4

I am trying to make my production environment equivalent to my staging environment. On production, SELinux contexts were applied. If I list the files in a directory, I see the dot at the end of the permission string, like...

drwxrwxr-x.

How can I recursively remove all contexts? I have disabled SELinux at /etc/selinux/config, but when I reboot, the contexts still are visible when I list the files in a directory.

sebasth
  • 14,872

2 Answers

3

SELinux file contexts are stored in filesystem extended attributes and they can be removed with setfattr -x security.selinux [file].

To recursively apply the command you could use find, as setfattr doesn't have a recursive option. For example

find . -type d,f -exec setfattr -x security.selinux {} \;
sebasth
  • 14,872
  • I get this error: "Arguments to -type should contain only one letter". So I tried doing the command with the type set to d, and then did it again with type set to f. This didn't work, though. I still see the dots when I list files. – arnoldbird Feb 13 '20 at 18:54
  • Are you certain SELinux is disabled (requires reboot before change is applied, status can be queried with sestatus)? Are there any special mount options applied? Is it a local filesystem? – sebasth Feb 13 '20 at 19:06
  • The sestatus command shows it's disabled. I don't know if there are any special mount options. It's a remote host. – arnoldbird Feb 13 '20 at 20:10
1

MAKE SURE SELINUX IS DISABLED FIRST

SELINUX 5.4.2. DISABLING SELINUX

When SELinux is disabled

SELinux policy is not loaded at all. It is not enforced and AVC messages are not logged. Therefore, all benefits of running SELinux listed in Section 2.1, “Benefits of running SELinux” are lost.

Important

Red Hat strongly recommends using permissive mode instead of permanently disabling SELinux. See Section 5.4.1.2, “Permissive Mode” for more information about permissive mode. To permanently disable SELinux, follow the procedure below:

Procedure 5.4. Disabling SELinux

Configure SELINUX=disabled in the /etc/selinux/config file:

SELINUX=disabled
SELINUXTYPE=targeted

Reboot your system. After reboot, confirm that the getenforce command returns Disabled:

$ getenforce

Disabled

HOW TO REMOVE SELINUX CONTEXT FROM FILES

The following command will remove the "dots" (will remove the SELinux context). This will remove all the SELinux contexts from all files and directories in /home:

$ find /home -exec sudo setfattr -h -x security.selinux {} \;

BEFORE (“dot” present)

$ ls -lrt / | grep home

drwxr-xr-x. 22 root root 4.0K Sep 9 16:25 /home

AFTER ("dot" removed)

$ ls -lrt / | grep home

drwxr-xr-x 22 root root 4.0K Sep 9 16:26 /home

References

How to Remove SELinux Context from Files.
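The two answers above both boil down to "disable SELinux, reboot, then walk the tree with find and setfattr". The script below is an added example (not code from either answer or from the Red Hat documentation) that puts those steps together with the checks a practitioner would want: it refuses to run unless the system really reports Disabled (the kernel will not let anyone remove security.selinux while SELinux is active, even in permissive mode, which is the likely reason "the dots stay"), it avoids the `-type d,f` syntax that older findutils reject (the error in the comment thread) by using `-o`, it stays on one filesystem with `-xdev` so it does not wander into network or other mounts that may not support the operation, and it counts what is still labelled afterwards. It assumes the setfattr and getfattr tools from the attr package and, for the real run, root privileges, since security.* attributes need CAP_SYS_ADMIN to change. The directory path and the getenforce strings are the only inputs; nothing else is taken from the page.

```shell
#!/bin/sh
# Added example: recursively strip SELinux labels, but only when SELinux is off.
# Not the answers' own code; assumes findutils plus setfattr/getfattr (attr package).

# Return 0 only when the given getenforce output means SELinux is disabled.
# Enforcing and Permissive both keep the label-removal hook active in the kernel,
# so anything other than Disabled would make every setfattr call fail.
selinux_is_off() {
    case "$1" in
        Disabled) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the find command line used by strip_labels, for a dry run or review.
# "-o" replaces the "-type d,f" form (rejected by older findutils), "-type l" is
# included because symlinks carry their own label, "-h" keeps setfattr from
# following them, and "{} +" hands many paths to each setfattr invocation.
strip_labels_cmd() {
    printf 'find %s -xdev \\( -type f -o -type d -o -type l \\) -exec setfattr -h -x security.selinux {} +\n' "$1"
}

# Remove security.selinux from everything under $1 on the same filesystem.
# Must run as root: changing security.* attributes requires CAP_SYS_ADMIN.
strip_labels() {
    dir=$1
    if command -v getenforce >/dev/null 2>&1; then
        state=$(getenforce)
    elif [ -e /sys/fs/selinux/enforce ]; then
        state=Enabled      # selinuxfs is populated, so the kernel still has SELinux active
    else
        state=Disabled     # no SELinux userspace and no selinuxfs: nothing is enforcing labels
    fi
    if ! selinux_is_off "$state"; then
        echo "refusing: SELinux state is '$state'; set SELINUX=disabled in /etc/selinux/config and reboot first" >&2
        return 1
    fi
    find "$dir" -xdev \( -type f -o -type d -o -type l \) \
        -exec setfattr -h -x security.selinux {} +
}

# Count entries under $1 that still carry a security.selinux attribute, so the
# result can be verified instead of eyeballing the trailing dot in ls -l output.
labeled_count() {
    getfattr -R -h -n security.selinux --absolute-names "$1" 2>/dev/null \
        | grep -c '^# file:' || true
}

# Usage: strip_labels.sh /home   (prints the command, runs it, then reports leftovers)
if [ $# -gt 0 ]; then
    strip_labels_cmd "$1"
    strip_labels "$1" && echo "still labelled under $1: $(labeled_count "$1")"
fi
```

If SELinux is ever switched back on after this, every file it touched is unlabelled and must be relabelled before the system is usable under policy; creating /.autorelabel before the reboot (or running restorecon -R on the affected tree) does that. Keeping SELinux in permissive mode, as the Red Hat text quoted above recommends, avoids the whole problem because labels stay in place and nothing is denied.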