How to remove dot permission in Linux

This post shows how to remove the trailing dot from file permissions in Linux. You may have been annoyed by the trailing “dot” after the permission string in RHEL or other Linux distributions. These are basically SELinux permissions left over after disabling SELinux: the SELinux context remains associated with files even when SELinux is disabled.

Sample output showing the trailing dot:

# ls -ld  /var/EPM
drwxr-xr-x. 4 sales users 12288 Nov 17 02:37 /var/EPM

Make sure SELinux is disabled before removing the dot permissions. You can refer to How to disable SELinux in Linux.

You can use the getenforce command or the sestatus command to get the current SELinux status.

# getenforce
Disabled
# sestatus
Disabled

How to remove SELinux file permissions in Linux

Let us review a few samples to look at the SELinux permissions issue.

# ls -alt /etc/rc.d/
drwxr-xr-x. 131 root root 12288 Nov 17 02:30 ..
drwxr-xr-x.   2 root root  4096 Nov 16 14:14 rc2.d
drwxr-xr-x.   2 root root  4096 Nov 16 14:14 rc3.d
drwxr-xr-x.   2 root root  4096 Nov 16 14:14 rc4.d
drwxr-xr-x.   2 root root  4096 Nov 16 14:14 rc5.d
drwxr-xr-x.   2 root root  4096 Oct 27 01:29 init.d
drwxr-xr-x.   2 root root  4096 Oct 22 23:31 rc1.d
-rw-r--r--.   1 root root   473 Feb 18  2020 rc.local
drwxr-xr-x.  10 root root  4096 Mar 29  2019 .
drwxr-xr-x.   2 root root  4096 Mar 29  2019 rc0.d
drwxr-xr-x.   2 root root  4096 Mar 29  2019 rc6.d

Another sample command to see context using the Z option with the listing command.

# ls -Z  /etc/rc.d/
drwxr-xr-x. root root system_u:object_r:etc_t:s0       init.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0       rc0.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0       rc1.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0       rc2.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0       rc3.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0       rc4.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0       rc5.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0       rc6.d
-rw-r--r--. root root system_u:object_r:initrc_exec_t:s0 rc.local

Another option to see the SELinux context is below.

# ls --lcontext /etc/rc.d/
drwxr-xr-x. 2 system_u:object_r:etc_t:s0 root root 4096 Oct 27 01:29 init.d
drwxr-xr-x. 2 system_u:object_r:etc_t:s0 root root 4096 Mar 29  2019 rc0.d
drwxr-xr-x. 2 system_u:object_r:etc_t:s0 root root 4096 Oct 22 23:31 rc1.d
drwxr-xr-x. 2 system_u:object_r:etc_t:s0 root root 4096 Nov 16 14:14 rc2.d
drwxr-xr-x. 2 system_u:object_r:etc_t:s0 root root 4096 Nov 16 14:14 rc3.d
drwxr-xr-x. 2 system_u:object_r:etc_t:s0 root root 4096 Nov 16 14:14 rc4.d
drwxr-xr-x. 2 system_u:object_r:etc_t:s0 root root 4096 Nov 16 14:14 rc5.d
drwxr-xr-x. 2 system_u:object_r:etc_t:s0 root root 4096 Mar 29  2019 rc6.d
-rw-r--r--. 1 system_u:object_r:initrc_exec_t:s0 root root 473 Feb 18 2020 rc.local

In all the output above you can see that each file and folder has a trailing dot. The lifesaver here is the setfattr command, which sets extended attributes of file system objects in Linux.

setfattr command in Linux

For reference, here is the setfattr man page. We will see its usage to solve our trailing dot SELinux permissions on file system objects.

# man setfattr
SETFATTR(1)                  File Utilities                  SETFATTR(1)
NAME
       setfattr - set extended attributes of filesystem objects
SYNOPSIS
       setfattr [-h] -n name [-v value] pathname...
       setfattr [-h] -x name pathname...
       setfattr [-h] --restore=file
DESCRIPTION
       The setfattr command associates a new value with an extended
       attribute name for each specified file.
OPTIONS
       -n name, --name=name
           Specifies the name of the extended attribute to set.
       -v value, --value=value
           Specifies the new value of the extended attribute. There are
           three methods available for encoding the value. If the given
           string is enclosed in double quotes, the inner string is
           treated as text. In that case, backslashes and double quotes
           have special meanings and need to be escaped by a preceding
           backslash. Any control characters can be encoded as a
           backslash followed by three digits as its ASCII code in
           octal. If the given string begins with 0x or 0X, it expresses
           a hexadecimal number. If the given string begins with 0s or
           0S, base64 encoding is expected. See also the --encoding
           option of getfattr(1).
       -x name, --remove=name
           Remove the named extended attribute entirely.
       -h, --no-dereference
           Do not follow symlinks. If pathname is a symbolic link, it is
           not followed, but is instead itself the inode being modified.
       --restore=file
           Restores extended attributes from file. The file must be in
           the format generated by the getfattr command with the --dump
           option. If a dash (-) is given as the file name, setfattr
           reads from standard input.
       --version
           Print the version of setfattr and exit.
       --help
           Print help explaining the command line options.
       --  End of command line options. All remaining parameters are
           interpreted as file names, even if they start with a dash
           character.

Now let us see how to remove the SELinux permissions with some examples.

# setfattr -h -x security.selinux  /var/EPM
# ls -ld /var/EPM
drwxr-xr-x 4 sales users 12288 Nov 17 02:37 /var/EPM

The trailing dot is now gone, which is what this post set out to do.

You can walk a directory tree with the find command and use setfattr to remove the SELinux file permissions as the root user.

# find /path -print0 | xargs -0 -n 1 setfattr -h -x security.selinux
# find /path -exec setfattr -h -x security.selinux {} \;
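
An added example (not from the original article) that wraps the find/setfattr removal above in a getenforce check and first dumps the existing labels with getfattr, in the format setfattr --restore reads. The function names and the backup file argument are assumptions.

```shell
#!/bin/sh
# Added example: guarded, reversible removal of security.selinux labels.
# Function names and the backup file argument are assumptions.

# True only when getenforce itself reports "Disabled".
selinux_is_disabled() {
    [ "$(getenforce 2>/dev/null)" = "Disabled" ]
}

# True when an ls -l mode field carries the trailing dot (11th character).
has_label_dot() {
    case "$1" in
        ??????????.) return 0 ;;
        *)           return 1 ;;
    esac
}

# strip_selinux_labels DIR BACKUP_FILE
strip_selinux_labels() {
    dir=$1 backup=$2
    if ! selinux_is_disabled; then
        echo "SELinux is not disabled; leaving labels on $dir" >&2
        return 1
    fi
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Dump the current labels first; stop if the dump cannot be written.
    getfattr -R -h -P -d -m '^security\.selinux$' --absolute-names "$dir" \
        > "$backup" || return 3

    # Same removal as the article's find command, batched with '+'.
    find "$dir" -exec setfattr -h -x security.selinux {} + 2>/dev/null

    # Count entries whose mode field still ends in a dot.
    remaining=0
    for mode in $(find "$dir" -exec ls -ld {} + | awk '{print $1}'); do
        if has_label_dot "$mode"; then remaining=$((remaining + 1)); fi
    done
    echo "backup: $backup, entries still labelled: $remaining"
    [ "$remaining" -eq 0 ]
}
```

Run it as root, for example strip_selinux_labels /var/EPM followed by a backup file of your choice; setfattr --restore=file with that same file puts the saved contexts back.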

That covers how to remove dot permissions in Linux, how to remove SELinux file permissions in Linux, and the details of the setfattr command.

I hope you will find it helpful in a crunch situation.