Selinux Disabled -still having dot at the end of file permission
Linux - Newbie
This Linux forum is for members that are new to Linux.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
But I don't see the dot on other servers, i.e., CentOS 5.8.
Is the dot common for CentOS 6.4? Can you please explain if possible.
Somewhere ls was updated to allow you to find out if an ACL is or is not applied to the file. It has been present ever since.
I've always seen it - just never worried about it unless it had a "+" (some root filesystems that get restored will pick up an ACL where it shouldn't... normally matching the original group permissions, but applications just check for whether an ACL exists or not, and don't bother checking the ACLs when present).
I believe the "." is common since CentOS 6, but I'm not sure when the change took effect. I've always run with SELinux enabled, and ACL supported. It just adds one more layer of security to protect the system from accidents. SELinux protects against errors in services by providing a compartmentalization that isolates a service from doing damage.
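As an added illustration of the point made above (this is example code, not something posted in the thread), the script below classifies the trailing character of the mode field in `ls -l` output: a "." means the file carries a security (SELinux/MAC) context, a "+" means it has an extended ACL, and a blank means neither. The listing lines are constructed samples, not output from a real host; the filename extraction assumes names without spaces.

```shell
#!/bin/sh
# Added example: interpret the 11th character of the mode field in `ls -l` output.
# GNU ls prints "." when a file has a security context and no ACL, and "+" when
# an ACL is present (an ACL takes precedence over the "." marker).

# Print one word for the trailing mode character of a single `ls -l` line:
#   selinux  -> "."  (security context present)
#   acl      -> "+"  (extended ACL present, context may also be present)
#   plain    -> neither marker
mode_flag() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    case "$mode" in
        *+) echo acl ;;
        *.) echo selinux ;;
        *)  echo plain ;;
    esac
}

# Constructed sample of `ls -l` output (not captured from a real system)
SAMPLE='-rw-r--r--. 1 root root  1234 Jun  1 10:00 index.html
-rw-rw-r--+ 1 root root   512 Jun  1 10:00 shared.txt
-rwxr-xr-x  1 root root  4096 Jun  1 10:00 plain.sh
drwxr-xr-x. 2 root root  4096 Jun  1 10:00 cgi-bin'

# Read `ls -l` lines on stdin and print "<flag> <name>" per entry.
# Real use: ls -l /var/www/html | list_flags   (assumes filenames without spaces)
list_flags() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        case "$line" in total*) continue ;; esac   # skip the "total N" header
        name=$(printf '%s\n' "$line" | awk '{print $NF}')
        printf '%s %s\n' "$(mode_flag "$line")" "$name"
    done
}

# Count entries on stdin that carry a security context but no ACL
count_with_context() {
    list_flags | grep -c '^selinux '
}

# Stand-alone demo over the constructed sample
printf '%s\n' "$SAMPLE" | list_flags
```

To see the actual context behind the ".", use `ls -Z` on the same files; to see the ACL behind a "+", use `getfacl`.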
SELinux is always the first thing to go on a Linux System, as it's the one thing that causes more issues than it solves.
Is there a way to NOT install it?
I have the dots on the filesystem as well as the poster did.
My problem is that even though I have SELinux Disabled, which used to be very easy through SETUP, it's currently not working right. The file system has the dots and there are issues when trying to access things such as the Web Server on the system, because the system was installed when SELinux was installed, so they all have it active.
I have taken advice and removed and put back on the filesystem directories for the folder that contains the documents for the server, but it's not able to show them. And the only thing that it comes back to is SELinux. The worst thing to EVER be developed.
It's something that isn't needed in a server, and should not be there. It shouldn't even be on a Desktop System UNLESS it's an End User, mainly one that just got off Windows and is starting on Unix for their new system, so that they can't break the system. But as long as they don't run as root, they should have no issue anyway. So SELinux is just horrid.
How do I get rid of it and everything about it from my machine so that I can actually access MY files, and allow the apache server to access its files properly and read everything correctly?
It is there to contain hacking breaches - even if the root account is breached.
The period is there because it is part of ls, and the filesystem supports MAC labels.
SELinux does not prevent you from accessing YOUR files. It is to prevent others from doing so.
Apache, running under SELinux, runs in a compartment defined and enforced by the MAC labels. If someone hacks apache, they will be prevented from accessing any file that is not within the apache compartment - so, no password files can be obtained, even if the hack achieves a root escalation. No user files can be obtained.
Now if you would read documentation on apache and SELinux, then you would know that there are some security labels the user can use to identify which files may be accessed.
1. There is a set of control flags (obtained from "getsebool -a | grep httpd") that allow various access. Normally all of these are off.
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_verify_dns --> off
Note the "httpd_enable_homedirs --> off" - this prevents apache from accessing home directories. Enable it if you want apache to be able to reach the users public directory. This does not permit apache to read data - just search for the directory. To access the directory the OWNER gets to permit it - using one of "httpd_user_content_t" (which permits read only access) or "httpd_user_rw_content_t" (which permits read write access). NO OTHER FILES CAN BE ACCESSED.
The public directory must have "httpd_user_content_t", as does any file within the directory if it is to be read. Any file created in the directory (not put there via "mv" unless mv copies it) must also have that label type. Any file (or directory if apache is to create the files) that is to be writable by apache must have the "httpd_user_rw_content_t" type. This prevents a hacked apache from writing files just anywhere...such as your .profile/.login/.cshrc/... files.
Files that belong to apache directly must have one of "httpd_sys_script_exec_t" (for read only access to CGI files), "httpd_sys_content_t" (read only files), "httpd_sys_rw_content_t" (writable files/directories).
Those labels effectively block hacks from changing your data (when read only), or from damaging files apache is not explicitly permitted to write.
These are mandatory labels that allow the system manager to control users from giving out files that they are not permitted to expose.
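The labeling rules and boolean list above can be checked mechanically. The script below is an added example (not code posted in the thread, and not an SELinux project tool): it reports files under a web root whose SELinux type is not one of the httpd content types named above, and lists which httpd booleans are switched on. Both inputs are constructed samples in the CentOS 6 `ls -Z` and `getsebool -a` output format; on a real host, pipe in `ls -Z /var/www/html` and `getsebool -a | grep httpd` instead. The allowed-type list is taken from the reply above; filenames are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: audit httpd file labels and httpd booleans from `ls -Z` and
# `getsebool` style output. Sample inputs are constructed, not from a real host.

# Types apache may read, write or execute, per the reply above; anything else is reported.
ALLOWED_TYPES='httpd_sys_content_t httpd_sys_rw_content_t httpd_sys_script_exec_t httpd_user_content_t httpd_user_rw_content_t'

# Constructed `ls -Z` sample: notes.html was copied in from a home directory
# with `cp`, so it kept a type apache is not permitted to read.
LSZ_SAMPLE='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 uploads
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 hello.cgi
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 notes.html'

# Extract the SELinux type (third field of user:role:type:level) from the
# column of an `ls -Z` line that contains the context.
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:object_r:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# Read `ls -Z` lines on stdin; print "<name> <type>" for every entry whose
# type is not in ALLOWED_TYPES.
mislabeled() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        t=$(context_type "$line")
        [ -z "$t" ] && continue            # header or unlabeled line
        name=$(printf '%s\n' "$line" | awk '{print $NF}')
        case " $ALLOWED_TYPES " in
            *" $t "*) ;;                   # permitted httpd type
            *) printf '%s %s\n' "$name" "$t" ;;
        esac
    done
}

# Constructed `getsebool -a | grep httpd` sample (a subset of the list above)
BOOL_SAMPLE='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_read_user_content --> off'

# Read getsebool lines on stdin; print the names of booleans that are on.
# Each enabled boolean widens what a compromised apache process can reach.
enabled_bools() {
    awk '$3 == "on" { print $1 }'
}

# Stand-alone demo over the constructed samples
echo "Files with a non-httpd type:"
printf '%s\n' "$LSZ_SAMPLE" | mislabeled
echo "httpd booleans currently on:"
printf '%s\n' "$BOOL_SAMPLE" | enabled_bools
```

A file the audit reports can be relabeled to the policy default with `restorecon -v <file>`, or given an explicit type with `chcon -t httpd_sys_content_t <file>`; the `chcon` change does not survive a full relabel, so a permanent rule for a non-default document root is recorded with `semanage fcontext` before running `restorecon -R`. Compare the enabled booleans against the list in the reply above before turning any more of them on.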
This only shows that you don't know what you're doing.
Please don't spread the fact that you're unknowledgeable amongst other users.
And truly welcome to LQ.
Firstly we aim to be a polite forum. Yes, it clearly does happen that people can be terse, harsh, and critical; however it's probably not best to start out exactly in this manner. The correct thing to do is to not rise to the occasion of someone else's poorly worded post or response and instead use the Report button shown on the forums.
I try to remind many that it may take 24 hours or longer for moderators to look at complaints or to get online to check the status of the forums which they look after. Weekends it clearly may take longer, and near holidays, the same result. Either case, I've seen instances such as a few users choosing to argue with each other in a thread and it continues un-watched for some lengthy period of days. The end result is that eventually one or more moderators or Jeremy will have to intervene and if people have gotten really out of hand, you end up having people get banned.
We are most definitely not this type of forum where we downvote posts or look to attack people, but instead wish to be helpful for Linux users.
Please also note that when replying to threads where there has been no activity for greater than 6 months, you are required to click again to verify that you wish to resurrect a very old thread. Usually it is not beneficial to do this, the original poster may have long since moved away from their question. A better choice if you have a similar question and not a critical comment, would be to link to the older thread with an updated question of your own. And I see that DRWhite had also done the same thing, the thread was inactive for about 9 months when they added their question. This is common, many of us have replied to old threads not realizing the non-relevance, so no harm.
On the right side of the LQ forum are various links discussing how LQ works and the rules of the forums. And if you have any questions which you feel you can't find answers to using the website, you can use the Contact Us link at the bottom of the page.