====== Getting rid of SELinux labels ======

Even though I'm using Fedora, I'm not very fond of <color purple>''SELinux''</color>. I find the policies to be way too complicated to customize, and it seems one just has to cope with the policies made by the distributor, and barely has any chance to adapt them. They even bundle <color red>''setroubleshootd''</color> on Fedora, which will happily ask a desktop applet to pop up and try to explain to the user what <color purple>''SELinux''</color> just blocked. When problems with <color purple>''SELinux''</color> arise, the main solution seems to be "hey, just set it to permissive, and your stuff will work!". Yay. I personally prefer the <color purple>''grsecurity''</color> patches over <color purple>''SELinux''</color>, but that's a whole different discussion anyway.

As you may have guessed by now, one of the first things I do after installing a Fedora system is appending <color purple>''selinux=0''</color> to the kernel command line in my <color green>''/boot/grub/menu.lst''</color>. This way, everything behaves as if <color purple>''SELinux''</color> support was not even compiled into the kernel.

Now, if you have started your system at least once without totally disabling <color purple>''SELinux''</color>, it will have labeled all your files (this is part of the <color purple>''SELinux''</color> process and is needed for it to work). The files have their label stored using the extended attributes feature of ext2/3/4 filesystems. How it works is beyond the scope of this post.

I was looking for a way to get rid of all these labels, as I never have <color purple>''SELinux''</color> enabled and I don't have any reason to keep them on my filesystem. Here's the magic command:

<code console>
# find / -print0 | xargs -r0 setfattr -x security.selinux 2>/dev/null
</code>

I assume here you want to delete all <color purple>''SELinux''</color> labels on your whole filesystem, including all mountpoints (as I did). The ''2>/dev/null'' part is just to avoid polluting the console with messages saying that there's no <color purple>''SELinux''</color> label for files that were not labeled. The command above will just do nothing on those files. Note that the command won't change any file contents, just delete the extended attribute.

And voila, a clean filesystem without <color purple>''SELinux''</color> labels!

~~META:date created=2009-06-16 20:09:00~~
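
An added example (not part of the original post): the same removal of ''security.selinux'' as a Python function that defaults to a dry run, does not follow symlinks, and reports failures instead of discarding them. The function name, the ''one_filesystem'' switch (set it to ''False'' to cross mountpoints as the command above does) and the ''getxattr''/''removexattr'' hooks are assumptions made for this example.

```python
import errno
import os

LABEL = "security.selinux"  # attribute name taken from the page's command


def strip_selinux_labels(root, dry_run=True, one_filesystem=True,
                         getxattr=None, removexattr=None):
    """Return (labelled, failed) for the tree under root.

    labelled: paths that carried the label; failed: (path, errno) pairs.
    getxattr/removexattr are hypothetical hooks so the walk can be tested.
    """
    getxattr = getxattr or os.getxattr          # Linux-only os functions
    removexattr = removexattr or os.removexattr
    root_dev = os.lstat(root).st_dev
    labelled, failed = [], []

    def same_fs(path):
        try:
            return os.lstat(path).st_dev == root_dev
        except OSError:                          # entry vanished mid-walk
            return False

    def visit(path):
        try:
            getxattr(path, LABEL, follow_symlinks=False)
        except OSError as exc:
            # ENODATA: no label here; ENOTSUP: filesystem without xattrs
            if exc.errno not in (errno.ENODATA, errno.ENOTSUP, errno.ENOENT):
                failed.append((path, exc.errno))
            return
        labelled.append(path)
        if not dry_run:
            try:
                removexattr(path, LABEL, follow_symlinks=False)
            except OSError as exc:
                failed.append((path, exc.errno))

    visit(root)
    for dirpath, dirnames, filenames in os.walk(root):
        if one_filesystem:                       # skip other mounts (cf. find -xdev)
            dirnames[:] = [d for d in dirnames
                           if same_fs(os.path.join(dirpath, d))]
        for name in dirnames + filenames:
            visit(os.path.join(dirpath, name))
    return labelled, failed


if __name__ == "__main__":
    found, errors = strip_selinux_labels("/", dry_run=True)
    print(f"{len(found)} labelled entries, {len(errors)} errors")
```

Run it once with ''dry_run=True'' to see how many entries carry a label, then again with ''dry_run=False'' as root to remove them.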

 
blog/getting_rid_of_selinux_labels.txt · Last modified: 08/03/2010 13:25 (external edit)