
Is Oracle Database 19c, 12c, 11c supported with SELinux, targeted policy, in enforcing mode?

Ivan Heredia, Nov 12 2024

Hi.

I installed and configured Oracle database 19c Community Edition in RHEL 9.4.

On this server I configured SELinux. Here is the configuration:

# fixfiles -F onboot
# semanage login --modify --range SystemLow --seuser user_u __default__
# semanage login --modify --range SystemLow-SystemHigh --seuser sysadm_u root
# semanage login --add --range SystemLow --seuser staff_u user
# echo "user ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL" > /etc/sudoers.d/user
# semanage login --add --range SystemLow --seuser user_u oracle

If I set SELinux to enforcing mode and run the script /etc/init.d/oracledb_ORCLCDB-19c start, the database is started.

But I can't use sqlplus; in /var/log/audit/audit.log there are AVC logs.

SELinux enforcing mode

[oracle@localhost root]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Tue Nov 12 11:29:04 2024
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle. All rights reserved.

Connected to an idle instance.

SQL> SHOW PDBS;
ERROR:
ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0

SP2-1545: This feature requires Database availability.
SQL> SHOW PDBS;
ERROR:
ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0

SP2-1545: This feature requires Database availability.
SQL> exit
Disconnected

Logs

type=AVC msg=audit(1731407526.080:170): avc: denied { associate } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407526.082:171): avc: denied { unix_read } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407526.082:171): avc: denied { getattr } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407526.082:172): avc: denied { unix_write } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407526.082:172): avc: denied { read write } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407588.386:177): avc: denied { unix_write } for pid=2086 comm="oracle_2086_orc" ipc_key=-1926613708 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=sem permissive=1
type=AVC msg=audit(1731407588.386:177): avc: denied { read write } for pid=2086 comm="oracle_2086_orc" ipc_key=-1926613708 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=sem permissive=1

SELinux permissive mode

[oracle@localhost root]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Tue Nov 12 11:32:06 2024
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle. All rights reserved.

Conectado a:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> SHOW PDBS;

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 ORCLPDB1                       MOUNTED
SQL> ALTER PLUGGABLE DATABASE ORCLPDB1 OPEN;

Base de datos de conexion modificada.

SQL> exit

To solve it, I can create custom policies. But does Oracle Enterprise give support for SELinux with your database 19c? And with the 11c and 12c versions?

Thanks.
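As an added example (not part of the original post and not Oracle's code), a small Python triage script that parses AVC records like the ones above and groups the denied permissions by source domain, target domain and object class, which is the first step before deciding whether a custom module is warranted; it also reads the permissive field, which records whether the kernel actually blocked the access or only logged it. The sample records are three lines copied from the post plus one constructed permissive=0 record and one non-AVC record.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records copied from the post, plus one
# constructed permissive=0 record and one non-AVC record that must be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1731407526.080:170): avc: denied { associate } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407526.082:172): avc: denied { read write } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407588.386:177): avc: denied { unix_write } for pid=2086 comm="oracle_2086_orc" ipc_key=-1926613708 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=sem permissive=1
type=AVC msg=audit(1731407700.000:190): avc: denied { read } for pid=2200 comm="oracle" ipc_key=-1926613708 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=sem permissive=0
type=USER_AUTH msg=audit(1731407600.000:180): pid=2100 uid=0 msg='op=PAM:authentication'
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    return rec

def summarize(audit_text):
    """Group denied permissions by (source type, target type, class);
    'enforced' is True if any record in the group carried permissive=0."""
    groups = defaultdict(lambda: {'perms': set(), 'enforced': False})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # Third component of user:role:type:level is the type (domain).
        key = (rec['scontext'].split(':')[2], rec['tcontext'].split(':')[2], rec['tclass'])
        groups[key]['perms'].update(rec['perms'])
        if rec.get('permissive') == '0':
            groups[key]['enforced'] = True
    return dict(groups)

def report(groups):
    """One line per group, sorted, in a form that is easy to diff between runs."""
    lines = []
    for (src, tgt, cls), info in sorted(groups.items()):
        state = 'enforced' if info['enforced'] else 'logged only'
        lines.append(f"{src} -> {tgt} ({cls}): {' '.join(sorted(info['perms']))} [{state}]")
    return lines
```

A group whose state is "logged only" was recorded while SELinux (or that domain) was permissive, so it shows what enforcing mode would block rather than what it did block.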
