Hi All,
I have the following issue in SELinux. I did what the instructions said but the security context has still not changed. Do I need to create a local SELinux module? I hope someone can help me out with this. Thank you.
-------------------------------------------------------
# sealert -b
........................................
Summary: SELinux is preventing postmaster (postgresql_t) "setattr" to ./db (etc_t).
Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./db,
restorecon -v './db'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. ........................................
# ls -ldZ /etc/<apps>/db
drwx------ postgres postgres user_u:object_r:etc_t db

# restorecon -v /etc/<apps>/db
# ls -ldZ /etc/<apps>/db
drwx------ postgres postgres user_u:object_r:etc_t db
-------------------------------------------------------
Regards, James
On Tuesday 06 April 2010 03:24:49 James Corteciano wrote:
Instead, you can generate a local policy module to allow this access
Hello James,
This doesn't seem like an incorrect labeling issue. Files under /etc, most of them, will have the etc_t as type.
Apparently the current policy doesn't allow the action "setattr" from a process with a domain of "postgresql_t" to a file of type "etc_t". You need to do what the output tells you (what I'm quoting).
Try this:
...with something like "grep postgres /var/log/audit/audit.log ...the rest of command."
HTH, Jorge
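
Added example, not part of either message: a way to preview which allow rule a local policy module built from the audit log would grant before loading it. The AVC record is constructed to match the denial in the thread, the function names are hypothetical, and the audit2allow/semodule pipeline is the standard tooling, not the command elided in the reply above.

```shell
#!/bin/sh
# Constructed AVC record modelled on the denial in the thread (not a real log line).
SAMPLE_AVC='type=AVC msg=audit(1270520689.123:456): avc:  denied  { setattr } for  pid=2345 comm="postmaster" name="db" dev=dm-0 ino=123456 scontext=user_u:system_r:postgresql_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=dir'

# preview_allow_rules: read audit records on stdin and print, once each, the
# allow rule that would be needed for every AVC denial found.
preview_allow_rules() {
    awk '
    / avc: +denied / {
        # Permission list is the text between the braces.
        perms = $0
        sub(/^.*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            # The SELinux type is the third colon-separated field of a context.
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next
        if (perms ~ / /) perms = "{ " perms " }"
        rule = "allow " s " " t ":" c " " perms ";"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# install_local_module NAME: build and load a module from the postgres denials.
# Needs root plus audit2allow and semodule; defined here but not invoked.
install_local_module() {
    grep postgres /var/log/audit/audit.log | audit2allow -M "$1" &&
        semodule -i "$1.pp"
}

# Review first: this rule covers every directory labelled etc_t, not only ./db.
printf '%s\n' "$SAMPLE_AVC" | preview_allow_rules
```

On a real host, feed `grep postgres /var/log/audit/audit.log` into `preview_allow_rules` and read the output before calling `install_local_module` with a module name of your choice.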