Re: [CentOS] selinux policy remnant according to /bin/ls on CentOS 6.0 box

2011-09-21 Thread Tris Hoar
Jon,

It's worth noting in C6 that you really should avoid using RPM to 
add/remove stuff and stick with yum. Yum now supports rolling back and 
forward package changes, but this is broken if you do things with RPM.

Tris


On 20/09/2011 18:48, Jon Detert wrote:
 I installed CentOS 6.0 on 2 different x86_64 boxen.  Both originally had 
 selinux installed and enabled.  I never touched selinux other than to remove 
 as much of it as I could via rpm -e.  As far as I can tell, here are the 
 remaining packages that have something to do with it:

 # rpm -qa | grep -iE 'sel|pol'
 checkpolicy-2.0.22-1.el6.x86_64
 libselinux-2.0.94-2.el6.x86_64
 libsepol-2.0.41-3.el6.x86_64
 polkit-0.96-2.el6_0.1.x86_64
 #

 Both boxen have those packages.

 However:

 1) box1 still has files in /selinux whereas box2's /selinux is empty;
 2) ls -l on box1 shows a '.' at the end of file/directory, which means a 
 SELinux security context applies, according to 
 https://fedoraproject.org/wiki/Fedora_11_FAQ#Why_does_ls_show_a_dot_.28..29_or_a_plus_.28.2B.29_at_the_end_on_the_file_modes_for_some_files.3F

 Any idea why box1 still seems to have an selinux policy applied, and how to 
 un-apply it?

 Thanks,

 Jon
 ___
 CentOS mailing list
 CentOS@centos.org
 http://lists.centos.org/mailman/listinfo/centos



[CentOS] selinux policy remnant according to /bin/ls on CentOS 6.0 box

2011-09-20 Thread Jon Detert
I installed CentOS 6.0 on 2 different x86_64 boxen.  Both originally had 
selinux installed and enabled.  I never touched selinux other than to remove as 
much of it as I could via rpm -e.  As far as I can tell, here are the remaining 
packages that have something to do with it:

# rpm -qa | grep -iE 'sel|pol'
checkpolicy-2.0.22-1.el6.x86_64
libselinux-2.0.94-2.el6.x86_64
libsepol-2.0.41-3.el6.x86_64
polkit-0.96-2.el6_0.1.x86_64
#

Both boxen have those packages.

However:

1) box1 still has files in /selinux whereas box2's /selinux is empty;
2) ls -l on box1 shows a '.' at the end of file/directory, which means a 
SELinux security context applies, according to 
https://fedoraproject.org/wiki/Fedora_11_FAQ#Why_does_ls_show_a_dot_.28..29_or_a_plus_.28.2B.29_at_the_end_on_the_file_modes_for_some_files.3F
 

Any idea why box1 still seems to have an selinux policy applied, and how to 
un-apply it?

Thanks,

Jon


Re: [CentOS] selinux policy remnant according to /bin/ls on CentOS 6.0 box

2011-09-20 Thread James Edwards
On 9/20/2011 1:48 PM, Jon Detert wrote:
 I installed CentOS 6.0 on 2 different x86_64 boxen.  Both originally had 
 selinux installed and enabled.  I never touched selinux other than to remove 
 as much of it as I could via rpm -e.  As far as I can tell, here are the 
 remaining packages that have something to do with it:

 # rpm -qa | grep -iE 'sel|pol'
 checkpolicy-2.0.22-1.el6.x86_64
 libselinux-2.0.94-2.el6.x86_64
 libsepol-2.0.41-3.el6.x86_64
 polkit-0.96-2.el6_0.1.x86_64
 #

 Both boxen have those packages.

 However:

 1) box1 still has files in /selinux whereas box2's /selinux is empty;
 2) ls -l on box1 shows a '.' at the end of file/directory, which means a 
 SELinux security context applies, according to 
 https://fedoraproject.org/wiki/Fedora_11_FAQ#Why_does_ls_show_a_dot_.28..29_or_a_plus_.28.2B.29_at_the_end_on_the_file_modes_for_some_files.3F

 Any idea why box1 still seems to have an selinux policy applied, and how to 
 un-apply it?

 Thanks,

 Jon

Did you disable SELinux by changing 'SELINUX=disabled' in 
/etc/sysconfig/selinux?  Wouldn't that be easier than removing all the 
RPMs?  If I may ask, is there a reason for removing the packages?

Thanks,
James


Re: [CentOS] selinux policy remnant according to /bin/ls on CentOS 6.0 box

2011-09-20 Thread Jon Detert
- Original Message -
 From: James Edwards jedwa...@bsdftw.org
 To: centos@centos.org
 Sent: Tuesday, September 20, 2011 12:52:34 PM
 Subject: Re: [CentOS] selinux policy remnant according to /bin/ls on CentOS 
 6.0 box
 
 On 9/20/2011 1:48 PM, Jon Detert wrote:
  I installed CentOS 6.0 on 2 different x86_64 boxen.  Both
  originally had selinux installed and enabled.  I never touched
  selinux other than to remove as much of it as I could via rpm -e.
   As far as I can tell, here are the remaining packages that have
  something to do with it:

-- snip --

  However:
 
  1) box1 still has files in /selinux whereas box2's /selinux is
  empty;
  2) ls -l on box1 shows a '.' at the end of file/directory, which
  means a SELinux security context applies, according to
  https://fedoraproject.org/wiki/Fedora_11_FAQ#Why_does_ls_show_a_dot_.28..29_or_a_plus_.28.2B.29_at_the_end_on_the_file_modes_for_some_files.3F
 
  Any idea why box1 still seems to have an selinux policy applied,
  and how to un-apply it?
 
  Thanks,
 
  Jon
 
 Did you disable SELinux by changing 'SELINUX=disabled' in
 /etc/sysconfig/selinux?  Wouldn't that be easier than removing all

I did not do so explicitly.  But it is set to disabled as described above.
I assume the rpm -e did that.  So, there must be some other step missing.

As to that being easier: perhaps, had I known that file/setting existed.

 the
 RPMs?  If I may ask, is there a reason for removing the packages?

I do not plan to use them.

Less is more, right? 


Re: [CentOS] selinux policy remnant according to /bin/ls on CentOS 6.0 box

2011-09-20 Thread James Edwards
On 9/20/2011 2:14 PM, Jon Detert wrote:
 Did you disable SELinux by changing 'SELINUX=disabled' in
 /etc/sysconfig/selinux?  Wouldn't that be easier than removing all
 I did not do so explicitly.  But it is set to disabled as described above.
 I assume the rpm -e did that.  So, there must be some other step missing.

 As to that being easier: perhaps, had I known that file/setting existed.

It has been my experience that after disabling SELinux, all that 
is then required is a reboot.  Alternatively, running 'setenforce 0' 
will disable it immediately.

 the
 RPMs?  If I may ask, is there a reason for removing the packages?
 I do not plan to use them.

 Less is more, right?

I went back and reread your original question, and I realized you had 
already answered that.  Anyway, you are correct, less is more.

Regards,
James


Re: [CentOS] selinux policy remnant according to /bin/ls on CentOS 6.0 box

2011-09-20 Thread Robert Nichols
On 09/20/2011 12:48 PM, Jon Detert wrote:
 I installed CentOS 6.0 on 2 different x86_64 boxen.  Both originally had 
 selinux installed and enabled.  I never touched selinux other than to remove 
 as much of it as I could via rpm -e.  As far as I can tell, here are the 
 remaining packages that have something to do with it:

 # rpm -qa | grep -iE 'sel|pol'
 checkpolicy-2.0.22-1.el6.x86_64
 libselinux-2.0.94-2.el6.x86_64
 libsepol-2.0.41-3.el6.x86_64
 polkit-0.96-2.el6_0.1.x86_64
 #

 Both boxen have those packages.

 However:

 1) box1 still has files in /selinux whereas box2's /selinux is empty;
 2) ls -l on box1 shows a '.' at the end of file/directory,
...

Each inode in the file system still has a security attribute attached.
You need to walk through the file system and remove them, one at a
time:

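   #!/bin/sh
   # Remove the security.selinux extended attribute from each file named
   # on the command line.  Pass -v first to print each file that is changed.
   if [ "$1" = -v ]; then
       verbose=y
       shift
   else
       verbose=n
   fi

   for F in "$@"; do
       # getfattr prints something only if the file carries the attribute
       if [ -n "$(getfattr --absolute-names -n security.selinux "$F" 2>/dev/null)" ]; then
           [ "$verbose" = y ] && echo "$F"
           setfattr -x security.selinux "$F"
       fi
   done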

-- 
Bob Nichols NOSPAM is really part of my email address.
 Do NOT delete it.
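
Added example, not part of Bob's post or of the thread: a small diagnostic for the box1/box2 difference discussed above. It compares the configured SELINUX= mode with whether a selinuxfs is mounted (the files seen in /selinux) and can count files that still carry a security.selinux attribute. The function names are hypothetical, and the "selinuxfs" type name in /proc/mounts is an assumption about the mounts table.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Files are passed as arguments so samples or copies can be checked.

# Print the SELINUX= value from a config file such as /etc/sysconfig/selinux.
# Comment lines and SELINUXTYPE= are ignored; prints "unset" if absent.
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    echo "${mode:-unset}"
}

# Print the selinuxfs mount point listed in a mounts table (/proc/mounts).
# Returns non-zero when no selinuxfs is mounted, i.e. the running kernel
# has SELinux off (assumes the "selinuxfs" filesystem type name).
selinuxfs_mountpoint() {
    awk '$3 == "selinuxfs" { print $2; found = 1 } END { exit !found }' \
        "$1" 2>/dev/null
}

# Count files under a directory (one filesystem) that carry a
# security.selinux xattr. Needs getfattr from the attr package.
count_labeled() {
    find "$1" -xdev -exec getfattr --absolute-names -h \
        -n security.selinux {} + 2>/dev/null | grep -c '^# file: '
}

# One-line summary: configured mode versus what the running kernel is doing.
diagnose() {    # usage: diagnose CONFIG_FILE MOUNTS_FILE
    cfg=$(selinux_config_mode "$1")
    if mp=$(selinuxfs_mountpoint "$2"); then
        echo "config=$cfg runtime=active($mp): SELinux is live in this kernel"
    else
        echo "config=$cfg runtime=off: labels seen by ls are stored xattrs"
    fi
}

# Default to the paths named in the thread; count_labeled is slow on a
# whole filesystem, so call it separately, e.g.: count_labeled /home
diagnose "${1:-/etc/sysconfig/selinux}" "${2:-/proc/mounts}"
```

While a selinuxfs is mounted the kernel reports a label for every file, so count_labeled is only meaningful for finding leftovers once the runtime state is off.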
