Re: [Spacewalk-devel] Selinux fix for taking backups of the oracle xe

2010-01-06 Thread Jan Pazdziora
On Tue, Dec 01, 2009 at 09:47:29PM +0100, George wrote:
 Making a backup of spacewalk database:

 environment: centos 5.3 running spacewalk 0.6 (according to  
 /etc/spacewalk-release: spacewalk release 0.6.4 (Alpha))

[...]

 When trying to run backup script:
 $ /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh

[...]

 which translates into:

 #= oracle_db_t ==
 allow oracle_db_t sbin_t:dir { search getattr };
 allow oracle_db_t tmp_t:file { read write ioctl };
 allow oracle_db_t unconfined_t:process signull;

 #= oracle_sqlplus_t ==
 allow oracle_sqlplus_t httpd_sys_content_t:dir search;
 allow oracle_sqlplus_t sbin_t:dir { search getattr };
 allow oracle_sqlplus_t tmp_t:file write;


 at this time of course my backup worked ...
 anyone can check these findings and confirm?

George,

with the following packages

oracle-instantclient-sqlplus-selinux-10.2-17.el5
oracle-nofcontext-selinux-0.1-23.13.el5
oracle-instantclient-selinux-10.2-17.el5
oracle-xe-selinux-10.2-15.el5

from Spacewalk 0.7, none of the above happens, so I assume we've fixed
it for 0.7.

 also a note:
 I see a lot of selinux messages like described (and probably patched) on  
 this page:
 http://git.fedorahosted.org/git/?p=spacewalk.git;a=commitdiff;h=f73e3d94c589a634a972ac1d86583d5a34635836

Yes, I do see

allow oracle_db_t self:process ptrace;
allow oracle_db_t unconfined_t:process signull;

issues on my system, even if the ptrace is allowed in the policy module.
I'll try to investigate.

Luckily, these do not seem to affect the backup operation.

Yours,

-- 
Jan Pazdziora
Principal Software Engineer, Satellite Engineering, Red Hat

___
Spacewalk-devel mailing list
Spacewalk-devel@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-devel
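The allow rules quoted above are what audit2allow produces from the AVC records George posted further down the thread. As an added example (not code from the Spacewalk project or from anyone in this thread), here is a small Python parser that does the same aggregation: it joins each AVC record to its SYSCALL record by audit serial, decodes the hex-encoded path auditd emits for names that contain spaces, groups the denied permissions per (source type, target type, class) into allow rules, and flags denials whose syscall ended in ENOENT rather than EACCES. The sample records are constructed from the posted snippet, re-joined to one record per line as audit.log stores them and trimmed to the fields the parser needs; the page shows no SYSCALL record for the last AVC, so none is included.

```python
"""Turn SELinux AVC denials from audit.log into audit2allow-style rules.

Added example for this thread, not code from the Spacewalk project or
from any of the posters. SAMPLE_AUDIT_LOG is constructed from the
snippet George posted: each record re-joined onto one line (as audit.log
stores them) and trimmed to the fields this parser uses.
"""
import re
from collections import defaultdict, namedtuple

Denial = namedtuple(
    "Denial", "serial perms stype ttype tclass path comm success exit_code")

AVC_RE = re.compile(
    r"^type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
SYSCALL_RE = re.compile(
    r"^type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")

# Constructed sample (see module docstring); no SYSCALL for the last AVC.
SAMPLE_AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1259596329.727:16384931): avc:  denied  { write } for  pid=742 comm="sqlplus" path="/tmp/rman_normlog736.log" dev=dm-0 ino=49348623 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1259596329.727:16384931): syscall=59 success=yes exit=0 pid=742 comm="sqlplus" subj=user_u:system_r:oracle_sqlplus_t:s0',
    'type=AVC msg=audit(1259596329.728:16384932): avc:  denied  { search } for  pid=742 comm="sqlplus" name="sbin" dev=dm-0 ino=43584030 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1259596329.728:16384932): syscall=5 success=no exit=-2 pid=742 comm="sqlplus" subj=user_u:system_r:oracle_sqlplus_t:s0',
    'type=AVC msg=audit(1259596329.729:16384933): avc:  denied  { getattr } for  pid=742 comm="sqlplus" path="/usr/kerberos/sbin" dev=dm-0 ino=43584030 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1259596329.729:16384933): syscall=195 success=yes exit=0 pid=742 comm="sqlplus" subj=user_u:system_r:oracle_sqlplus_t:s0',
    'type=AVC msg=audit(1259596329.737:16384934): avc:  denied  { search } for  pid=742 comm="sqlplus" name="x86_64" dev=dm-0 ino=25103397 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1259596329.737:16384934): syscall=33 success=no exit=-2 pid=742 comm="sqlplus" subj=user_u:system_r:oracle_sqlplus_t:s0',
    'type=AVC msg=audit(1259596329.739:16384935): avc:  denied  { read } for  pid=743 comm="oracle" path=2F746D702F73682D7468642D31323539353735363539202864656C6574656429 dev=dm-0 ino=49348624 scontext=user_u:system_r:oracle_db_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file',
])


def decode_value(value):
    """Strip quotes; auditd hex-encodes (unquoted) values that contain
    spaces or unprintable bytes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    if HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def type_of(context):
    """user_u:system_r:oracle_sqlplus_t:s0 -> oracle_sqlplus_t"""
    return context.split(":")[2]


def parse_audit_log(text):
    """One Denial per AVC record, joined to its SYSCALL record by serial."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m.group("serial")] = dict(FIELD_RE.findall(m.group("fields")))
            continue
        m = AVC_RE.match(line)
        if m:
            avcs.append((m.group("serial"), m.group("perms").split(),
                         dict(FIELD_RE.findall(m.group("fields")))))
    denials = []
    for serial, perms, f in avcs:
        sc = syscalls.get(serial, {})
        denials.append(Denial(
            serial=serial, perms=frozenset(perms),
            stype=type_of(f["scontext"]), ttype=type_of(f["tcontext"]),
            tclass=f["tclass"],
            path=decode_value(f.get("path") or f.get("name") or ""),
            comm=decode_value(f.get("comm", "")),
            success=sc.get("success"),
            exit_code=int(sc["exit"]) if "exit" in sc else None))
    return denials


def allow_rules(denials):
    """Group denied permissions per (source, target, class) into allow
    rules, printed by source type the way audit2allow does."""
    perms = defaultdict(set)
    for d in denials:
        perms[(d.stype, d.ttype, d.tclass)] |= d.perms
    lines = []
    for stype in sorted({key[0] for key in perms}):
        lines.append("#============= %s ==============" % stype)
        for key in sorted(k for k in perms if k[0] == stype):
            p = sorted(perms[key])
            p_str = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
            lines.append("allow %s %s:%s %s;" % (key[0], key[1], key[2], p_str))
    return lines


def not_caused_by_selinux(denials):
    """Denials whose syscall failed with ENOENT (exit=-2), not EACCES (-13).
    Under setenforce 0 the access goes ahead after the AVC is logged, so
    exit=-2 means the name was simply absent (e.g. a PATH walk); audit2allow
    would still emit a rule for it, so review these before loading policy."""
    return [d for d in denials if d.success == "no" and d.exit_code == -2]


if __name__ == "__main__":
    found = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("\n".join(allow_rules(found)))
    for d in not_caused_by_selinux(found):
        print("# ENOENT, probably not an SELinux block: %s %s:%s %s"
              % (d.stype, d.ttype, d.tclass, " ".join(sorted(d.perms))))
```

Run as a script it prints the same rules George quoted: oracle_sqlplus_t needs write on tmp_t files, search and getattr on sbin_t directories and search on httpd_sys_content_t; oracle_db_t needs read on tmp_t. The hex path on the oracle_db_t record decodes to /tmp/sh-thd-1259575659 (deleted), the name bash gives a here-document temp file, so backup.sh is feeding the server through a heredoc in /tmp. The two flagged denials (the sbin_t and httpd_sys_content_t searches) ended in ENOENT, which is what a PATH walk over directories that do not hold the wanted name looks like with enforcement off; check whether such accesses really belong in policy before loading a module built from them. Remember that setenforce 0 is system-wide for the whole capture window, not limited to the Oracle domains.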


Re: [Spacewalk-devel] Selinux fix for taking backups of the oracle xe

2009-12-19 Thread George

Jan Pazdziora wrote:

On Tue, Dec 01, 2009 at 09:47:29PM +0100, George wrote:

Making a backup of spacewalk database:

environment: centos 5.3 running spacewalk 0.6 (according to  
/etc/spacewalk-release: spacewalk release 0.6.4 (Alpha))


[...]

George,

thank you for your post. I shall try to investigate and integrate the
changes (I actually hit some earlier in the process when trying to run
the backup, which I'm focusing on now).



Actually I ran into some problems after setting this up:
I updated my spacewalk box to centos 5.4, rebooted to activate the new 
kernel. On reboot my oracle was complaining
ORA-12528: TNS:listener: all appropriate instances are blocking new 
connections\n', 'xe', 'Connection_Connect(): server attach')


I tried to login manually but couldn't ... looked into the logs and saw 
some errors about the backup mount or something (don't remember how 
it's called again)
After a while I was able to restart oracle by hand and then access it 
and disabled online backups again unfortunately ...

(this can be due to the update but also due to the reboot ...)
After that everything still seems to work, spacewalk 0.6 on centos 5.4 
right now.


When I have time I'll try and setup a development environment for 0.7 
(that just came out the day my 0.6 went live ;-) )


Regards,

George



Re: [Spacewalk-devel] Selinux fix for taking backups of the oracle xe

2009-12-08 Thread Jan Pazdziora
On Tue, Dec 01, 2009 at 09:47:29PM +0100, George wrote:
 Making a backup of spacewalk database:

 environment: centos 5.3 running spacewalk 0.6 (according to  
 /etc/spacewalk-release: spacewalk release 0.6.4 (Alpha))

[...]

George,

thank you for your post. I shall try to investigate and integrate the
changes (I actually hit some earlier in the process when trying to run
the backup, which I'm focusing on now).

-- 
Jan Pazdziora
Principal Software Engineer, Satellite Engineering, Red Hat



[Spacewalk-devel] Selinux fix for taking backups of the oracle xe

2009-12-01 Thread George

Making a backup of spacewalk database:

environment: centos 5.3 running spacewalk 0.6 (according to 
/etc/spacewalk-release: spacewalk release 0.6.4 (Alpha))


tried to follow this page: 
https://fedorahosted.org/spacewalk/wiki/SpacewalkBackup


$ su oracle
I found out that first and foremost after doing the 'su oracle' you need 
to load the oracle environment:

$ . /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/oracle_env.sh

OK, now we log in and alter some database things as described on the page:
$ sqlplus /nolog
SQL> connect / as sysdba
Connected.
SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup mount
ORACLE instance started.

Total System Global Area  805306368 bytes
Fixed Size                  1261444 bytes
Variable Size             213909628 bytes
Database Buffers          587202560 bytes
Redo Buffers                2932736 bytes
Database mounted.
SQL> alter database archivelog;

Database altered.

SQL> alter database open;

Database altered.

SQL> SELECT LOG_MODE FROM SYS.V$DATABASE;

LOG_MODE

ARCHIVELOG

SQL> quit
Disconnected from Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production


When trying to run backup script:
$ /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh
 ERROR = 

 Backup of the database failed 

 ERROR = 

flash recovery area is not enabled. 

Log file is at /usr/lib/oracle/xe/oxe_backup_current.log. 


Press ENTER key to exit


not sure if this is already in the database but I tried this first 
(thinking it was really the flash recovery area which was not defined):
SQL> alter system set db_recovery_file_dest='/usr/lib/oracle/xe/app/oracle/flash_recovery_area/XE/';


when it was still not working it hit me that it was maybe SELinux, so I 
looked in my audit logs and yes, I was right:

OK, I executed setenforce 0 and this is what came back:
--- start binary audit log snippet ---
type=AVC msg=audit(1259596329.727:16384931): avc:  denied  { write } for 
 pid=742 comm=sqlplus path=/tmp/rman_normlog736.log dev=dm-0 
ino=49348623 scontext=user_u:system_r:oracle_sqlplus_t:s0 
tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1259596329.727:16384931): arch=c03e 
syscall=59 per=40 success=yes exit=0 a0=11d05120 a1=11d07e10 
a2=11d0c620 a3=3294951a30 items=0 ppid=736 pid=742 auid=1002 uid=101 
gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=pts1 
ses=6472 comm=sqlplus 
exe=/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus 
subj=user_u:system_r:oracle_sqlplus_t:s0 key=(null)
type=AVC msg=audit(1259596329.728:16384932): avc:  denied  { search } 
for  pid=742 comm=sqlplus name=sbin dev=dm-0 ino=43584030 
scontext=user_u:system_r:oracle_sqlplus_t:s0 
tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1259596329.728:16384932): arch=4003 syscall=5 
per=40 success=no exit=-2 a0=ffb62da0 a1=0 a2=32 a3=2 items=0 
ppid=736 pid=742 auid=1002 uid=101 gid=103 euid=101 suid=101 fsuid=101 
egid=103 sgid=103 fsgid=103 tty=pts1 ses=6472 comm=sqlplus 
exe=/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus 
subj=user_u:system_r:oracle_sqlplus_t:s0 key=(null)
type=AVC msg=audit(1259596329.729:16384933): avc:  denied  { getattr } 
for  pid=742 comm=sqlplus path=/usr/kerberos/sbin dev=dm-0 
ino=43584030 scontext=user_u:system_r:oracle_sqlplus_t:s0 
tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1259596329.729:16384933): arch=4003 
syscall=195 per=40 success=yes exit=0 a0=ffb62da0 a1=ffb62e34 
a2=8b8fc0 a3= items=0 ppid=736 pid=742 auid=1002 uid=101 gid=103 
euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=pts1 
ses=6472 comm=sqlplus 
exe=/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus 
subj=user_u:system_r:oracle_sqlplus_t:s0 key=(null)
type=AVC msg=audit(1259596329.737:16384934): avc:  denied  { search } 
for  pid=742 comm=sqlplus name=x86_64 dev=dm-0 ino=25103397 
scontext=user_u:system_r:oracle_sqlplus_t:s0 
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1259596329.737:16384934): arch=4003 
syscall=33 per=40 success=no exit=-2 a0=9a150a8 a1=0 a2=6e12644 
a3=9a62a88 items=0 ppid=736 pid=742 auid=1002 uid=101 gid=103 euid=101 
suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=pts1 ses=6472 
comm=sqlplus 
exe=/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus 
subj=user_u:system_r:oracle_sqlplus_t:s0 key=(null)
type=AVC msg=audit(1259596329.739:16384935): avc:  denied  { read } for 
 pid=743 comm=oracle 
path=2F746D702F73682D7468642D31323539353735363539202864656C6574656429 dev=dm-0 
ino=49348624 scontext=user_u:system_r:oracle_db_t:s0 
tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1259596329.739:16384935): avc:  denied  {