9 Replies Latest reply: Oct 1, 2013 8:23 AM by Girish Sharma

    Oracle and SElinux

    Girish Sharma

      Hi,

      After enough Google and doc searching and email discussion, I think I should now raise the question here. My question is: when we install Oracle software on Linux, we have to disable SELinux to avoid unnecessary errors. Why is that so? I mean, why is Oracle not happy with SELinux-enabled Linux? As such, I am not in a situation where I am having a problem with SELinux, but I have a doubt: are we not disabling the security that Linux provides, which secures the server at the kernel level?

       

      Please share your valuable thoughts. If I wish to have SELinux fully enabled with Oracle database software, is that possible or not? I think SELinux is the security which secures the whole Linux server, and when my server is secure my db is also secure.

       

      Thanks and Regards

      Girish Sharma

        • 1. Re: Oracle and SElinux
          sb92075

          GOOGLE is your friend, but only when you actually use it

           

          3.7. Configuring and Using SELinux

          • 2. Re: Oracle and SElinux
            jgarry

            This one seems to say "because selinux doesn't let a needed library load:" Oracle Startup Problems When Using SELinux

             

            I don't know much about it, but I would guess from sb's link that it translates to "you have to add some programs to be able to let the library load, then you run into performance problems since the library is used so much and the kernel checks each time."  But that's just a guess.  A guess that invites you to try it and strace (or whatever linux has) to see for sure.

            • 3. Re: Oracle and SElinux
              rp0428
              After enough Google and doc searching and email discussion, I think I should now raise the question here. My question is: when we install Oracle software on Linux, we have to disable SELinux to avoid unnecessary errors. Why is that so? I mean, why is Oracle not happy with SELinux-enabled Linux? As such, I am not in a situation where I am having a problem with SELinux, but I have a doubt: are we not disabling the security that Linux provides, which secures the server at the kernel level?

               

              Please share your valuable thoughts. If I wish to have SELinux fully enabled with Oracle database software, is that possible or not? I think SELinux is the security which secures the whole Linux server, and when my server is secure my db is also secure.

               

              Having tried to help thousands of forum users yourself you must know that we can't really provide any meaningful help if you don't provide something of substance for us to go on; in particular what version of Oracle you are referring to.

              My question is: when we install Oracle software on Linux, we have to disable SELinux to avoid unnecessary errors. Why is that so? I mean, why is Oracle not happy with SELinux-enabled Linux?

              The implication in your question just isn't true. As with most things Oracle, the functionality available often depends on the version of Oracle that you are using.

               

              See the Installation Guide for Oracle 11g Release 2

              http://docs.oracle.com/cd/E11882_01/install.112/e47689.pdf

              Starting with Oracle Database 11g Release 2 (11.2), the Security Enhanced Linux (SELinux) feature is supported for Oracle Linux 4, Oracle Linux 5, Oracle Linux 6, Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, and Red Hat Enterprise Linux 6.
              • 4. Re: Oracle and SElinux
                Girish Sharma

                First of all, I am happy and thankful to all of you for your replies. Rp, I am not talking about any specific Oracle version(s). As a general note, when we install Oracle database software on a Linux OS, it is recommended to disable SELinux to avoid unexpected behavior, so I am just talking about any version, please.

                 

                @Joel,

                Yes, this is something I wish to test on a test Linux box: what happens with Oracle if SELinux is in enforced mode. I just posted the question to see if someone has tested it and can share their experience, and/or if this thread creates a blog entry on their blogs!

                 

                @Sb,

                I am thankful to you for such a good link, which I could not find while trying to search for what it is about SELinux that makes Oracle "uneasy". Would you please share your views on this topic: are we not really putting our database on a server with SELinux disabled?

                 

                When I asked this question in a mail to my friend, he asked me, "Why are you going to enable SELinux? Is there any compulsion for you?" I said no, as such there is no such scenario; I just got this question as a popup. Have you ever worked on a SELinux-enabled database without any issue? If yes, then please tell me how, and what configuration you did.

                 

                Once again thanks to all of you.

                 

                Regards

                Girish Sharma

                • 5. Re: Oracle and SElinux
                  rp0428
                  I am not talking about any specific Oracle version(s). As a general note, when we install Oracle database software on a Linux OS, it is recommended to disable SELinux to avoid unexpected behavior, so I am just talking about any version, please.

                  But I AM talking about a specific Oracle version.

                  Starting with Oracle Database 11g Release 2 (11.2), the Security Enhanced Linux (SELinux) feature is supported

                  With more recent, but earlier versions you could use 'Permissive' mode. It is only with the older Oracle versions that you had to 'Disable' SELinux for Oracle to work properly.

                   

                  The Oracle version is the determinant of whether SELinux is supported or not. Without knowing the Oracle version and specific OS versions involved the question 'is SELinux supported' can't really be answered.

                   

                  I haven't used SELinux in 'Enforcing' mode in a production environment but in test environments and 11.2 I haven't experienced any issues. My test environments are generally built using Oracle's VM and/or VirtualBox.
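
The replies above mention 'Permissive' mode and suggest testing to see what is actually blocked; in permissive mode SELinux logs the accesses it would have denied instead of blocking them, so a test box's audit log shows what an Oracle install trips over. The following is an added example, not part of any post in this thread: a small Python parser that groups AVC denial records by target so one blocked library or port shows up once with every command it affected. The log lines, the library path, and the `example_*_t` type names are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not from the thread). The path and the
# example_*_t type names are placeholders, not real Oracle or policy values.
LIB = "/u01/app/oracle/product/EXAMPLE/lib/libexample.so"
CTX = "scontext=system_u:system_r:example_db_t:s0 tcontext=system_u:object_r:"
SAMPLE_AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1380000000.101:501): avc:  denied  { execmod } for  pid=4101 '
    f'comm="lsnrctl" path="{LIB}" dev=dm-0 ino=1311 {CTX}example_lib_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1380000000.101:501): arch=c000003e syscall=10 success=no',
    'type=AVC msg=audit(1380000002.220:502): avc:  denied  { execmod } for  pid=4107 '
    f'comm="sqlplus" path="{LIB}" dev=dm-0 ino=1311 {CTX}example_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1380000005.007:503): avc:  denied  { name_bind } for  pid=4120 '
    f'comm="tnslsnr" src=1521 {CTX}example_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1380000009.300:504): avc:  granted  { setenforce } for  pid=4200 '
    f'comm="setenforce" {CTX}security_t:s0 tclass=security',
])

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(log_text):
    """Return one dict per AVC 'denied' record; other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if not m:
            continue  # SYSCALL records, 'granted' records, malformed lines
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        denials.append({
            "perms": m.group("perms").split(),
            "comm": f.get("comm", "?"),
            # file denials carry path=/name=, socket denials carry src=/dest=
            "target": f.get("path") or f.get("name") or f.get("src") or f.get("dest", "?"),
            "tclass": f.get("tclass", "?"),
            "tcontext": f.get("tcontext", "?"),
        })
    return denials

def group_by_target(denials):
    """Map (permission, class, target, target context) -> sorted commands denied."""
    groups = defaultdict(set)
    for d in denials:
        for perm in d["perms"]:
            groups[(perm, d["tclass"], d["target"], d["tcontext"])].add(d["comm"])
    return {key: sorted(comms) for key, comms in groups.items()}

if __name__ == "__main__":
    for (perm, tclass, target, tctx), comms in group_by_target(
            parse_denials(SAMPLE_AUDIT_LOG)).items():
        print(f"{perm:10} {tclass:11} {target}  [{tctx}]  <- {', '.join(comms)}")
```
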

                   

                   

                  • 6. Re: Oracle and SElinux
                    Aman....

                    Girish,

                     

                    You can't say that because SELinux is disabled, you are missing something so great that Oracle should let it work. I can't seem to recall, but there are a few libraries which are blocked by it when the Oracle database attempts to start. Even in RAC systems, having SELinux enabled throws errors. That's the reason that you must disable it. For 11.2, as Rp has mentioned, it is now supported.

                     

                    Edit

                    Here is one thread showing what happens when SELinux is enabled.

                    lsnrctl: error while loading shared libraries: /u01/app/oracle/product/11.2

                     

                    Just my 2 cents.

                     

                    Aman....

                    • 7. Re: Oracle and SElinux
                      Girish Sharma

                      Aman,

                       

                      SELinux is supported from version 11.2. It means that if I have 11.2 on SELinux-enabled Linux on those OSs (Oracle Linux 4, Oracle Linux 5, Oracle Linux 6, Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, and Red Hat Enterprise Linux 6) which have been mentioned above, I shall not have any issue (OCFS, ASMLIB, OEM grid control, Oracle cluster service etc.), right, and my server and database are now more secure than ever?

                       

                      If yes, then can we tell the community (even though it all depends upon company and client business/IT policies) to have SELinux in enforce mode if the version is 11.2 or greater, so that the server and database can remain safe? (Hackers have to work harder!!!)

                       

                      @Rp,

                      I was not aware that SELinux is supported from 11.2; that's why I was talking about every version. Thank you Rp.

                       

                      Regards

                      Girish Sharma

                      • 8. Re: Oracle and SElinux
                        Aman....

                        GirishSharma wrote:

                         

                        Aman,

                         

                        SELinux is supported from version 11.2. It means that if I have 11.2 on SELinux-enabled Linux on those OSs (Oracle Linux 4, Oracle Linux 5, Oracle Linux 6, Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, and Red Hat Enterprise Linux 6) which have been mentioned above, I shall not have any issue (OCFS, ASMLIB, OEM grid control, Oracle cluster service etc.), right, and my server and database are now more secure than ever?

                         

                        If yes, then can we tell the community (even though it all depends upon company and client business/IT policies) to have SELinux in enforce mode if the version is 11.2 or greater, so that the server and database can remain safe? (Hackers have to work harder!!!)

                         

                        @Rp,

                        I was not aware that SELinux is supported from 11.2; that's why I was talking about every version. Thank you Rp.

                         

                        Regards

                        Girish Sharma

                        Girish,

                         

                        You're just missing the point, completely. Just having one feature (or not having either) doesn't make things more or less secure. The job of SELinux is specific: to control which processes and daemons are allowed to run. Have a read,

                        Security-Enhanced Linux - Wikipedia, the free encyclopedia

                         

                        I am not sure how you have linked OCFS, CRS, EM etc. with SELinux. Oracle didn't ask customers to use SELinux in permissive mode because it would make things insecure, but because having it would create issues in the functioning of the database. So it's a very simple thing: as long as it was not supported, you, the customer, had no other choice. Now, with 11.2, as SELinux is supported, it would be interesting to see if any case study comes up where someone has run his database with SELinux and what impact he experienced. Just because a feature is supported now doesn't mean that one must make use of it, since being more secure may impact performance as well.

                         

                        Aman....

                        • 9. Re: Oracle and SElinux
                          Girish Sharma

                          Thank you Aman. I am closing the thread in the hope that someone posts a case study and/or a blog entry to see what happens if a db is running on a SELinux-enabled Linux distro.

                           

                          I am thankful to SB and Rp too for their participation and valuable links and replies.

                           

                          Regards

                          Girish Sharma