The dot shown after the permission bits marks a file that carries an SELinux security context, and it remains on the file even after SELinux is disabled. In this article, we explain how to remove the dot from Linux permissions.
Why is there a dot (.) at the end of permission field in Linux?
Did you just encounter a dot (.) at the end of the Linux permission field of a file or directory, something like the listing below?
# ls -l /etc/
total 2240
drwxr-xr-x. 4 root root 4096 May  7  2021 acpi
-rw-r--r--. 1 root root   44 Aug 16 12:47 adjtime
-rw-------. 1 root root 7333 Mar 21  2017 aide.conf
-rw-r--r--. 1 root root 1529 Apr  1  2020 aliases
drwxr-xr-x. 2 root root 4096 Aug 16 18:26 alternatives
-rw-------. 1 root root  541 Aug  9  2019 anacrontab
And you are wondering what that dot (.) is? We are all familiar with the permission field, but most of us have never read anything about the dot.
From info '(coreutils) ls invocation':
GNU 'ls' uses a '.' character to indicate a file with an SELinux
security context, but no other alternate access method. A file with
any other combination of alternate access methods is marked with a
'+' character.
So this makes it clear: a dot (.) means the target file or directory has an SELinux security context and nothing else, while a plus (+) sign means that file or directory has an ACL (or another alternate access method) applied.
Remove dot (.) from Linux Permission field
Now that we know the meaning of dot (.) field in permission, let us learn how to remove them:
Prerequisite - Disable SELinux
To remove the dot from Linux permissions, SELinux must be disabled first because, as we just learned, the dot (.) is added due to SELinux.
First, let's check the SELinux status. Run the following command in terminal:
(If SElinux Enabled)
[foc@almalinux8 ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[foc@almalinux8 ~]$ getenforce
Enforcing
(If SElinux Disabled)
[foc@almalinux8 ~]$ sestatus
SELinux status: disabled
[foc@almalinux8 ~]$ getenforce
Disabled
If SELinux is enabled, you can disable it by changing the status in the /etc/selinux/config file:
[foc@almalinux8 ~]$ sudo nano /etc/selinux/config
Update the following line in this file:
SELINUX=disabled
Then reboot the server to activate the changes:
[foc@almalinux8 ~]$ sudo reboot
Finally, you can confirm that SELinux is now disabled:
[foc@almalinux8 ~]$ getenforce
Disabled
[foc@almalinux8 ~]$ sestatus
SELinux status: disabled
Verify Linux Permissions field
As you can see, we have disabled SELinux, but the dot (.) is still there. This means the SELinux security context is still stored on these files.
[foc@almalinux8 ~]$ ls -ld /etc/yum.repos.d/*
-rw-r--r--. 1 root root 1019 Jun 22 13:31 /etc/yum.repos.d/almalinux-appstream.repo
-rw-r--r--. 1 root root  983 Jun 22 13:31 /etc/yum.repos.d/almalinux-baseos.repo
-rw-r--r--. 1 root root  947 Jun 22 13:31 /etc/yum.repos.d/almalinux-crb.repo
-rw-r--r--. 1 root root  983 Jun 22 13:31 /etc/yum.repos.d/almalinux-extras.repo
-rw-r--r--. 1 root root 1103 Jun 22 13:31 /etc/yum.repos.d/almalinux-highavailability.repo
-rw-r--r--. 1 root root  947 Jun 22 13:31 /etc/yum.repos.d/almalinux-nfv.repo
We can use either ls --context or ls -Z to list the files along with their SELinux context. As you can see, the files have a security context assigned, which is why we see a dot (.) in the permission field:
[foc@almalinux8 ~]$ ls -Z /etc/yum.repos.d/*
system_u:object_r:system_conf_t:s0 /etc/yum.repos.d/almalinux-appstream.repo
system_u:object_r:system_conf_t:s0 /etc/yum.repos.d/almalinux-baseos.repo
system_u:object_r:system_conf_t:s0 /etc/yum.repos.d/almalinux-crb.repo
system_u:object_r:system_conf_t:s0 /etc/yum.repos.d/almalinux-extras.repo
system_u:object_r:system_conf_t:s0 /etc/yum.repos.d/almalinux-highavailability.repo
system_u:object_r:system_conf_t:s0 /etc/yum.repos.d/almalinux-nfv.repo
Remove Dot in Linux Permissions
We will use the setfattr command to remove the dot from the permission field. This command sets and removes extended attributes of filesystem objects in Linux; the SELinux context is stored in the security.selinux extended attribute, so removing that attribute removes the dot. Run the following command in the terminal:
[foc@almalinux8 ~]$ setfattr -h -x security.selinux /etc/yum.repos.d/*
Here,
-x name, --remove=name
    Remove the named extended attribute entirely.
-h, --no-dereference
    Do not follow symlinks. If pathname is a symbolic link, it is not followed, but is instead itself the inode being modified.
Then let's list the permissions again and see that the dot (.) has been successfully removed:
[foc@almalinux8 ~]$ ls -ld /etc/yum.repos.d/*
-rw-r--r-- 1 root root 1019 Jun 22 13:31 /etc/yum.repos.d/almalinux-appstream.repo
-rw-r--r-- 1 root root  983 Jun 22 13:31 /etc/yum.repos.d/almalinux-baseos.repo
-rw-r--r-- 1 root root  947 Jun 22 13:31 /etc/yum.repos.d/almalinux-crb.repo
-rw-r--r-- 1 root root  983 Jun 22 13:31 /etc/yum.repos.d/almalinux-extras.repo
-rw-r--r-- 1 root root 1103 Jun 22 13:31 /etc/yum.repos.d/almalinux-highavailability.repo
-rw-r--r-- 1 root root  947 Jun 22 13:31 /etc/yum.repos.d/almalinux-nfv.repo
Now when we list again using the -Z parameter, a question mark (?) appears in place of the context, which means that no security context was found:
[foc@almalinux8 ~]$ ls -Z /etc/yum.repos.d/*
? /etc/yum.repos.d/almalinux-appstream.repo
? /etc/yum.repos.d/almalinux-baseos.repo
? /etc/yum.repos.d/almalinux-crb.repo
? /etc/yum.repos.d/almalinux-extras.repo
? /etc/yum.repos.d/almalinux-highavailability.repo
? /etc/yum.repos.d/almalinux-nfv.repo
Recursively remove dot (.) from Linux Permission
We showed how to remove the dot from the files under a single directory, but doing this for the whole system one directory at a time is impractical. We will use the find command to remove the security.selinux attribute in bulk.
For example, under /var/log, the contexts are still present:
[foc@almalinux8 ~]$ ls -ld /var/log/*
drwxr-xr-x. 2 root root   4096 Aug 11 17:10 /var/log/anaconda
drwx------. 2 root root     23 Aug 11 17:11 /var/log/audit
-rw-------. 1 root root      0 Sep  6 07:44 /var/log/boot.log
-rw-------. 1 root root 121192 Aug 13 00:00 /var/log/boot.log-20220813
-rw-------. 1 root root  15055 Aug 15 22:14 /var/log/boot.log-20220815
-rw-------. 1 root root   2213 Aug 16 00:00 /var/log/boot.log-20220816
-rw-------. 1 root root  14479 Sep  5 09:26 /var/log/boot.log-20220905
-rw------- 1 root root 100042 Sep  6 07:44 /var/log/boot.log-20220906
Then we run the following command, which finds every file and directory under this path and removes the attribute from each one:
[foc@almalinux8 ~]$ sudo find /var/log/ -type d,f -exec setfattr -x security.selinux {} \;
To clean up another directory, run the same find command with that directory as its argument. After the command has run, the /var/log permissions look as follows:
[foc@almalinux8 ~]$ ls -ld /var/log/*
drwxr-xr-x 2 root root   4096 Aug 11 17:10 /var/log/anaconda
drwx------ 2 root root     23 Aug 11 17:11 /var/log/audit
-rw------- 1 root root      0 Sep  6 07:44 /var/log/boot.log
-rw------- 1 root root 121192 Aug 13 00:00 /var/log/boot.log-20220813
-rw------- 1 root root  15055 Aug 15 22:14 /var/log/boot.log-20220815
-rw------- 1 root root   2213 Aug 16 00:00 /var/log/boot.log-20220816
-rw------- 1 root root  14479 Sep  5 09:26 /var/log/boot.log-20220905
-rw------- 1 root root 100042 Sep  6 07:44 /var/log/boot.log-20220906
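The script below is an added example and is not part of the original article. It ties together the two points made above: the marker at the end of the mode field (dot for an SELinux context, plus for an ACL or other alternate access method) and the recursive find/setfattr clean-up. The classify_ls_line and count_context_entries functions are assumed helper names that read the eleventh character of the mode field, exactly as GNU ls documents it, and run over a constructed listing modelled on the article's output. strip_selinux_context wraps the article's find command, defaults to a dry run, and refuses to remove security.selinux while getenforce still reports SELinux as enabled.

```shell
#!/bin/sh
# Added example (not the article's own code). Assumed helper names:
# classify_ls_line, count_context_entries, strip_selinux_context.

# classify_ls_line LINE
# Prints "selinux" when the mode field ends in ".", "acl" when it ends in "+",
# "none" for a bare 10-character mode, and "unknown" for anything else
# (for example the "total N" header line of ls -l).
classify_ls_line() {
    mode=${1%% *}          # first whitespace-separated field, e.g. -rw-r--r--.
    case "$mode" in
        ??????????.) echo selinux ;;
        ??????????+) echo acl ;;
        ??????????)  echo none ;;
        *)           echo unknown ;;
    esac
}

# count_context_entries LISTING
# Counts the lines of an ls -l listing whose mode field carries the SELinux dot.
count_context_entries() {
    count=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        if [ "$(classify_ls_line "$line")" = selinux ]; then
            count=$((count + 1))
        fi
    done <<EOF
$1
EOF
    echo "$count"
}

# strip_selinux_context DIR [apply]
# Dry run by default: lists what the clean-up would touch. With "apply" it runs
# the article's find/setfattr command, but only once getenforce reports
# Disabled: stripping security.selinux from a system where SELinux is still
# active leaves files unlabeled and forces a relabel (restorecon or
# /.autorelabel) later.
strip_selinux_context() {
    dir=$1
    action=${2:-dry-run}
    if command -v getenforce >/dev/null 2>&1; then
        state=$(getenforce)
        if [ "$state" != Disabled ]; then
            echo "refusing: SELinux is $state; disable it and reboot first" >&2
            return 1
        fi
    fi
    if [ "$action" = apply ]; then
        find "$dir" \( -type d -o -type f \) -exec setfattr -h -x security.selinux {} \;
    else
        echo "dry run: would remove security.selinux from the following under $dir:"
        find "$dir" \( -type d -o -type f \) -print
    fi
}

# Constructed sample listing, modelled on the article's /etc/yum.repos.d output
# before and after the clean-up plus one ACL entry (not real output from any host).
SAMPLE_LISTING='-rw-r--r--. 1 root root 1019 Jun 22 13:31 almalinux-appstream.repo
-rw-r--r--. 1 root root  983 Jun 22 13:31 almalinux-baseos.repo
-rw-rw-r--+ 1 root root  947 Jun 22 13:31 shared.conf
-rw-r--r--  1 root root  983 Jun 22 13:31 almalinux-extras.repo'

printf '%s\n' "$SAMPLE_LISTING" | while IFS= read -r line; do
    printf '%-8s %s\n' "$(classify_ls_line "$line")" "${line##* }"
done
echo "entries still carrying an SELinux context: $(count_context_entries "$SAMPLE_LISTING")"

# Dry run against a throw-away directory so the script is safe to execute as-is.
tmp=$(mktemp -d)
touch "$tmp/example.conf"
strip_selinux_context "$tmp" || :
rm -rf "$tmp"
```

Run the script as-is to see the classification of the sample lines (selinux, selinux, acl, none, and a count of 2) and a dry run on a temporary directory; pass a real directory and the word apply as the second argument only after SELinux has been disabled and the machine rebooted, as described earlier in the article. The getenforce guard is the check a practitioner wants before a bulk setfattr, because the article's own sequence depends on SELinux already being off.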
Summary
For more information about setfattr, you can visit its man page, or view it by running the following command in the terminal:
[foc@almalinux8 ~]$ man setfattr
NAME
setfattr - set extended attributes of filesystem objects
SYNOPSIS
setfattr [-h] -n name [-v value] pathname...
setfattr [-h] -x name pathname...
setfattr [-h] --restore=file
-x name, --remove=name
Remove the named extended attribute entirely.
-h, --no-dereference
Do not follow symlinks. If pathname is a symbolic link, it is not followed, but is instead itself the inode being modified.
References
unix.stackexchange.com - How to recursively remove all SELinux contexts?