Even if I’m using Fedora, I’m not very fond of SELinux. I find the policies way too complicated to customize; it seems one just has to cope with the policies made by the distributor, with barely any chance to adapt them. They even bundle setroubleshootd on Fedora, which will happily ask a desktop applet to pop up and try to explain to the user what SELinux just blocked. When problems with SELinux arise, the main solution seems to be “hey, just set it to permissive, and your stuff will work!”. Yay. I personally prefer the grsecurity patches over SELinux, but that’s a whole different discussion anyway.
As you may have guessed by now, one of the first things I do after installing a Fedora system is append selinux=0 to the kernel command line in my /boot/grub/menu.lst. This way, everything behaves as if SELinux support was not even compiled into the kernel.
Now, if you have started your system at least once without totally disabling SELinux, it will have labeled all your files (this is part of the SELinux process and is needed for it to work). The files have their label stored using the extended attributes feature of ext2/3/4 filesystems; how that works is beyond the scope of this post. I was looking for a way to get rid of all these labels, as I never have SELinux enabled and I have no reason to keep them on my filesystem.
Here’s the magic command:

# find / -print0 | xargs -r0 setfattr -x security.selinux 2>/dev/null
I assume here you want to delete all SELinux labels on your whole filesystem, including all mountpoints (as I did). The 2>/dev/null part is just to avoid polluting the console with messages saying there’s no SELinux label on files that were never labeled; the command simply does nothing on those files. Note that the command won’t change any file contents, it just deletes the extended attribute.
And voila, a clean filesystem without SELinux labels!