SELinux remove extended ACL

2

I have a set of files that can't have SELinux's extended ACL on them. When running ls -la I get a result similar to:

-rwxr-xr-x.  1 root root    1 Aug  8  2014 filea
-rwxr-xr-x.  1 root root    1 Aug  8  2014 fileb
          ^ Note the dot

SELinux is set to permissive, but I can't run the command sudo setfattr -h -x security.selinux filea, it returns the error setfattr: filea: Permission denied. If I completely disable SELinux this works though.

The issue is that disabling SELinux requires a restart of the server, which isn't possible. Is there any way to remove SELinux file ACLs (aka remove that dot in ls -la) without restarting the server?

Ben

Posted 2015-03-03T03:47:06.400

Reputation: 459

Answers

2

SELinux ACLs aren't set directly on the files, so no, you can't really.

All SELinux access rules are applied to "contexts"; all processes and all files live in one context or another, and the dot only means that the file has a specific SELinux context assigned to it (see ls -Z) as opposed to the default one (unconfined_u:object_r:default_t).

If the current rules allow it, you can change a file's security context (relabel it) using chcon.

user1686

Posted 2015-03-03T03:47:06.400

Reputation: 283 655
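As an added illustration of the answer above (example script, not part of either post), the trailing character that GNU ls prints after the mode bits is what distinguishes the two cases people tend to confuse: "." means the file carries an SELinux security context (stored in the security.selinux extended attribute and shown by ls -Z), while "+" means it carries a POSIX extended ACL. The script below classifies constructed ls -la lines by that flag; the file names and listing are made up for the example, and the commands in the closing comment are the ones you would run on a real SELinux host to inspect or relabel a file.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Classifies lines of
# "ls -la" output by the character GNU ls appends to the mode field:
#   "."  file has an SELinux security context (security.selinux xattr)
#   "+"  file has an extended POSIX ACL
#   none neither
# Constructed sample listing (not the asker's real files):
SAMPLE_LS='-rwxr-xr-x.  1 root root    1 Aug  8  2014 filea
-rwxr-xr-x   1 root root    1 Aug  8  2014 fileb
-rw-r--r--+  1 root root   42 Aug  8  2014 filec'

# classify_mode MODEFIELD -> prints selinux-context, posix-acl or none
classify_mode() {
    case "$1" in
        *.) echo selinux-context ;;
        *+) echo posix-acl ;;
        *)  echo none ;;
    esac
}

# report_labels: reads "ls -la" lines on stdin, prints "<name> <class>" per line.
# The date occupies three fields whether ls prints a year or a time, so the
# name is everything after the ninth field (names with spaces survive).
report_labels() {
    while read -r mode _links _owner _group _size _mon _day _year name; do
        [ -n "$mode" ] || continue
        echo "$name $(classify_mode "$mode")"
    done
}

# count_labeled: number of stdin lines whose file carries an SELinux context
count_labeled() {
    report_labels | grep -c ' selinux-context$'
}

# On an SELinux host the same information comes straight from the file
# (these commands are not executed by this script):
#   ls -Z filea                            # show the assigned context
#   getfattr -n security.selinux filea     # the xattr that stores it
#   chcon -t <type> filea                  # relabel, as the answer describes
#   restorecon -v filea                    # or reset to the policy default
printf '%s\n' "$SAMPLE_LS" | report_labels
```

Run it as-is to see each constructed file classified; to check a real directory, replace the printf with ls -la on that path. The point the answer makes still holds: the dot goes away only when the label is removed or the file is relabeled, which a permissive-mode policy may or may not permit.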