6 Replies Latest reply: Jan 9, 2014 12:56 AM by Billy~Verreynne

    ASM and SELinux Enabled.  Is this possible

    1002600

      Does anybody know if you can use Oracle ASM with SELinux enabled?  All doco I've seen says to disable SELinux, but I have a requirement to have SELinux enabled.  Is there a document you can point me to for the specific policy changes needed to support Oracle 11g and ASM?  Running Oracle Enterprise Linux 6.4.

        • 1. Re: ASM and SELinux Enabled.  Is this possible
          Catch-22

          According to the installation documentation, SELinux is supported for Oracle Database as of 11gR2. Check the following: http://docs.oracle.com/cd/E11882_01/readmes.112/e41331/toc.htm#READM109

          So unless you rely on ACFS, SELinux is supported. Also do not confuse ASM with ASMLib. ASMLib will fail if SELinux is set to “enforcing”. However, ASMLib is optional, but then you must configure device name persistence by configuring Linux udev.

          Whether you would really want SELinux running on an Oracle server is another question. I suggest reviewing the following thread: https://community.oracle.com/thread/2165086. It appears to be the most common practice to disable SELinux on servers running Oracle.
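The two practical steps behind the reply above, as an added example that is not part of the thread or of any Oracle-supplied script: read the configured SELinux mode from /etc/selinux/config, and, for the "no ASMLib" route, generate udev rules that give each ASM candidate disk a persistent name under /dev/oracleasm/ with the ownership ASM expects. The config text and the WWIDs are constructed for the example; the grid owner, asmadmin group, whole-disk matching (KERNEL=="sd*") and the OEL 6 /sbin/scsi_id path are assumptions you must adjust to your host.

```shell
#!/bin/sh
# Added example (not from the original thread). Helpers for running ASM
# without ASMLib: check the SELinux mode and emit udev persistence rules.

# Constructed stand-in for /etc/selinux/config; the real file on OEL 6
# carries the same SELINUX= and SELINUXTYPE= keys.
SELINUX_CONFIG_SAMPLE='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# Print the SELINUX= value (enforcing|permissive|disabled) from config text
# passed as $1, skipping comments and the unrelated SELINUXTYPE= key.
selinux_mode() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' | head -n 1
}

# Constructed disk list: "<symlink name> <scsi_id WWID>" per line. The WWIDs
# are fabricated; on a real host take them from: /sbin/scsi_id -g -u -d /dev/sdX
ASM_DISKS='disk1 36000c29f0000000000000000000000a1
disk2 36000c29f0000000000000000000000a2'

# Emit one udev rule per disk. $1 = disk list, $2 = owner, $3 = group.
# Assumed defaults: owner grid, group asmadmin, whole disks (sd*), and the
# udev $name placeholder (kernel device name) supported by OEL 6's udev.
udev_rules() {
    owner=${2:-grid}
    group=${3:-asmadmin}
    printf '%s\n' "$1" | while read -r name wwid; do
        [ -n "$name" ] || continue
        # $name inside single quotes is left for udev to expand, not the shell.
        printf 'KERNEL=="sd*", SUBSYSTEM=="block", PROGRAM="/sbin/scsi_id -g -u -d /dev/$name", RESULT=="%s", SYMLINK+="oracleasm/%s", OWNER="%s", GROUP="%s", MODE="0660"\n' \
            "$wwid" "$name" "$owner" "$group"
    done
}

# Usage: warn when SELinux is enforcing (ASMLib will not work), then print
# the rules. On a real host, save the output as
# /etc/udev/rules.d/99-oracle-asmdevices.rules and run: udevadm trigger
mode=$(selinux_mode "$SELINUX_CONFIG_SAMPLE")
if [ "$mode" = "enforcing" ]; then
    echo "SELinux is $mode: skip ASMLib and use udev rules for device persistence" >&2
fi
udev_rules "$ASM_DISKS"
```

After writing the rules file, confirm each /dev/oracleasm/* symlink resolves to the intended disk and shows owner grid and group asmadmin before pointing ASM_DISKSTRING at /dev/oracleasm/*; the config-file value is what applies after the next boot, so compare it with the live mode reported by getenforce.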

          • 2. Re: ASM and SELinux Enabled.  Is this possible
            1002600

            Dude, thanks for the quick reply.  You are correct, I was incorrectly referring to ASM when the real issue I was wondering about was ASMLib.  I didn't want to get into the need for writing udev rules, but it looks like I may have to if ASMLib doesn't support SELinux in enforcing mode.

            I may have to get a waiver if SELinux enforcing mode is not supported or recommended.

            • 3. Re: ASM and SELinux Enabled.  Is this possible
              Catch-22

              To be honest, I have never tried to make ASMLib work with SELinux enforced. Whether it was a matter of policies or incompatibility I do not know, but from reading about it, it seems to be the latter.

              I suggest not assuming that SELinux is required or is generally a good thing to have enforced. For an Oracle database server with a limited number of known users, applications and services, I do not really see a lot of benefit from SELinux other than to provide a safeguard in case the security of Oracle processes and applications is compromised. It may rather have a negative impact on performance, proper function or troubleshooting, and may complicate matters for no valid reason.

              • 4. Re: ASM and SELinux Enabled.  Is this possible
                Billy~Verreynne

                Why exactly is SELinux required in your case?

                And it is far more complex than simply enabling it. It is also about configuring it and managing it.

                SELinux is like a dangerous and vicious security dog inside your house, where you need to have permission to open the fridge or be bitten. The question, though, is who and what is guarding your property border to prevent burglars from gaining access to your house in the first place?

                In my view, if you say you need to have SELinux enabled, you are saying you face serious security risks, which means SELinux alone does not suffice and the same type of heavy artillery is needed to protect the network, physical IT infrastructure, application usage, data access, etc.

                • 5. Re: ASM and SELinux Enabled.  Is this possible
                  Catch-22

                  I think a typical example where SELinux makes sense is if someone accesses your computer services, such as the Oracle database, and manages to exploit a buffer overflow vulnerability to inject code and perform actions the application or process was not designed for, like accessing the file system. Such issues are typically addressed by Oracle security patches.

                  • 6. Re: ASM and SELinux Enabled.  Is this possible
                    Billy~Verreynne

                    Exactly. And if your network access to the database is secure, then the chances are lower that a payload can be delivered to the database, resulting in an exploit that needs SELinux to prevent it.