Even if I’m using Fedora, I’m not very fond of
SELinux. I find the policies to be way too complicated to customize, and it seems one just have to cope with the policies made by the distributor, and barely have any chance to adapt it. They even bundle
setroubleshootd on Fedora, which will happily ask a desktop applet to pop up and try to explain the user what
SELinux did just blocked. When problems with
SELinux arise, the main solution seems to be “hey, just set it to permissive, and your stuff will work!”. Yay. I personally prefer the
grsecurity patches over
SELinux, but that’s a whole different discussion anyway.
As you may have guessed by now, one of the first things I do after installing a Fedora system is appending
selinux=0 to the kernel command line in my
/boot/grub/menu.lst. This way, everything behaves as if
SELinux support was not even compiled into the kernel.
Now, if you have started your system at least once without totally disabling
SELinux, it will have labeled all your files (this is part of the
SELinux process and is needed for it to work). The files have their label stored using the extended attributes feature of ext2/3/4 filesystems. How it works is beyond the scope of this post. I was looking for a way to get rid of all these labels, as I never have
SELinux enabled and I don’t have any reason to keep them on my filesystem.
Here’s the magic command:
1 # find / -print0 | xargs -r0 setfattr -x security.selinux 2>/dev/null
I assume here you want to delete all
SELinux labels on your whole filesystem, including all mountpoints (as I did). The
2>/dev/null part is just to avoid polluting the console with messages telling that there’s no
SELinux label for files that were not labeled. The command above will just do nothing on those files. Note that the command won’t change any file contents, just delete the extended attribute.
And voila, a clean filesystem without