Hi.
I installed and configured Oracle database 19c Community Edition on RHEL 9.4.
On this server, I configured SELinux. Here is the configuration:
# fixfiles -F onboot
# semanage login --modify --range SystemLow --seuser user_u __default__
# semanage login --modify --range SystemLow-SystemHigh --seuser sysadm_u root
# semanage login --add --range SystemLow --seuser staff_u user
# echo "user ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL" > /etc/sudoers.d/user
# semanage login --add --range SystemLow --seuser user_u oracle
If I set SELinux to enforcing mode and run the script /etc/init.d/oracledb_ORCLCDB-19c start, the database is started.
But I can't run sqlplus, and in /var/log/audit/audit.log there are AVC logs.
SELinux enforcing mode
[oracle@localhost root]$ sqlplus / as sysdba
SQL*Plus: Release 19.0.0.0.0 - Production on Tue Nov 12 11:29:04 2024
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Connected to an idle instance.
SQL> SHOW PDBS;
ERROR:
ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0
SP2-1545: This feature requires Database availability.
SQL> SHOW PDBS;
ERROR:
ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0
SP2-1545: This feature requires Database availability.
SQL> exit
Disconnected
Logs
type=AVC msg=audit(1731407526.080:170): avc: denied { associate } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407526.082:171): avc: denied { unix_read } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407526.082:171): avc: denied { getattr } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407526.082:172): avc: denied { unix_write } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407526.082:172): avc: denied { read write } for pid=2086 comm="oracle" ipc_key=1135834572 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1731407588.386:177): avc: denied { unix_write } for pid=2086 comm="oracle_2086_orc" ipc_key=-1926613708 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=sem permissive=1
type=AVC msg=audit(1731407588.386:177): avc: denied { read write } for pid=2086 comm="oracle_2086_orc" ipc_key=-1926613708 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0 tclass=sem permissive=1
SELinux permissive mode
[oracle@localhost root]$ sqlplus / as sysdba
SQL*Plus: Release 19.0.0.0.0 - Production on Tue Nov 12 11:32:06 2024
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Conectado a:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL> SHOW PDBS;
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 ORCLPDB1 MOUNTED
SQL> ALTER PLUGGABLE DATABASE ORCLPDB1 OPEN;
Base de datos de conexion modificada.
SQL> exit
To solve it, I can create custom policies. But does Oracle give support for SELinux with its 19c database? And for the 11c and 12c versions?
Thanks.
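
To see what a custom policy would have to cover, the denials in the log above can be grouped by source type, target type and object class, which is the aggregation audit2allow performs. The Python below is an added example, not part of the original post; the function names are hypothetical and the sample lines are the AVC records posted above.

```python
import re
from collections import defaultdict

# AVC records copied from the audit.log excerpt in the post.
_CTX = "scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:system_r:initrc_t:s0"
_SHM = f'for pid=2086 comm="oracle" ipc_key=1135834572 {_CTX} tclass=shm permissive=1'
_SEM = f'for pid=2086 comm="oracle_2086_orc" ipc_key=-1926613708 {_CTX} tclass=sem permissive=1'
SAMPLE_LOG = "\n".join([
    f"type=AVC msg=audit(1731407526.080:170): avc: denied {{ associate }} {_SHM}",
    f"type=AVC msg=audit(1731407526.082:171): avc: denied {{ unix_read }} {_SHM}",
    f"type=AVC msg=audit(1731407526.082:171): avc: denied {{ getattr }} {_SHM}",
    f"type=AVC msg=audit(1731407526.082:172): avc: denied {{ unix_write }} {_SHM}",
    f"type=AVC msg=audit(1731407526.082:172): avc: denied {{ read write }} {_SHM}",
    f"type=AVC msg=audit(1731407588.386:177): avc: denied {{ unix_write }} {_SEM}",
    f"type=AVC msg=audit(1731407588.386:177): avc: denied {{ read write }} {_SEM}",
])

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line) if "type=AVC" in line else None
        if match is None:
            continue  # not an AVC denial record
        key = (selinux_type(match["scontext"]),
               selinux_type(match["tcontext"]),
               match["tclass"])
        grouped[key].update(match["perms"].split())
    return dict(grouped)

def as_allow_rules(grouped):
    """Render each group as a type-enforcement rule for review."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(grouped.items())]

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize_denials(SAMPLE_LOG))))
```

All seven records reduce to two rules: a sysadm_t process (sqlplus run from the sudo session) accessing shm and sem objects labelled initrc_t (created when the init script started the database).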