This post shows how to remove dot permission in linux. You may have been annoyed by the trailing “dot” after the permission bits in RHEL or any other linux distro. These are basically SELinux permissions left over after disabling SELinux: the SELinux context remains associated with files regardless of whether SELinux is disabled.
Sample output of trailing dot.
# ls -ld /var/EPM
drwxr-xr-x. 4 sales users 12288 Nov 17 02:37 /var/EPM
Make sure SELinux is disabled before removing dot permissions in linux. You can refer to How to disable SELinux in Linux.
You can use the getenforce command or the sestatus command to get the current SELinux status.
# getenforce
Disabled
# sestatus
Disabled
How to remove selinux file permissions in linux
Let us look at a few samples that show the SELinux permissions issue.
# ls -alt /etc/rc.d/
drwxr-xr-x. 131 root root 12288 Nov 17 02:30 ..
drwxr-xr-x. 2 root root 4096 Nov 16 14:14 rc2.d
drwxr-xr-x. 2 root root 4096 Nov 16 14:14 rc3.d
drwxr-xr-x. 2 root root 4096 Nov 16 14:14 rc4.d
drwxr-xr-x. 2 root root 4096 Nov 16 14:14 rc5.d
drwxr-xr-x. 2 root root 4096 Oct 27 01:29 init.d
drwxr-xr-x. 2 root root 4096 Oct 22 23:31 rc1.d
-rw-r--r--. 1 root root 473 Feb 18 2020 rc.local
drwxr-xr-x. 10 root root 4096 Mar 29 2019 .
drwxr-xr-x. 2 root root 4096 Mar 29 2019 rc0.d
drwxr-xr-x. 2 root root 4096 Mar 29 2019 rc6.d
Another sample command shows the context by adding the Z option to the listing command.
# ls -Z /etc/rc.d/
drwxr-xr-x. root root system_u:object_r:etc_t:s0 init.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0 rc0.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0 rc1.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0 rc2.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0 rc3.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0 rc4.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0 rc5.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0 rc6.d
-rw-r--r--. root root system_u:object_r:initrc_exec_t:s0 rc.local
Another option to see the SELinux context is below.
# ls --lcontext /etc/rc.d/
drwxr-xr-x. 2 system_u:object_r:etc_t:s0 root root 4096 Oct 27 01:29 init.d
drwxr-xr-x. 2 system_u:object_r:etc_t:s0 root root 4096 Mar 29 2019 rc0.d
drwxr-xr-x. 2 system_u:object_r:etc_t:s0 root root 4096 Oct 22 23:31 rc1.d
drwxr-xr-x. 2 system_u:object_r:etc_t:s0 root root 4096 Nov 16 14:14 rc2.d
drwxr-xr-x. 2 system_u:object_r:etc_t:s0 root root 4096 Nov 16 14:14 rc3.d
drwxr-xr-x. 2 system_u:object_r:etc_t:s0 root root 4096 Nov 16 14:14 rc4.d
drwxr-xr-x. 2 system_u:object_r:etc_t:s0 root root 4096 Nov 16 14:14 rc5.d
drwxr-xr-x. 2 system_u:object_r:etc_t:s0 root root 4096 Mar 29 2019 rc6.d
-rw-r--r--. 1 system_u:object_r:initrc_exec_t:s0 root root 473 Feb 18 2020 rc.local
In all the output above you can see that each file and folder has a trailing dot. The lifesaver here is the setfattr command, which is used for setting extended attributes of file system objects in linux.
setfattr command in linux
For reference, here is the setfattr command man page. We will see its usage to solve our trailing dot selinux permissions on file system objects.
# man setfattr
SETFATTR(1)                File Utilities                SETFATTR(1)

NAME
       setfattr - set extended attributes of filesystem objects

SYNOPSIS
       setfattr [-h] -n name [-v value] pathname...
       setfattr [-h] -x name pathname...
       setfattr [-h] --restore=file

DESCRIPTION
       The setfattr command associates a new value with an extended attribute name for each specified file.

OPTIONS
       -n name, --name=name
           Specifies the name of the extended attribute to set.

       -v value, --value=value
           Specifies the new value of the extended attribute. There are three methods available for encoding the value. If the given string is enclosed in double quotes, the inner string is treated as text. In that case, backslashes and double quotes have special meanings and need to be escaped by a preceding backslash. Any control characters can be encoded as a backslash followed by three digits as its ASCII code in octal. If the given string begins with 0x or 0X, it expresses a hexadecimal number. If the given string begins with 0s or 0S, base64 encoding is expected. See also the --encoding option of getfattr(1).

       -x name, --remove=name
           Remove the named extended attribute entirely.

       -h, --no-dereference
           Do not follow symlinks. If pathname is a symbolic link, it is not followed, but is instead itself the inode being modified.

       --restore=file
           Restores extended attributes from file. The file must be in the format generated by the getfattr command with the --dump option. If a dash (-) is given as the file name, setfattr reads from standard input.

       --version
           Print the version of setfattr and exit.

       --help
           Print help explaining the command line options.

       --  End of command line options. All remaining parameters are interpreted as file names, even if they begin with a dash character.
So now let us see how to remove SELinux permissions with some examples.
# setfattr -h -x security.selinux /var/EPM
# ls -ld /var/EPM
drwxr-xr-x 4 sales users 12288 Nov 17 02:37 /var/EPM
The trailing dot in the permissions is now gone. This is what this post on how to remove dot permission in linux set out to resolve.
You can find files with trailing dot permissions using the find command and use setfattr to remove the selinux file permissions as the root user. Either of the following works.
# find /path -print0 | xargs -0 -n 1 setfattr -h -x security.selinux
# find /path -exec setfattr -h -x security.selinux {} \;
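The procedure above as one guarded script, added here as an example and not part of the original post: it refuses to run unless getenforce reports Disabled, saves the existing labels with getfattr in the format that setfattr --restore reads, then removes security.selinux. The GETENFORCE override, the dry-run argument, and the function and file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. GETENFORCE is a hypothetical
# override for the status command; the "dry-run" argument is also ours.

# True only when the status command prints exactly "Disabled".
selinux_is_disabled() {
    [ "$("${GETENFORCE:-getenforce}" 2>/dev/null)" = "Disabled" ]
}

# Save current labels in getfattr dump format, which setfattr --restore reads.
backup_labels() {   # usage: backup_labels TREE BACKUP_FILE
    getfattr -R -h -P --absolute-names -d -m '^security\.selinux$' "$1" > "$2"
}

# Remove the attribute from TREE without following symlinks (-h) or leaving
# the filesystem TREE lives on (-xdev). In dry-run mode only print the calls.
strip_labels() {    # usage: strip_labels TREE [dry-run]
    if [ "${2:-}" = "dry-run" ]; then
        find "$1" -xdev -exec printf 'setfattr -h -x security.selinux -- %s\n' {} +
    else
        # A non-zero exit here usually means some files had no label to remove.
        find "$1" -xdev -exec setfattr -h -x security.selinux -- {} +
    fi
}

remove_selinux_labels() {   # usage: remove_selinux_labels TREE BACKUP_FILE [dry-run]
    if ! selinux_is_disabled; then
        echo "SELinux is not reported as Disabled; refusing to strip labels" >&2
        return 1
    fi
    if [ "${3:-}" != "dry-run" ]; then
        backup_labels "$1" "$2" || return 1
    fi
    strip_labels "$1" "${3:-}"
}

# Entry point, e.g.: sh strip-labels.sh /var/EPM /root/EPM.labels dry-run
[ "$#" -eq 0 ] || remove_selinux_labels "$@"
```

If SELinux is enabled again later, the stripped files have no label; put the saved ones back with setfattr --restore=BACKUP_FILE or relabel the filesystem.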
That covers how to remove dot permissions in linux, how to remove selinux file permissions in linux, and the details of the setfattr command in linux.
I hope you will find it helpful in a crunch situation.