SELinux option

NataliaJ
NataliaJ Member Posts: 3 Red Ribbon
edited Jun 19, 2020 3:32AM in Database Security - General

What do you think about the advantages and disadvantages of SELinux on Oracle Database Server from a DBA's point of view?

Which option would you recommend: enforcing, permissive or disabled?

Why?


Answers

  • Joerg.Sobottka
    Joerg.Sobottka Senior Consultant and Oracle Ace Member Posts: 598 Bronze Trophy
    edited Jun 16, 2020 10:38AM

    If you use enforcing, you may have problems like http://jaimecrespogarcia.blogspot.com/2016/11/error-to-startup-sqlplus-andor-listener.html

    and you must add rules for things that are not working.

    Permissive doesn't enforce things, but you can find out from the warnings which rules you should add.

    Depending on the type of the server it could also be safe to disable SELinux in total.

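Added example, not written by any poster in this thread: in permissive mode denials are logged rather than enforced, so grouping the AVC records in the audit log shows which accesses would need a rule before switching to enforcing. The sample log lines, process names and SELinux types below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread); the process names
# and SELinux types are illustrative assumptions for an Oracle host.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1592300000.101:410): avc:  denied  { name_bind } for  pid=2211 comm="tnslsnr" src=1521 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1592300004.220:415): avc:  denied  { read } for  pid=2304 comm="sqlplus" name="libclntsh.so" dev="dm-0" ino=7781 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1592300004.221:416): avc:  denied  { open } for  pid=2304 comm="sqlplus" path="/home/oracle/lib/libclntsh.so" dev="dm-0" ino=7781 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1592300004.221:416): arch=c000003e syscall=2 success=yes exit=3 comm="sqlplus"
type=AVC msg=audit(1592300050.007:430): avc:  denied  { execmod } for  pid=2410 comm="oracle" path="/u01/app/lib/libexample.so" dev="dm-0" ino=9001 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group AVC denials by (process, source type, target type, object class)."""
    summary = defaultdict(
        lambda: {"perms": set(), "blocked": 0, "logged_only": 0, "unknown": 0})
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL, PATH and other record types
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m["comm"], selinux_type(m["scontext"]),
               selinux_type(m["tcontext"]), m["tclass"])
        entry = summary[key]
        entry["perms"].update(m["perms"].split())
        # permissive=1: logged but allowed; permissive=0: actually blocked.
        # Records without the field are counted as "unknown".
        mode = {"1": "logged_only", "0": "blocked"}.get(m["permissive"], "unknown")
        entry[mode] += 1
    return dict(summary)

if __name__ == "__main__":
    for key, e in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        print(key, sorted(e["perms"]), "blocked:", e["blocked"],
              "logged only:", e["logged_only"])
```
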
  • Gaz in Oz
    Gaz in Oz Member Posts: 3,785 Bronze Crown
    edited Jun 16, 2020 8:11PM

    As a "DBA" I wouldn't be messing with SELinux, I would be leaving that to the Linux sysadmin and company policy to deal with that.

    Security is good so disabling it seems very rash.

    Set up a test server with it on as enforced and do "DBA" stuff like installing Oracle products, using the database and see if you are inhibited in any way.

    Talking to your Linux sysadmin would be a good place to start, as they may already be aware of what and how to set up a Linux server for Oracle and SE.

    If you are using OLinux I believe it is "enforcing" by default so should be already set up properly to allow you to create/configure/use an Oracle db on that OS.

  • NataliaJ
    NataliaJ Member Posts: 3 Red Ribbon
    edited Jun 18, 2020 4:56AM

    Thank you Gaz,

    We are going to use OLVM with RH Linux as Database Servers and as Application Servers.

    What do you think - if OLVM will be "enforcing" by default, could the RH Db Server be "permissive"?

  • NataliaJ
    NataliaJ Member Posts: 3 Red Ribbon
    edited Jun 18, 2020 4:57AM

    Thank you Joerg, I'll do so - at first, set to "permissive".

  • Stanislav Studený
    Stanislav Studený Member Posts: 60 Bronze Badge
    edited Jun 18, 2020 11:39AM

    It is not supported to run Oracle DB with SELinux enabled. I think I saw a note about that on Oracle Support which said that Oracle does not run sufficient tests to ensure proper SELinux support. If you don't want to run into any problems, especially during upgrades to higher releases, don't enable that.

    Best Regards,

    Stanislav

  • Andris Perkons-Oracle
    Andris Perkons-Oracle Posts: 1,094 Employee
    edited Jun 18, 2020 12:40PM Answer ✓
    > It is not supported to run Oracle DB with SELinux enabled.

    MOS disagrees (mostly). I have found several notes stating "By default, RHEL <n> x86_64 Linux is installed with SELinux as "enforcing". This is fine for the Oracle Database <x> installation process." See MOS notes 2196074.1, 1962100.1, 1529864.1, if you have access to MOS. I have found one note stating that SELinux should be set to "permissive" for the installation only, and after that can be set to "enforcing" again (RHEL on S390).

    Only for Exadata I have found the statement that "enforcing" is not tested and, if customer chooses to use that setting anyway, should test with "permissive" first.

    Andris

  • Stanislav Studený
    Stanislav Studený Member Posts: 60 Bronze Badge
    edited Jun 19, 2020 3:11AM

    Hi.

    Thanks for the notes. It seems things have changed :-). You are right. It's okay since 12.2+ install process.

    Stanislav