Re: [Spacewalk-devel] Selinux fix for taking backups of the oracle xe
On Tue, Dec 01, 2009 at 09:47:29PM +0100, George wrote:
> Making a backup of spacewalk database:
>
> environment: centos 5.3 running spacewalk 0.6 (according to
> /etc/spacewalk-release: spacewalk release 0.6.4 (Alpha))

[...]

> When trying to run backup script:
>
> $ /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh

[...]

> which translates into:
>
> #= oracle_db_t ==
> allow oracle_db_t sbin_t:dir { search getattr };
> allow oracle_db_t tmp_t:file { read write ioctl };
> allow oracle_db_t unconfined_t:process signull;
>
> #= oracle_sqlplus_t ==
> allow oracle_sqlplus_t httpd_sys_content_t:dir search;
> allow oracle_sqlplus_t sbin_t:dir { search getattr };
> allow oracle_sqlplus_t tmp_t:file write;
>
> at this time of course my backup worked ... anyone can check these
> findings and confirm?

George,

with the following packages

  oracle-instantclient-sqlplus-selinux-10.2-17.el5
  oracle-nofcontext-selinux-0.1-23.13.el5
  oracle-instantclient-selinux-10.2-17.el5
  oracle-xe-selinux-10.2-15.el5

from Spacewalk 0.7, none of the above happens, so I assume we've fixed
it for 0.7.

> also a note: I see a lot of selinux messages like described (and
> probably patched) on this page:
> http://git.fedorahosted.org/git/?p=spacewalk.git;a=commitdiff;h=f73e3d94c589a634a972ac1d86583d5a34635836

Yes, I do see

  allow oracle_db_t self:process ptrace;
  allow oracle_db_t unconfined_t:process signull;

issues on my system, even if the ptrace is allowed in the policy module.
I'll try to investigate. Luckily, these do not seem to affect the backup
operation.

Yours,

-- 
Jan Pazdziora
Principal Software Engineer, Satellite Engineering, Red Hat

___
Spacewalk-devel mailing list
Spacewalk-devel@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-devel
Re: [Spacewalk-devel] Selinux fix for taking backups of the oracle xe
Jan Pazdziora wrote:
> On Tue, Dec 01, 2009 at 09:47:29PM +0100, George wrote:
>> Making a backup of spacewalk database:
>>
>> environment: centos 5.3 running spacewalk 0.6 (according to
>> /etc/spacewalk-release: spacewalk release 0.6.4 (Alpha))
>
> [...]
>
> George,
>
> thank you for your post. I shall try to investigate and integrate the
> changes (I actually hit some earlier in the process when trying to run
> the backup, which I'm focusing on now).

Actually I ran into some problems after setting this up:

I updated my spacewalk box to centos 5.4, rebooted to activate the new
kernel. On reboot my oracle was complaining

  ORA-12528: TNS:listener: all appropriate instances are blocking new connections\n', 'xe', 'Connection_Connect(): server attach')

I tried to login manually but couldn't ... looked into the logs and saw
some errors about the backup mount or something (don't remember how it's
called again). After a while I was able to restart oracle by hand and
then access it, and disabled online backups again unfortunately ...
(this can be due to the update but also due to the reboot ...)

After that everything still seems to work, spacewalk 0.6 on centos 5.4
right now.

When I have time I'll try and set up a development environment for 0.7
(that just came out the day my 0.6 went live ;-) )

Regards,
George
Re: [Spacewalk-devel] Selinux fix for taking backups of the oracle xe
On Tue, Dec 01, 2009 at 09:47:29PM +0100, George wrote:
> Making a backup of spacewalk database:
>
> environment: centos 5.3 running spacewalk 0.6 (according to
> /etc/spacewalk-release: spacewalk release 0.6.4 (Alpha))

[...]

George,

thank you for your post. I shall try to investigate and integrate the
changes (I actually hit some earlier in the process when trying to run
the backup, which I'm focusing on now).

-- 
Jan Pazdziora
Principal Software Engineer, Satellite Engineering, Red Hat
[Spacewalk-devel] Selinux fix for taking backups of the oracle xe
Making a backup of spacewalk database:

environment: centos 5.3 running spacewalk 0.6 (according to
/etc/spacewalk-release: spacewalk release 0.6.4 (Alpha))

tried to follow this page:
https://fedorahosted.org/spacewalk/wiki/SpacewalkBackup

$ su oracle

I found out that first and foremost after doing the 'su oracle' you need
to load the oracle environment:

$ . /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/oracle_env.sh

ok now we login and alter some database things as described on the page:

$ sqlplus /nolog
SQL> connect / as sysdba
Connected.
SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup mount
ORACLE instance started.

Total System Global Area  805306368 bytes
Fixed Size                  1261444 bytes
Variable Size             213909628 bytes
Database Buffers          587202560 bytes
Redo Buffers                2932736 bytes
Database mounted.
SQL> alter database archivelog;

Database altered.

SQL> alter database open;

Database altered.

SQL> SELECT LOG_MODE FROM SYS.V$DATABASE;

LOG_MODE
ARCHIVELOG

SQL> quit
Disconnected from Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production

When trying to run backup script:

$ /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh
ERROR = Backup of the database failed
ERROR = flash recovery area is not enabled.
Log file is at /usr/lib/oracle/xe/oxe_backup_current.log.

Press ENTER key to exit

not sure if this is already in the database but I tried this first
(thinking it was really the flash recovery area which was not defined):

SQL> alter system set db_recovery_file_dest='/usr/lib/oracle/xe/app/oracle/flash_recovery_area/XE/';

when it was still not working it hit me that it was maybe selinux, so I
looked in my audit logs and yes, I was right:

ok I executed setenforce 0 and this is what came back:

--- start binary audit log snippet ---
type=AVC msg=audit(1259596329.727:16384931): avc: denied { write } for pid=742 comm=sqlplus path=/tmp/rman_normlog736.log dev=dm-0 ino=49348623 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1259596329.727:16384931): arch=c03e syscall=59 per=40 success=yes exit=0 a0=11d05120 a1=11d07e10 a2=11d0c620 a3=3294951a30 items=0 ppid=736 pid=742 auid=1002 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=pts1 ses=6472 comm=sqlplus exe=/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus subj=user_u:system_r:oracle_sqlplus_t:s0 key=(null)
type=AVC msg=audit(1259596329.728:16384932): avc: denied { search } for pid=742 comm=sqlplus name=sbin dev=dm-0 ino=43584030 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1259596329.728:16384932): arch=4003 syscall=5 per=40 success=no exit=-2 a0=ffb62da0 a1=0 a2=32 a3=2 items=0 ppid=736 pid=742 auid=1002 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=pts1 ses=6472 comm=sqlplus exe=/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus subj=user_u:system_r:oracle_sqlplus_t:s0 key=(null)
type=AVC msg=audit(1259596329.729:16384933): avc: denied { getattr } for pid=742 comm=sqlplus path=/usr/kerberos/sbin dev=dm-0 ino=43584030 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1259596329.729:16384933): arch=4003 syscall=195 per=40 success=yes exit=0 a0=ffb62da0 a1=ffb62e34 a2=8b8fc0 a3= items=0 ppid=736 pid=742 auid=1002 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=pts1 ses=6472 comm=sqlplus exe=/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus subj=user_u:system_r:oracle_sqlplus_t:s0 key=(null)
type=AVC msg=audit(1259596329.737:16384934): avc: denied { search } for pid=742 comm=sqlplus name=x86_64 dev=dm-0 ino=25103397 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1259596329.737:16384934): arch=4003 syscall=33 per=40 success=no exit=-2 a0=9a150a8 a1=0 a2=6e12644 a3=9a62a88 items=0 ppid=736 pid=742 auid=1002 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=pts1 ses=6472 comm=sqlplus exe=/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus subj=user_u:system_r:oracle_sqlplus_t:s0 key=(null)
type=AVC msg=audit(1259596329.739:16384935): avc: denied { read } for pid=743 comm=oracle path=2F746D702F73682D7468642D31323539353735363539202864656C6574656429 dev=dm-0 ino=49348624 scontext=user_u:system_r:oracle_db_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1259596329.739:16384935): avc: denied {
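The allow rules quoted in the reply are what audit2allow derives from AVC records like the ones in this post. As an added example, not code from the thread or from Spacewalk, the Python script below performs that derivation by hand so the mapping is visible: it picks the AVC records out of an audit.log stream (skipping the interleaved SYSCALL records), decodes the hex-encoded path that audit emits for names containing spaces (the `2F746D70...` value above is one), and unions the denied permissions per (source type, target type, class) into the grouped rule list. The embedded sample log is constructed, abridged from the records posted here, with one added `signull` record so the output also covers the `oracle_db_t unconfined_t:process` rule from the reply; all function names are mine.

```python
#!/usr/bin/env python3
"""Aggregate SELinux AVC denials from audit.log into audit2allow-style allow rules.
Added example for the thread above; not part of Spacewalk or of the posted messages."""
import re
import sys
from collections import defaultdict

# Constructed sample (abridged from the denials posted in the thread; the
# final signull record is added to match the rule quoted in the reply).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1259596329.727:16384931): avc:  denied  { write } for  pid=742 comm="sqlplus" path="/tmp/rman_normlog736.log" dev=dm-0 ino=49348623 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1259596329.727:16384931): syscall=59 success=yes exit=0 ppid=736 pid=742 comm="sqlplus" subj=user_u:system_r:oracle_sqlplus_t:s0 key=(null)
type=AVC msg=audit(1259596329.728:16384932): avc:  denied  { search } for  pid=742 comm="sqlplus" name="sbin" dev=dm-0 ino=43584030 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=AVC msg=audit(1259596329.729:16384933): avc:  denied  { getattr } for  pid=742 comm="sqlplus" path="/usr/kerberos/sbin" dev=dm-0 ino=43584030 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=AVC msg=audit(1259596329.737:16384934): avc:  denied  { search } for  pid=742 comm="sqlplus" name="x86_64" dev=dm-0 ino=25103397 scontext=user_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1259596329.739:16384935): avc:  denied  { read } for  pid=743 comm="oracle" path=2F746D702F73682D7468642D31323539353735363539202864656C6574656429 dev=dm-0 ino=49348624 scontext=user_u:system_r:oracle_db_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1259596329.740:16384936): avc:  denied  { signull } for  pid=743 comm="oracle" scontext=user_u:system_r:oracle_db_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
"""

AVC_RE = re.compile(r"type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} for +(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields whose values audit prints quoted, or hex-encoded when they contain
# spaces, quotes or non-printable bytes. Numeric fields (ino, pid, ...) must
# never be hex-decoded, so decoding is restricted to these names.
STRING_FIELDS = {"path", "name", "comm", "exe", "key"}

def decode_audit_value(raw):
    """Undo audit's string encoding: strip quotes, or hex-decode an unquoted value."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        try:
            decoded = bytes.fromhex(raw).decode("utf-8")
        except ValueError:
            return raw
        if decoded.isprintable():
            return decoded
    return raw

def context_type(ctx):
    """user_u:system_r:oracle_db_t:s0 -> oracle_db_t (third colon-separated field)."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Return the denial as a dict, or None for non-AVC records (SYSCALL, CWD, PATH ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group("fields")):
        fields[key] = decode_audit_value(value) if key in STRING_FIELDS else value
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "fields": fields,
    }

def aggregate_rules(lines):
    """Map (source type, target type, class) -> union of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)

def format_policy(rules):
    """Render the rules grouped per source type, in the layout audit2allow prints."""
    out = []
    for stype in sorted({key[0] for key in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, t, cls), perms in sorted(rules.items()):
            if s != stype:
                continue
            perm_text = " ".join(sorted(perms))
            if len(perms) > 1:
                perm_text = "{ " + perm_text + " }"
            out.append(f"allow {s} {t}:{cls} {perm_text};")
        out.append("")
    return "\n".join(out).rstrip("\n")

if __name__ == "__main__":
    # Read records from the file given on the command line, else use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_AUDIT_LOG.splitlines()
    print(format_policy(aggregate_rules(lines)))
```

Treat the output as a list of things to investigate rather than as policy to load: a denial against `tmp_t` or `sbin_t` usually means a file that should carry a different label (or a boolean that should be switched on), and an `allow oracle_db_t unconfined_t:process signull;` widens the Oracle domain for every run of the server, not just the backup. Running the script on a live `/var/log/audit/audit.log` needs read access to that file, which on CentOS 5 means root.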