Discussions
Categories
- 17.9K All Categories
- 3.4K Industry Applications
- 3.3K Intelligent Advisor
- 63 Insurance
- 536.4K On-Premises Infrastructure
- 138.3K Analytics Software
- 38.6K Application Development Software
- 5.8K Cloud Platform
- 109.5K Database Software
- 17.5K Enterprise Manager
- 8.8K Hardware
- 71.1K Infrastructure Software
- 105.3K Integration
- 41.6K Security Software
SELinux option
What do you think about advantages and disadvantages of SELinux on Oracle Database Server from point of view DBA?
Which option would you recommend: enforcing, permissive or disable?
why?
Best Answer
-
It is not supported to run Oracle DB with SELinux enabled.
MOS disagrees (mostly). I have found several notes stating " By default, RHEL <n> x86_64 Linux is installed with SELinux as "enforcing". This is fine for the Oracle Database <x> installation process." See MOS notes 2196074.1, 1962100.1, 1529864.1, if you have access to MOS. I have found one note stating that SElinux should be set to "permissive" for the installation only, and after that can be set to "enforcing" again (RHEL on S390).
Only for Exadata I have found the statement that "enforcing" is not tested and, if customer chooses to use that setting anyway, should test with "permissive" first.
Andris
Answers
-
If you use enforcing, you may have problems like http://jaimecrespogarcia.blogspot.com/2016/11/error-to-startup-sqlplus-andor-listener.html
and you must add rules for things that are not working.
Permissive doesn't enfoce things, but you can find out by warnings, which rules you should add.
Depending on the type of the server it could also be safe to disable SELinux in total.
-
As a "DBA" I wouldn't be messing with SELinux, I would be leaving that to the Linux sysadmin and company policy to deal with that.
Security is good so disabling it seems very rash.
Setup a test server with it on as enforced and do "DBA" stuff like installing Oracle products, using the database and see if you are inhibited in any way.
Talking to your Linux sysadmin would be a good place to start, as they may already be aware of what and how to setup a Linux server for Oracle and SE.
If you are using OLinux I believe it is "enforcing" by default so should be alredy setup properly to allow you to create/configure/use an Oracle db on that OS.
-
Thank you Gaz,
we are going to use OLVM with RH Linux as Database Servers and as Application Servers.
What do you think - if OLVM will be "enforcing" by Default, could the RH Db Server be "permissive"?
-
Thank you Joerg, I'll do so - at first time set to "permissive"
-
It is not supported to run Oracle DB with SELinux enabled. I think, i saw note about that Oracle Support which told, that Oracle does not run sufficient tests to ensure proper SELinux support. If you don't want to run into any problems, especially during upgrades to higher releases, don't enable that.
Best Regards,
Stanislav
-
It is not supported to run Oracle DB with SELinux enabled.
MOS disagrees (mostly). I have found several notes stating " By default, RHEL <n> x86_64 Linux is installed with SELinux as "enforcing". This is fine for the Oracle Database <x> installation process." See MOS notes 2196074.1, 1962100.1, 1529864.1, if you have access to MOS. I have found one note stating that SElinux should be set to "permissive" for the installation only, and after that can be set to "enforcing" again (RHEL on S390).
Only for Exadata I have found the statement that "enforcing" is not tested and, if customer chooses to use that setting anyway, should test with "permissive" first.
Andris
-
Hi.
Thanks for notes. It seems things has changed :-). You are right. It's okay since 12.2+ install process.
Stanislav
