Getting rid of SELinux labels

Getting rid of SELinux labels

Even if I’m using Fedora, I’m not very fond of SELinux. I find the policies to be way too complicated to customize, and it seems one just have to cope with the policies made by the distributor, and barely have any chance to adapt it. They even bundle setroubleshootd on Fedora, which will happily ask a desktop applet to pop up and try to explain the user what SELinux did just blocked. When problems with SELinux arise, the main solution seems to be “hey, just set it to permissive, and your stuff will work!”. Yay. I personally prefer the grsecurity patches over SELinux, but that’s a whole different discussion anyway.

As you may have guessed by now, one of the first things I do after installing a Fedora system is appending selinux=0 to the kernel command line in my /boot/grub/menu.lst. This way, everything behaves as if SELinux support was not even compiled into the kernel.

Now, if you have started your system at least once without totally disabling SELinux, it will have labeled all your files (this is part of the SELinux process and is needed for it to work). The files have their label stored using the extended attributes feature of ext2/3/4 filesystems. How it works is beyond the scope of this post. I was looking for a way to get rid of all these labels, as I never have SELinux enabled and I don’t have any reason to keep them on my filesystem.

Here’s the magic command:

# find / -print0 | xargs -r0 setfattr -x security.selinux 2>/dev/null

I assume here you want to delete all SELinux labels on your whole filesystem, including all mountpoints (as I did). The 2>/dev/null part is just to avoid polluting the console with messages telling that there’s no SELinux label for files that were not labeled. The command above will just do nothing on those files. Note that the command won’t change any file contents, just delete the extended attribute.

And voila, a clean filesystem without SELinux labels!

This post is licensed under CC BY 4.0 by the author.