[CentOS] selinux policy remnant according to /bin/ls on CentOS 6.0 box
Robert Nichols
rnicholsNOSPAM at comcast.net
Tue Sep 20 20:35:04 UTC 2011
On 09/20/2011 12:48 PM, Jon Detert wrote:
> I installed CentOS 6.0 on 2 different x86_64 boxen. Both originally had selinux installed and enabled. I never touched selinux other than to remove as much of it as I could via rpm -e. As far as I can tell, here are the remaining packages that have something to do with it:
>
> # rpm -qa | grep -iE 'sel|pol'
> checkpolicy-2.0.22-1.el6.x86_64
> libselinux-2.0.94-2.el6.x86_64
> libsepol-2.0.41-3.el6.x86_64
> polkit-0.96-2.el6_0.1.x86_64
> #
>
> Both boxen have those packages.
>
> However:
>
> 1) box1 still has files in /selinux whereas box2's /selinux is empty;
> 2) ls -l on box1 shows a '.' at the end of file/directory,
...
Each inode in the file system still has a security attribute attached.
You need to walk through the file system and remove them, one at a
time:
#!/bin/sh
if [ "$1" = -v ]; then
verbose=y
shift
else
verbose=n
fi
for F in "$@";do
if [ -n "$(getfattr --absolute-names -n security.selinux "$F" 2>/dev/null)"
]; then
[ $verbose = y ] && echo "$F"
setfattr -x security.selinux "$F"
fi
done
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
More information about the CentOS
mailing list