CentOS - Apr 2010 - SELinux restorecon does not work

Hi All,

I have this following issue in SELinux. I did what instruction said but the
security context has still never changed. Do I need to create local SELinux
module? I hope anyone could help me out of this. Thank you.

-------------------------------------------------------
# sealert -b
........................................
Summary:
SELinux is preventing postmaster (postgresql_t) "setattr" to ./db
(etc_t).

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for ./db,

restorecon -v './db'

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this access
- see FAQ Or you can disable SELinux protection altogether. Disabling
SELinux protection is not recommended. Please file a bug report against this
package.
........................................

# ls -ldZ /etc/<apps>/db
drwx------  postgres postgres user_u:object_r:etc_t            db

# restorecon -v /etc/<apps>/db
# ls -ldZ /etc/<apps>/db
drwx------  postgres postgres user_u:object_r:etc_t            db
-------------------------------------------------------

Regards,
James
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.centos.org/pipermail/centos/attachments/20100406/11dca73d/attachment-0003.html>

On Tuesday 06 April 2010 03:24:49 James Corteciano
wrote:
>  Instead, you can generate a local policy module to allow this access
Hello James,

This doesn't seem like an incorrect labeling issue. Files under /etc, most
of
them, will have the etc_t as type.

Apparently the current policy doesn't allow the  action "seattr"
from a
process with a domain of "postgresql_t" to a file of type
"etc_t".  You need to
do what the output tells you (what I'm quoting).

Try this:

http://tinyurl.com/yd24kfw

...with somethign like "grep postgres /var/log/audit/audit.log ...the rest
of
command."

HTH,
Jorge