How to remove SELinux extended attributes from files?

[FirebirdTN]

The short version is in the thread title.

The long version:

I have a bunch of files/folders that used to reside on a RHEL4 samba server. It died. So now I am making a new box on CentOS 6.

Everything is set up. However, being rather inexperienced in Linux I chose to disable SELinux (I know, I know....this is not an internet facing box. I will learn SELinux later). When the RHEL4 box died and I recovered the files off of it, when I copied/pasted them I got a warning that there was some extended information in the clipboard that may be lost (this was done on a windows machine after recovering the files to a usb drive). A second copy/paste gave me the same warning, but they are still there.

The CentOS 6 box is the only linux machine that resides on our network. All these files/folders were shared out via Samba for Windows machines.

There is probably no harm done if I don't get rid of them, but 1) If they aren't needed for Windows machines, it could just be one more "point of failure", so I would like to get rid of them. 2) If I ever decided to re-enable SELinux, I have no idea of the ramifications with improperly labeled files since they originated from another box.

Thank you,

-Alan

[Greg_E]

Have you tried to reset (change) the file permissions (and do it recursively) from the windows machine where you recovered them? That might wipe out any of the unix/linux style permissions in favor of the Windows style permissions.

Sorry, can't help with the Linux side.

[TrevorH]

If you're just starting out then it is FAR better to enable selinux NOW than later. The longer you leave it the harder it gets to turn it back on. Edit /etc/sysconfig/selinux and change SELINUX=disabled to SELINUX=permissive and then

Code: Select all

touch /.autorelabel
reboot

During the next reboot it will relabel all files to include the correct selinux context information. Running selinux in permissive mode allows everything but logs the things that would be denied if it was in enforcing mode. You can check what would be denied by running `aureport -a` and the list you get are the the denials that have taken place. Take the number off the right hand end of each line and plug that into `ausearch -a nnn` and you will get details about what did what and why i would have been denied.

Once in permissive mode you can use those logs to fix any problems that occur.

[FirebirdTN]

Thanks Trevor, I might give that a try. One more piece of the puzzle though is when I had my RHEL4 box running, I had one proprietary MS-DOS database application that WOULD NOT WORK on it. I could never figure it out. I now suspect it had something to do with those SELinux labels, so I want to try it again before I turn it on.

I have two other windows database applications that worked perfectly on my old RHEL box. The proprietary MS-DOS application that never worked I had to put on a proprietary NAS device, which is now almost 10 years old and currently holding all the files and databases that my old RHEL box was. So I want to get off that box asap.

At this point I might just leave it at permissive though, just to get a feel for what it *would* deny. I just have a lot on my plate right now, and its taken me a month of on and off working at it (constant interruptions of "higher priority" projects) to finally get where I am with this box. I have much to learn.

Anyway, for whatever reason when I copied the files off the USB hard drive, I never got the warning again, so "Windows" must have striped off the labels.

-Alan