LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 01-08-2014, 09:38 AM   #1
ravi_nandula
Member
 
Registered: Sep 2011
Posts: 81

Rep: Reputation: Disabled
SELinux Disabled - still having dot at the end of file permission


Hi Team,

I have a CentOS 6.4 server. I have disabled SELinux.
Even after disabling SELinux I can see a dot at the end of the file permissions.

Usually a dot at the end of the file permissions is for SELinux security.

I am not able to figure out how I can get that dot removed from the file permissions.

Thanks in advance
 
Old 01-08-2014, 09:53 AM   #2
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,711

Rep: Reputation: 1279
You always will.

The "." just tells you there is no ACL applied to the file/directory. With an ACL entry the "." is replaced by a "+".

And you can't really remove it unless you pipe the output through a filter to remove it...

Last edited by jpollard; 01-08-2014 at 09:57 AM.
 
Old 01-08-2014, 09:55 AM   #3
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2390
The dot will be visible, even if SELinux is disabled (for files that were already created).

After disabling SELinux you will not see these dots for newly created files.
 
Old 01-08-2014, 09:56 AM   #4
ravi_nandula
Member
 
Registered: Sep 2011
Posts: 81

Original Poster
Rep: Reputation: Disabled
Quote: Originally Posted by jpollard
You always will.

The "." just tells you there is no ACL applied to the file/directory. With an ACL entry the "." is replaced by a "+".
Thanks for prompt response.

But I don't see the dot on other servers, i.e. CentOS 5.8.

Is the dot common for CentOS 6.4? Can you please explain if possible.
 
Old 01-08-2014, 09:59 AM   #5
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,711

Rep: Reputation: 1279
Quote: Originally Posted by ravi_nandula
Thanks for prompt response.

But I don't see the dot on other servers, i.e. CentOS 5.8.

Is the dot common for CentOS 6.4? Can you please explain if possible.
Somewhere ls was updated to allow you to find out if an ACL is or is not applied to the file. It has been present ever since.

I've always seen it - just never worried about it unless it had a "+" (some root filesystems that get restored will pick up an ACL where it shouldn't... normally matching the original group permissions, but applications just check for whether an ACL exists or not, and don't bother checking the ACLs when present).

I believe the "." is common since CentOS 6, but I'm not sure when the change took effect. I've always run with SELinux enabled, and ACL supported. It just adds one more layer of security to protect the system from accidents. SELinux protects against errors in services by providing a compartmentalization that isolates a service from doing damage.

Last edited by jpollard; 01-08-2014 at 10:13 AM.
 
Old 01-08-2014, 10:04 AM   #6
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2390
Just to make sure:

A dot signifies SELinux and a + signifies ACL. One has nothing to do with the other.
 
Old 01-08-2014, 10:09 AM   #7
ravi_nandula
Member
 
Registered: Sep 2011
Posts: 81

Original Poster
Rep: Reputation: Disabled
Quote: Originally Posted by jpollard
Somewhere ls was updated to allow you to find out if an ACL is or is not applied to the file. It has been present ever since.
How can I disable/set the ls output so that it will not show whether an ACL is or is not applied?
 
Old 01-08-2014, 10:34 AM   #8
ravi_nandula
Member
 
Registered: Sep 2011
Posts: 81

Original Poster
Rep: Reputation: Disabled
I got it. By running the below in every filesystem it removed the access list with SELinux:
Code:
find . -print0 | xargs -0 -n 1 sudo setfattr -h -x security.selinux
 
Old 01-08-2014, 03:40 PM   #9
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,711

Rep: Reputation: 1279
You realize the first update will just put it back.

Why do you need it removed, anyway?
 
Old 10-22-2014, 08:22 PM   #10
DRWhite
LQ Newbie
 
Registered: Oct 2014
Posts: 6

Rep: Reputation: Disabled
disabling

Hi folks,

SELinux is always the first thing to go on a Linux System, as it's the one thing that causes more issues than it solves.
Is there a way to NOT install it?

I have the dots on the filesystem as well as the poster did.
My problem is that even though I have SELinux Disabled, which used to be very easy through SETUP, it's currently not working right. The file system has the dots and there are issues when trying to access things such as the Web Server on the system, because the system was installed when SELinux was installed, so they all have it active.

I have taken advice and removed and put back on the filesystem directories for the folder that contains the documents for the server, but it's not able to show them. And the only thing that it comes back to is SELinux. The worst thing to EVER be developed.

It's something that isn't needed in a server, and should not be there. It shouldn't even be on a Desktop System UNLESS it's an End User, mainly one that just got off Windows and starting on Unix for their new system. So that they can't break the system. But as long as they don't run as root, they should have no issue anyway. So SELinux is just horrid.

How do I get rid of it and everything about it from my machine so that I can actually access MY files? And allow the apache server to access its files properly and read everything correctly?
 
Old 10-23-2014, 07:07 AM   #11
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,711

Rep: Reputation: 1279
It is needed on servers AND on workstations.

It is there to contain hacking breaches - even if the root account is breached.

The period is there because it is part of ls, and the filesystem supports MAC labels.

SELinux does not prevent you from accessing YOUR files. It is to prevent others from doing so.

For apache, running under SELinux, is running in a compartment defined and enforced by the MAC labels. If someone hacks apache, they will be prevented from accessing any file that is not within the apache compartment - so, no password files can be obtained, even if the hack achieves a root escalation. No user files can be obtained.

Now if you would read documentation on apache and SELinux, then you would know that there are some security labels the user can use to identify which files may be accessed.

1. There is a set of control flags (obtained from "getsebool -a | grep httpd") that allow various access. Normally all of these are off.
Code:
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_verify_dns --> off
Note the "httpd_enable_homedirs --> off" - this prevents apache from accessing home directories. Enable it if you want apache to be able to reach the users public directory. This does not permit apache to read data - just search for the directory. To access the directory the OWNER gets to permit it - using one of "httpd_user_content_t" (which permits read only access) or "httpd_user_rw_content_t" (which permits read write access). NO OTHER FILES CAN BE ACCESSED.

The public directory must have "httpd_user_content_t", as does any file within the directory if it is to be read. Any file created in the directory (not put there via "mv" unless mv copies it) must also have that label type. Any file (or directory if apache is to create the files) that is to be writable by apache must have the "httpd_user_rw_content_t" type. This prevents a hacked apache from writing files just anywhere...such as your .profile/.login/.cshrc/... files.

Files that belong to apache directly must have one of "httpd_sys_script_exec_t" (for read only access to CGI files), "httpd_sys_content_t" (read only files), "httpd_sys_rw_content_t" (writable files/directories).

Those labels effectively block hacks from changing your data (when read only), or from damaging files apache is not explicitly permitted to write.

These are mandatory labels that allow the system manager to control users from giving out files that they are not permitted to expose.
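As an added example (not from the thread or from any poster): a POSIX shell audit that compares the output of "getsebool -a | grep httpd" against a baseline like the one jpollard lists above and prints the setsebool -P command that would restore each boolean that has drifted. The sample input is constructed from the values in the post; the baseline and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits httpd SELinux booleans
# against a baseline and emits remediation commands for any drift.

# Constructed sample in the format printed by "getsebool -a | grep httpd".
# In practice pipe the live output instead:
#   getsebool -a | grep httpd | audit_httpd_booleans
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_tty_comm --> on'

# Assumed baseline: "name state" entries separated by ";".
# Any boolean not listed here is expected to be off.
BASELINE='httpd_builtin_scripting on;httpd_enable_cgi on'

# Reads getsebool output on stdin and prints one line per drifted boolean:
#   <name> <actual> <expected>
audit_httpd_booleans() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, entries, ";")
            for (i = 1; i <= n; i++) {
                split(entries[i], kv, " ")
                expected[kv[1]] = kv[2]
            }
        }
        NF == 3 && $2 == "-->" {
            want = ($1 in expected) ? expected[$1] : "off"
            if ($3 != want) print $1, $3, want
        }'
}

# Turns audit lines into persistent (-P) setsebool commands to run as root.
remediation_commands() {
    awk '{ print "setsebool -P " $1 " " $3 }'
}

# Runs the audit over the constructed sample.
drifted_from_sample() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_httpd_booleans
}

drifted_from_sample
drifted_from_sample | remediation_commands
```

With the sample above only httpd_tty_comm is reported, because it is on while the baseline expects it off.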
 
Old 02-21-2017, 07:35 AM   #12
oopbraak
LQ Newbie
 
Registered: Feb 2017
Posts: 2

Rep: Reputation: Disabled
Quote: Originally Posted by DRWhite
Hi folks,

SELinux is always the first thing to go on a Linux System, as it's the one thing that causes more issues than it solves.
This only shows that you don't know what you're doing.

Please don't spread the fact that you're unknowledgeable amongst other users.
 
Old 02-21-2017, 07:59 AM   #13
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
Quote: Originally Posted by oopbraak
This only shows that you don't know what you're doing.

Please don't spread the fact that you're unknowledgeable amongst other users.
showing people that you don't know what you're doing... like necroing a 2+ year old thread...
 
Old 02-21-2017, 08:09 AM   #14
rtmistler
Moderator
 
Registered: Mar 2011
Location: Sutton, MA. USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu
Posts: 5,831
Blog Entries: 12

Rep: Reputation: 2009
Quote: Originally Posted by oopbraak
This only shows that you don't know what you're doing.

Please don't spread the fact that you're unknowledgeable amongst other users.
Hi oopbraak,

And truly welcome to LQ.

Firstly we aim to be a polite forum. Yes, it clearly does happen that people can be terse, harsh, and critical; however it's probably not best to start out exactly in this manner. The correct thing to do is to not rise to the occasion of someone else's poorly worded post or response and instead use the Report button shown on the forums.

I try to remind many that it may take 24 hours or longer for moderators to look at complaints or to get online to check the status of the forums which they look after. Weekends it clearly may take longer, and near holidays, the same result. Either case, I've seen instances such as a few users choosing to argue with each other in a thread and it continues un-watched for some lengthy period of days. The end result is that eventually one or more moderators or Jeremy will have to intervene and if people have gotten really out of hand, you end up having people get banned.

We are most definitely not this type of forum where we downvote posts or look to attack people, but instead wish to be helpful for Linux users.

Please also note that when replying to threads where there has been no activity for greater than 6 months, you are required to click again to verify that you wish to resurrect a very old thread. Usually it is not beneficial to do this, the original poster may have long since moved away from their question. A better choice if you have a similar question and not a critical comment, would be to link to the older thread with an updated question of your own. And I see that DRWhite had also done the same thing, the thread was inactive for about 9 months when they added their question. This is common, many of us have replied to old threads not realizing the non-relevance, so no harm.

On the right side of the LQ forum are various links discussing how LQ works, the rules of the forums. And if you have any questions which you feel you can't find answers to using the website, you can use the Contact Us link at the bottom of the page.

Best Regards,

- RT

Last edited by rtmistler; 02-21-2017 at 08:14 AM.
 
Old 02-21-2017, 08:19 AM   #15
oopbraak
LQ Newbie
 
Registered: Feb 2017
Posts: 2

Rep: Reputation: Disabled
Quote: Originally Posted by r3sistance
showing people that you don't know what you're doing... like necroing a 2+ year old thread...
Wow, you are even worse than me! :-D

Edit: I didn't mean you RT.

Last edited by oopbraak; 02-21-2017 at 08:23 AM.
 