Is Oracle Database 19c, 12c, 11c supported with SELinux targeted policy in enforcing mode?

Ivan Heredia, Nov 12 2024

Hi.

I installed and configured Oracle database 19c Community Edition on RHEL 9.4.

On this server, I configured SELinux. Here is the configuration:

# fixfiles -F onboot
# semanage login --modify --range SystemLow --seuser user_u __default__
# semanage login --modify --range SystemLow-SystemHigh --seuser sysadm_u root
# semanage login --add --range SystemLow --seuser staff_u user
# echo "user ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL" > /etc/sudoers.d/user
# semanage login --add --range SystemLow --seuser user_u oracle

If I set SELinux to enforcing mode and run the script /etc/init.d/oracledb_ORCLCDB-19c start, the database is started.

But I can't run sqlplus; in /var/log/audit/audit.log there are AVC logs.

SELinux enforcing mode

[oracle@localhost root]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Tue Nov 12 11:29:04 2024
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle. All rights reserved.

Connected to an idle instance.

SQL> SHOW PDBS;
ERROR:
ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0

SP2-1545: This feature requires Database availability.
SQL> SHOW PDBS;
ERROR:
ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0

SP2-1545: This feature requires Database availability.
SQL> exit
Disconnected

Logs

type=AVC msg=audit(1731407526.080:170): avc: denied { associate } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407526.082:171): avc: denied { unix_read } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407526.082:171): avc: denied { getattr } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407526.082:172): avc: denied { unix_write } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407526.082:172): avc: denied { read write } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407588.386:177): avc: denied { unix_write } for pid=2086 comm="oracle_2086_orc" ipc_key=-1926613708 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=sem permissive=1
type=AVC msg=audit(1731407588.386:177): avc: denied { read write } for pid=2086 comm="oracle_2086_orc" ipc_key=-1926613708 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=sem permissive=1

SELinux permissive mode

[oracle@localhost root]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Tue Nov 12 11:32:06 2024
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle. All rights reserved.

Conectado a:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> SHOW PDBS;

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 ORCLPDB1                       MOUNTED
SQL> ALTER PLUGGABLE DATABASE ORCLPDB1 OPEN;

Base de datos de conexion modificada.

SQL> exit

To solve it, I can create custom policies. But does Oracle provide support for SELinux with its database 19c? And for the 11c and 12c versions?

Thanks.
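
Added example, not part of the original post and not Oracle's or Red Hat's code: a small triage script that groups AVC denials like the ones quoted above by source type, target type and object class, and counts how many were actually enforced. The four sample lines are copied from the post's audit.log excerpt; the function names are illustrative.

```python
import re
from collections import defaultdict

# Four records copied from the audit.log excerpt in the post above.
SAMPLE = """\
type=AVC msg=audit(1731407526.080:170): avc: denied { associate } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407526.082:172): avc: denied { read write } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407588.386:177): avc: denied { unix_write } for pid=2086 comm="oracle_2086_orc" ipc_key=-1926613708 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=sem permissive=1
type=AVC msg=audit(1731407588.386:177): avc: denied { read write } for pid=2086 comm="oracle_2086_orc" ipc_key=-1926613708 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=sem permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def setype(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denied permissions by (source type, target type, class).

    Also counts records logged with permissive=0, i.e. accesses that
    were really blocked rather than only reported.
    """
    rules = defaultdict(set)
    enforced = 0
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (setype(m["src"]), setype(m["tgt"]), m["cls"])
        rules[key].update(m["perms"].split())
        if m["permissive"] == "0":
            enforced += 1
    return dict(rules), enforced

def as_allow_rules(rules):
    """Render the grouped denials in allow-rule form for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    grouped, enforced = summarize(SAMPLE)
    print("\n".join(as_allow_rules(grouped)))
    print("records with permissive=0:", enforced)
```

On these lines every denial is sysadm_t accessing shared memory and semaphore objects labelled initrc_t, and every record carries permissive=1, so none of the quoted records was logged while the access was being blocked.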
