Making a backup of spacewalk database:

environment: centos 5.3 running spacewalk 0.6 (according to /etc/spacewalk-release: spacewalk release 0.6.4 (Alpha))

tried to follow this page: https://fedorahosted.org/spacewalk/wiki/SpacewalkBackup

$ su oracle
i found out that first and foremost after doing the 'su oracle' you need to load the oracle environment:
$ . /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/oracle_env.sh

ok now we login and alter some database things as described on the page:
$ sqlplus /nolog
SQL> connect / as sysdba
Connected.
SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup mount
ORACLE instance started.

Total System Global Area  805306368 bytes
Fixed Size                  1261444 bytes
Variable Size             213909628 bytes
Database Buffers          587202560 bytes
Redo Buffers                2932736 bytes
Database mounted.
SQL> alter database archivelog;

Database altered.

SQL> alter database open;

Database altered.

SQL> SELECT LOG_MODE FROM SYS.V$DATABASE;

LOG_MODE
------------
ARCHIVELOG

SQL> quit
Disconnected from Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production

When trying to run backup script:
$ /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh
==================== ERROR =========================
Backup of the database failed
==================== ERROR =========================
flash recovery area is not enabled.
Log file is at /usr/lib/oracle/xe/oxe_backup_current.log.
Press ENTER key to exit


not sure if this is already in the database but i tried this first (thinking it was really the flash recovery area which was not defined):
SQL> alter system set db_recovery_file_dest='/usr/lib/oracle/xe/app/oracle/flash_recovery_area/XE/';

when it was still not working it hit me that it was maybe selinux so i looked in my audit logs and yes i was right:
ok i executed setenforce 0 and this is what came back:
------------------------start binary audit log snippet-----------------------
type=AVC msg=audit(1259596329.727:16384931): avc: denied { write } for pid=742 comm="sqlplus" path="/tmp/rman_normlog736.log" dev=dm-0 ino=49348623 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1259596329.727:16384931): arch=c000003e syscall=59 per=400000 success=yes exit=0 a0=11d05120 a1=11d07e10 a2=11d0c620 a3=3294951a30 items=0 ppid=736 pid=742 auid=1002 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=pts1 ses=6472 comm="sqlplus" exe="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus" subj=user_u:system_r:oracle_sqlplus_t:s0 key=(null)
type=AVC msg=audit(1259596329.728:16384932): avc: denied { search } for pid=742 comm="sqlplus" name="sbin" dev=dm-0 ino=43584030 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1259596329.728:16384932): arch=40000003 syscall=5 per=400000 success=no exit=-2 a0=ffb62da0 a1=0 a2=32 a3=2 items=0 ppid=736 pid=742 auid=1002 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=pts1 ses=6472 comm="sqlplus" exe="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus" subj=user_u:system_r:oracle_sqlplus_t:s0 key=(null)
type=AVC msg=audit(1259596329.729:16384933): avc: denied { getattr } for pid=742 comm="sqlplus" path="/usr/kerberos/sbin" dev=dm-0 ino=43584030 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1259596329.729:16384933): arch=40000003 syscall=195 per=400000 success=yes exit=0 a0=ffb62da0 a1=ffb62e34 a2=8b8fc0 a3=ffffffff items=0 ppid=736 pid=742 auid=1002 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=pts1 ses=6472 comm="sqlplus" exe="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus" subj=user_u:system_r:oracle_sqlplus_t:s0 key=(null)
type=AVC msg=audit(1259596329.737:16384934): avc: denied { search } for pid=742 comm="sqlplus" name="x86_64" dev=dm-0 ino=25103397 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1259596329.737:16384934): arch=40000003 syscall=33 per=400000 success=no exit=-2 a0=9a150a8 a1=0 a2=6e12644 a3=9a62a88 items=0 ppid=736 pid=742 auid=1002 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=pts1 ses=6472 comm="sqlplus" exe="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus" subj=user_u:system_r:oracle_sqlplus_t:s0 key=(null)
type=AVC msg=audit(1259596329.739:16384935): avc: denied { read } for pid=743 comm="oracle" path=2F746D702F73682D7468642D31323539353735363539202864656C6574656429 dev=dm-0 ino=49348624 scontext=user_u:system_r:oracle_db_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1259596329.739:16384935): avc: denied { write } for pid=743 comm="oracle" path="/tmp/rman_normlog736.log" dev=dm-0 ino=49348623 scontext=user_u:system_r:oracle_db_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1259596329.739:16384935): arch=40000003 syscall=11 per=400000 success=yes exit=0 a0=9a8f9d0 a1=9a8fa98 a2=9a917f0 a3=9a8fac8 items=0 ppid=742 pid=743 auid=1002 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=(none) ses=6472 comm="oracle" exe="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/oracle" subj=user_u:system_r:oracle_db_t:s0 key=(null)
type=AVC msg=audit(1259596329.740:16384936): avc: denied { search } for pid=743 comm="oracle" name="sbin" dev=dm-0 ino=43584030 scontext=user_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1259596329.740:16384936): arch=40000003 syscall=5 per=400000 success=no exit=-2 a0=ff946000 a1=0 a2=32 a3=2 items=0 ppid=742 pid=743 auid=1002 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=(none) ses=6472 comm="oracle" exe="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/oracle" subj=user_u:system_r:oracle_db_t:s0 key=(null)
type=AVC msg=audit(1259596329.740:16384937): avc: denied { getattr } for pid=743 comm="oracle" path="/usr/kerberos/sbin" dev=dm-0 ino=43584030 scontext=user_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1259596329.740:16384937): arch=40000003 syscall=195 per=400000 success=yes exit=0 a0=ff946000 a1=ff946094 a2=8b8fc0 a3=ffffffff items=0 ppid=742 pid=743 auid=1002 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=(none) ses=6472 comm="oracle" exe="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/oracle" subj=user_u:system_r:oracle_db_t:s0 key=(null)
type=AVC msg=audit(1259596329.753:16384938): avc: denied { ioctl } for pid=743 comm="oracle" path=2F746D702F73682D7468642D31323539353735363539202864656C6574656429 dev=dm-0 ino=49348624 scontext=user_u:system_r:oracle_db_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1259596329.753:16384938): arch=40000003 syscall=54 per=400000 success=no exit=-25 a0=0 a1=5401 a2=ff941ef8 a3=ff942004 items=0 ppid=742 pid=743 auid=1002 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=(none) ses=6472 comm="oracle" exe="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/oracle" subj=user_u:system_r:oracle_db_t:s0 key=(null)
type=AVC msg=audit(1259596329.756:16384939): avc: denied { search } for pid=742 comm="sqlplus" name="x86_64" dev=dm-0 ino=25103397 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1259596329.756:16384939): arch=40000003 syscall=33 per=400000 success=no exit=-2 a0=9a85388 a1=0 a2=6e12644 a3=9ab9df0 items=0 ppid=736 pid=742 auid=1002 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=pts1 ses=6472 comm="sqlplus" exe="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus" subj=user_u:system_r:oracle_sqlplus_t:s0 key=(null)
type=AVC msg=audit(1259596358.250:16384940): avc: denied { signull } for pid=32595 comm="oracle" scontext=user_u:system_r:oracle_db_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1259596358.250:16384940): arch=40000003 syscall=37 per=400000 success=yes exit=0 a0=2f7 a1=0 a2=c6dd364 a3=ff8d1e44 items=0 ppid=1 pid=32595 auid=1002 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=(none) ses=6472 comm="oracle" exe="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/oracle" subj=user_u:system_r:oracle_db_t:s0 key=(null)
------------------------end binary audit log snippet-----------------------


which translates into:

#============= oracle_db_t ==============
allow oracle_db_t sbin_t:dir { search getattr };
allow oracle_db_t tmp_t:file { read write ioctl };
allow oracle_db_t unconfined_t:process signull;

#============= oracle_sqlplus_t ==============
allow oracle_sqlplus_t httpd_sys_content_t:dir search;
allow oracle_sqlplus_t sbin_t:dir { search getattr };
allow oracle_sqlplus_t tmp_t:file write;


at this time of course my backup worked ...
can anyone check these findings and confirm?

also a note:
I see a lot of selinux messages like described (and probably patched) on this page:
http://git.fedorahosted.org/git/?p=spacewalk.git;a=commitdiff;h=f73e3d94c589a634a972ac1d86583d5a34635836

Regards,

Ghosty
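
Added example, not part of the original post: a small Python reader for AVC denials like the ones in the log above. It groups them into `allow` statements per source type, target type and class, and decodes the hex-encoded `path=` values so it is visible which objects each rule would cover. The function names and the abbreviated sample records are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# AVC records abbreviated from the audit log in the post above
# (SYSCALL records and the pid/dev/ino fields are left out).
SAMPLE_LOG = """\
type=AVC msg=audit(1259596329.727:16384931): avc: denied { write } for comm="sqlplus" path="/tmp/rman_normlog736.log" scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1259596329.728:16384932): avc: denied { search } for comm="sqlplus" name="sbin" scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=AVC msg=audit(1259596329.739:16384935): avc: denied { read } for comm="oracle" path=2F746D702F73682D7468642D31323539353735363539202864656C6574656429 scontext=user_u:system_r:oracle_db_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1259596329.739:16384935): avc: denied { write } for comm="oracle" path="/tmp/rman_normlog736.log" scontext=user_u:system_r:oracle_db_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1259596329.753:16384938): avc: denied { ioctl } for comm="oracle" path=2F746D702F73682D7468642D31323539353735363539202864656C6574656429 scontext=user_u:system_r:oracle_db_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1259596358.250:16384940): avc: denied { signull } for comm="oracle" scontext=user_u:system_r:oracle_db_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')
PATH_RE = re.compile(r'\bpath=(?:"([^"]*)"|((?:[0-9A-Fa-f]{2})+))')

def decode_path(record):
    # auditd writes paths containing spaces or special bytes as bare hex
    m = PATH_RE.search(record)
    if not m:
        return None
    if m.group(1) is not None:
        return m.group(1)
    return bytes.fromhex(m.group(2)).decode("utf-8", "replace")

def summarize(log_text):
    rules, paths = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # a context is user:role:type:level; policy rules are written on the type
        key = (m["s"].split(":")[2], m["t"].split(":")[2], m["cls"])
        rules[key].update(m["perms"].split())
        path = decode_path(line)
        if path:
            paths[key].add(path)
    return rules, paths

def render(rules):
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out
```

Permissions are listed alphabetically here, so the order inside the braces can differ from the rules quoted in the post.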
