
far later hasn't come. 

On Dec 2, 2010, at 6:39 PM, "[email protected]" <[email protected]> wrote:

> Out of curiosity,
> 
> why are people disabling SELinux in RHEL6?  Is it because of habit
> from RHEL4 / RHEL5?  I thought SELinux would be vastly improved for
> RHEL6 but it appears people are quick to disable it.  I just want to
> know why.
> 
> Also, it appears there are a lot more features in RHEL6 to help
> administer SELinux and the documentation for it is also pretty well
> done.
> 
> ~rp
> 
> On Thu, Dec 2, 2010 at 7:02 PM,  <[email protected]> wrote:
>> 
>> Relabeling the filesystem actually just corrects the labeling, it does not
>> remove the labeling, even if selinux is disabled.
>> 
>> Effectively, this is a feature not a bug. Albeit poorly documented.
>> (apparently Mac uses @ instead of .)  There is documentation in the
>> coreutils info pages on ls:
>> 
>> "Following the file mode bits is a single character that specifies whether
>> an alternate access method such as an access control list applies to the
>> file.  When the character following the file mode bits is a space, there is
>> no alternate access method.  When it is printing a character, then there is
>> such a method.
>> 
>> Gnu `ls` uses a `.' character to indicate a file with an SELinux security
>> context, but no other alternate access method.
>> 
>> A file with any other combination of alternate access methods is marked
>> with a `+' character."
>> 
>> 
>> Here is a summarized discussion from a blog by Dan Walsh (in comment
>> section) on Managing File Context
>> (http://danwalsh.livejournal.com/4208.html):
>> 
>> q: i would like to know how to completely remove ALL file labels created by
>> SELinux
>> a: you can not remove labels it is part of SELinux system
>> 
>> note: Dan did not state that, Anonymous did, and no one disagreed/corrected
>> them.
>> 
>> 
>> However there is a thread
>> (http://osdir.com/ml/fedora-selinux/2009-07/msg00087.html) about "removing
>> context" where someone suggests this:
>> 
>> find . -exec setfattr -h -x security.selinux '{}' \;
>> 
>> -greg
>> 
>> [email protected] wrote on 12/02/2010 04:54:24 PM:
>> 
>>> 
>>> That didn’t seem to make any difference... :(
>>> 
>>> From: [email protected]
>> [mailto:[email protected]]
>>> On Behalf Of Harrison, Jonathan
>>> Sent: Thursday, December 02, 2010 1:57 PM
>>> To: '[email protected]'
>>> Subject: Re: [rhelv6-list] selinux (not quite) disabled?
>>> 
>>> I believe that you can touch .autorelabel in / and then reboot to
>>> perform this action.  I typically do this every time I set
>>> /etc/sysconfig/selinux to disabled.
>>> 
>>> Jonathan
>>> 
>>>> So, how do I make it go away?  :)
>>> 
>>>> Kevin
>>> 
>>>> -----Original Message-----
>>>> From: [email protected]
>>>> [mailto:[email protected]] On Behalf Of Marti, Robert
>>>> Sent: Thursday, December 02, 2010 12:44 PM
>>>> To: [email protected]
>>>> Subject: Re: [rhelv6-list] selinux (not quite) disabled?
>>> 
>>> 
>>>> From: [email protected] [rhelv6-list-
>>> [email protected]] On Behalf Of Bill Nottingham [[email protected]]
>>>> Sent: Thursday, December 02, 2010 14:38
>>>> To: [email protected]
>>>> Subject: Re: [rhelv6-list] selinux (not quite) disabled?
>>> 
>>>> Collins, Kevin [BEELINE] ([email protected]) said:
>>>>> In testing RHEL6, I have noted that some directories show a "." (dot)
>>>>> at the end:
>>>
>>>> It means the files/directories have a SELinux security label stored
>>>> in an extended attribute - the attributes remain present on the
>>>> filesystem even if SELinux is disabled.
>>>
>>>> Bill
>>> _______________________________________________
>>> rhelv6-list mailing list
>>> [email protected]
>>> https://www.redhat.com/mailman/listinfo/rhelv6-list
>> 
>> 
> 

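An added example, not part of the thread: a Python sketch of the indicator rule quoted from the coreutils info page, applied to a directory tree so that paths with no `security.selinux` attribute can be found before SELinux is switched from disabled or permissive back to enforcing. The function names are hypothetical, and detecting an ACL by the presence of the `system.posix_acl_*` attributes is a simplifying assumption.

```python
import os
import sys

SELINUX_XATTR = "security.selinux"
# Assumption: a POSIX ACL is detected by the xattrs Linux stores it in.
ACL_XATTRS = {"system.posix_acl_access", "system.posix_acl_default"}


def ls_indicator(xattr_names):
    """Character `ls -l` prints after the mode bits, per the quoted info page."""
    names = set(xattr_names)
    if names & ACL_XATTRS:
        return "+"   # another alternate access method, with or without a label
    if SELINUX_XATTR in names:
        return "."   # SELinux security context only
    return " "       # no alternate access method, so no label either


def read_xattr_names(path):
    """Names of the xattrs on path itself (Linux only; symlinks not followed)."""
    try:
        return os.listxattr(path, follow_symlinks=False)
    except OSError:
        return []    # unreadable path, or a filesystem without xattr support


def audit_tree(root, list_names=read_xattr_names):
    """Group every directory and file under root by its ls indicator.

    The extra "unlabeled" key lists paths lacking security.selinux, including
    any "+" paths that carry an ACL but no label.
    """
    report = {" ": [], ".": [], "+": [], "unlabeled": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            names = list_names(path)
            report[ls_indicator(names)].append(path)
            if SELINUX_XATTR not in names:
                report["unlabeled"].append(path)
    return report


if __name__ == "__main__":
    result = audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for key in (".", "+", " "):
        print(f"{key!r}: {len(result[key])} paths")
    for path in result["unlabeled"]:
        print("no SELinux label:", path)
```

Paths reported as unlabeled are the ones a relabel (the `.autorelabel` step mentioned in the thread) would need to fix.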