Remove dot(.) in Linux Permissions the RIGHT way!


Tips and Tricks

Author: Omer Cakmak
Reviewer: Deepak Prasad

The dot (.) at the end of a permission field means the file carries an SELinux security context. That context is stored on the file as an extended attribute, which is why it remains even after SELinux is disabled. In this article, we will explain how to remove the dot in Linux permissions.

 

Why is there a dot (.) at the end of permission field in Linux?

Did you just encounter a dot (.) at the end of the Linux permission field of a file or directory, something like the output below?

# ls -l /etc/
total 2240
drwxr-xr-x.  4 root root     4096 May  7  2021 acpi
-rw-r--r--.  1 root root       44 Aug 16 12:47 adjtime
-rw-------.  1 root root     7333 Mar 21  2017 aide.conf
-rw-r--r--.  1 root root     1529 Apr  1  2020 aliases
drwxr-xr-x.  2 root root     4096 Aug 16 18:26 alternatives
-rw-------.  1 root root      541 Aug  9  2019 anacrontab

And you are wondering what on earth that dot (.) is? We are all familiar with the permission field, but have never read anything about a dot field.

From info '(coreutils) ls invocation'

GNU 'ls' uses a '.' character to indicate a file with an SELinux
security context, but no other alternate access method.

A file with any other combination of alternate access methods is
marked with a '+' character.

So this should give you a clear idea: the dot (.) means the target file or directory has an SELinux security context and nothing else, while a plus (+) sign means that file or directory has some other alternate access method, typically an ACL (possibly alongside an SELinux context).

 

Remove dot (.) from Linux Permission field

Now that we know the meaning of dot (.) field in permission, let us learn how to remove them:

 

Prerequisite - Disable SELinux

To remove dot permissions on Linux, SELinux must be disabled first because, as we just learned, the dot (.) is added due to SELinux. There is also a practical reason: while SELinux is enabled, the kernel refuses every attempt to remove the security.selinux attribute from a file, so the setfattr command used later in this article would fail with a permission error.

First, let's check the SELinux status. Run the following command in terminal:

(if SELinux is enabled)

[foc@almalinux8 ~]$ sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
[foc@almalinux8 ~]$ getenforce 
Enforcing

(if SELinux is disabled)

[foc@almalinux8 ~]$ sestatus
SELinux status: disabled

[foc@almalinux8 ~]$ getenforce
Disabled

If SELinux is enabled, you can disable it by changing the mode in the /etc/selinux/config file (note that on newer distributions such as RHEL 9 and its derivatives, disabling SELinux through this file is deprecated and the selinux=0 kernel boot parameter is the supported way; the AlmaLinux 8 host used here still honours the config file):

[foc@almalinux8 ~]$ sudo nano /etc/selinux/config

Set the following line in this file:

SELINUX=disabled

Then reboot the server to activate the changes:

[foc@almalinux8 ~]$ sudo reboot

Finally, verify that SELinux is now disabled:

[foc@almalinux8 ~]$ getenforce
Disabled

[foc@almalinux8 ~]$ sestatus
SELinux status: disabled

 

Verify Linux Permissions field

We have disabled SELinux, but the dot (.) is still there. Disabling SELinux only stops the kernel from enforcing policy decisions; the security context of each file is stored as the security.selinux extended attribute on the file itself, and that attribute stays in place until it is explicitly removed.

[foc@almalinux8 ~]$ ls -ld /etc/yum.repos.d/*
-rw-r--r--. 1 root root 1019 Jun 22 13:31 /etc/yum.repos.d/almalinux-appstream.repo
-rw-r--r--. 1 root root  983 Jun 22 13:31 /etc/yum.repos.d/almalinux-baseos.repo
-rw-r--r--. 1 root root  947 Jun 22 13:31 /etc/yum.repos.d/almalinux-crb.repo
-rw-r--r--. 1 root root  983 Jun 22 13:31 /etc/yum.repos.d/almalinux-extras.repo
-rw-r--r--. 1 root root 1103 Jun 22 13:31 /etc/yum.repos.d/almalinux-highavailability.repo
-rw-r--r--. 1 root root  947 Jun 22 13:31 /etc/yum.repos.d/almalinux-nfv.repo

We can either use ls --context or ls -Z to list the files along with context data from SELinux. As you can see, the files have some security context assigned due to which we see a dot(.) in the permission field:

[foc@almalinux8 ~]$ ls -Z /etc/yum.repos.d/*
system_u:object_r:system_conf_t:s0 /etc/yum.repos.d/almalinux-appstream.repo
system_u:object_r:system_conf_t:s0 /etc/yum.repos.d/almalinux-baseos.repo
system_u:object_r:system_conf_t:s0 /etc/yum.repos.d/almalinux-crb.repo
system_u:object_r:system_conf_t:s0 /etc/yum.repos.d/almalinux-extras.repo
system_u:object_r:system_conf_t:s0 /etc/yum.repos.d/almalinux-highavailability.repo
system_u:object_r:system_conf_t:s0 /etc/yum.repos.d/almalinux-nfv.repo

 

Remove Dot in Linux Permissions

We will use the setfattr command to remove the dot field in the permissions. This command is used to set (and remove) extended attributes of filesystem objects in Linux. Let's remove the security.selinux attribute by running the following command in the terminal (when the files are owned by root, run it as root, for example with sudo as in the find example later in this article):

[foc@almalinux8 ~]$ setfattr -h -x security.selinux /etc/yum.repos.d/*

Here,

  • -x name, --remove=name Remove the named extended attribute entirely.
  • -h, --no-dereference Do not follow symlinks. If pathname is a symbolic link, it is not followed, but is instead itself the inode being modified.

Then let's list the permissions again and see that dot(.) has been successfully removed:

[foc@almalinux8 ~]$ ls -ld /etc/yum.repos.d/*
-rw-r--r-- 1 root root 1019 Jun 22 13:31 /etc/yum.repos.d/almalinux-appstream.repo
-rw-r--r-- 1 root root  983 Jun 22 13:31 /etc/yum.repos.d/almalinux-baseos.repo
-rw-r--r-- 1 root root  947 Jun 22 13:31 /etc/yum.repos.d/almalinux-crb.repo
-rw-r--r-- 1 root root  983 Jun 22 13:31 /etc/yum.repos.d/almalinux-extras.repo
-rw-r--r-- 1 root root 1103 Jun 22 13:31 /etc/yum.repos.d/almalinux-highavailability.repo
-rw-r--r-- 1 root root  947 Jun 22 13:31 /etc/yum.repos.d/almalinux-nfv.repo

Now when we list again using the -Z parameter, a question mark (?) appears instead of the security context, which means no security context was found:

[foc@almalinux8 ~]$ ls -Z /etc/yum.repos.d/*
? /etc/yum.repos.d/almalinux-appstream.repo
? /etc/yum.repos.d/almalinux-baseos.repo
? /etc/yum.repos.d/almalinux-crb.repo
? /etc/yum.repos.d/almalinux-extras.repo
? /etc/yum.repos.d/almalinux-highavailability.repo
? /etc/yum.repos.d/almalinux-nfv.repo

 

Recursively remove dot (.) from Linux Permission

We showed how to remove the dot from the files under one directory. Doing this for the whole system one directory at a time is impractical, so we will use the find command to delete the attribute in bulk. Keep in mind that files without a security.selinux attribute are unlabeled from SELinux's point of view: if you ever re-enable SELinux on this system, run a full relabel first (for example by creating the /.autorelabel file before rebooting), otherwise services can be denied access or the system can fail to boot in enforcing mode.

For example, under /var/log the labels are still present. Note that boot.log-20220906 already has no dot: it was apparently created after SELinux had been disabled, so no label was ever written to it:

[foc@almalinux8 ~]$ ls -ld /var/log/*
drwxr-xr-x. 2 root   root      4096 Aug 11 17:10 /var/log/anaconda
drwx------. 2 root   root        23 Aug 11 17:11 /var/log/audit
-rw-------. 1 root   root         0 Sep  6 07:44 /var/log/boot.log
-rw-------. 1 root   root    121192 Aug 13 00:00 /var/log/boot.log-20220813
-rw-------. 1 root   root     15055 Aug 15 22:14 /var/log/boot.log-20220815
-rw-------. 1 root   root      2213 Aug 16 00:00 /var/log/boot.log-20220816
-rw-------. 1 root   root     14479 Sep  5 09:26 /var/log/boot.log-20220905
-rw-------  1 root   root    100042 Sep  6 07:44 /var/log/boot.log-20220906

Then we run the following command, which finds every directory and regular file under /var/log and removes the attribute from each of them:

[foc@almalinux8 ~]$ sudo find /var/log/ -type d,f -exec setfattr -x security.selinux {} \;

Replace /var/log/ with the directory whose labels you want to remove. After the find command has run, the /var/log permissions look as follows:

[foc@almalinux8 ~]$ ls -ld /var/log/*
drwxr-xr-x  2 root   root      4096 Aug 11 17:10 /var/log/anaconda
drwx------  2 root   root        23 Aug 11 17:11 /var/log/audit
-rw-------  1 root   root         0 Sep  6 07:44 /var/log/boot.log
-rw-------  1 root   root    121192 Aug 13 00:00 /var/log/boot.log-20220813
-rw-------  1 root   root     15055 Aug 15 22:14 /var/log/boot.log-20220815
-rw-------  1 root   root      2213 Aug 16 00:00 /var/log/boot.log-20220816
-rw-------  1 root   root     14479 Sep  5 09:26 /var/log/boot.log-20220905
-rw-------  1 root   root    100042 Sep  6 07:44 /var/log/boot.log-20220906
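As an added example that is not part of the original article, the same audit-and-strip done from Python with os.listxattr and os.removexattr (the equivalent of the setfattr -x and find -exec steps above), with a dry run first and a per-path report of what refused the removal. It assumes a Linux host; the self-check uses a constructed temporary tree and a user.* attribute, because security.selinux cannot be set from an unprivileged process.

```python
# Added example, not the article's code: audit and strip security.selinux with
# os.listxattr/os.removexattr (what find -exec setfattr -x does), dry run first.
import os, tempfile
from typing import Dict, List, Optional

SELINUX_XATTR = "security.selinux"

def labeled_paths(root: str, attr: str = SELINUX_XATTR) -> List[str]:
    """Paths under root still carrying attr (a path without it is the '?' of ls -Z)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):  # does not descend into symlinked dirs
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            try:  # follow_symlinks=False: inspect the link itself, like setfattr -h
                if attr in os.listxattr(path, follow_symlinks=False):
                    found.append(path)
            except OSError:  # filesystem without xattr support: nothing to strip
                pass
    return sorted(found)

def strip_labels(root: str, attr: str = SELINUX_XATTR,
                 dry_run: bool = True) -> Dict[str, str]:
    """Remove attr below root and report per path. security.* needs root, and
    while SELinux is enabled the kernel refuses to drop security.selinux."""
    report = {}
    for path in labeled_paths(root, attr):
        if dry_run:
            report[path] = "would-remove"
            continue
        try:
            os.removexattr(path, attr, follow_symlinks=False)
            report[path] = "removed"
        except OSError as exc:  # reported, not raised, so one failure does not abort
            report[path] = "failed: " + (exc.strerror or str(exc))
    return report

def demo_on_user_xattr() -> Optional[Dict[str, List[str]]]:
    """Self-check on a constructed temp tree with a user.* attribute; None if unsupported."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sub"))
        labeled = os.path.join(root, "sub", "labeled.conf")
        open(labeled, "w").close()
        try:
            os.setxattr(labeled, "user.demo", b"system_u:object_r:system_conf_t:s0")
        except OSError:
            return None
        rel = lambda paths: sorted(os.path.relpath(p, root) for p in paths)
        return {"before": rel(labeled_paths(root, "user.demo")),
                "dry": rel(strip_labels(root, "user.demo", dry_run=True)),
                "done": rel(strip_labels(root, "user.demo", dry_run=False)),
                "after": rel(labeled_paths(root, "user.demo"))}
```

Run strip_labels("/var/log") as root to preview what the find command would touch, then again with dry_run=False to actually remove the labels.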

 

Summary

For more information about setfattr, you can visit its man page, or view it by running the following command in the terminal:

[foc@almalinux8 ~]$ man setfattr
NAME
       setfattr - set extended attributes of filesystem objects

SYNOPSIS
       setfattr [-h] -n name [-v value] pathname...
       setfattr [-h] -x name pathname...
       setfattr [-h] --restore=file

       -x name, --remove=name
              Remove the named extended attribute entirely.

       -h, --no-dereference
              Do not follow symlinks. If pathname is a symbolic link, it is
              not followed, but is instead itself the inode being modified.

 

References

unix.stackexchange.com - How to recursively remove all SELinux contexts? 

 
