03-30-2010, 02:17 PM
Arian

selinux and oracle instantclient

Hello all,
I am using Oracle 11.2 instant client on CentOS (which I heard is based on a version of Fedora/RedHat), and I was trying to use php's PDO and oci8 modules to test connections to Oracle.

I had originally gotten a php error about pdo_oci.so/oci8.so data execution on a dynamic link library, libclsh. I asked selinux boards and they said to try 'setsebool -P allow_execstack on'... I think after that change, I still had issues, so they suggested to turn it off temporarily to see if it works...


So I went into /etc/sysconfig/selinux and set:
SELINUX=disabled
and my script connected and read some rows from the oracle db.


I'm not sure if anyone has had issues with oracle client to work with selinux, without turning it off.

I saw a blog stating to run these, but I have no idea if it will work for my version of oracle, or what it does:
"tail -f /var/log/audit/audit.log | tee oracle.log

audit2allow -M oracle < oracle.log

semodule -i oracle.pp"


Thanks!,
Ari

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
03-30-2010, 02:32 PM
Daniel J Walsh

If you turn it back on, contact me and we can work through the problems.



SELINUX=permissive



Would have allowed your processes to work and logged all of the errors.
Which we could have then fixed.



SELinux error messages are written as "AVC" messages in
/var/log/audit/audit.log
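
The AVC messages that permissive mode leaves in /var/log/audit/audit.log can be summarized before anything is handed to audit2allow; the following is an added example, not part of the original thread, and its log lines are constructed. The function name avc_triage and the hint labels textrel, execmem and other are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarize AVC denials from audit.log.

# Constructed sample lines in audit.log AVC format (not from a real host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1269958633.101:451): avc:  denied  { execmod } for  pid=2345 comm="httpd" path="/usr/lib/oracle/11.2/client64/lib/libclntsh.so.11.1" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1269958633.102:452): avc:  denied  { execstack } for  pid=2345 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1269958633.102:452): arch=c000003e syscall=10 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1269958634.200:460): avc:  denied  { execmod } for  pid=2346 comm="httpd" path="/usr/lib/oracle/11.2/client64/lib/libclntsh.so.11.1" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1269958640.300:470): avc:  denied  { read } for  pid=2345 comm="httpd" path="/home/ari/tnsnames.ora" dev=dm-0 ino=2002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Reads audit.log lines on stdin and prints one row per distinct denial:
#   hint|comm|perms|source_type|target_type|tclass|path
avc_triage() {
    awk '
    function field(key,   s) {            # value of key=... on the current line
        if (!match($0, " " key "=[^ ]+")) return "-"
        s = substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
        gsub(/"/, "", s); return s
    }
    function setype(ctx,   p) { split(ctx, p, ":"); return p[3] }
    /^type=AVC / && / denied / {
        a = index($0, "{ "); b = index($0, " }")
        perms = substr($0, a + 2, b - a - 2)
        cls = field("tclass")
        hint = "other"
        # execmod on a file: a mapped library that needs text relocations.
        if (cls == "file" && perms ~ /execmod/) hint = "textrel"
        # execstack is what the allow_execstack boolean in the first post covers.
        else if (cls == "process" && perms ~ /exec(stack|mem|heap)/) hint = "execmem"
        row = hint "|" field("comm") "|" perms "|" setype(field("scontext")) \
              "|" setype(field("tcontext")) "|" cls "|" field("path")
        if (!(row in seen)) { seen[row] = 1; print row }   # drop repeats
    }'
}

sample_audit_log | avc_triage
```

On a real host the input would be the audit log itself, for example `avc_triage < /var/log/audit/audit.log` run as root.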



03-30-2010, 03:11 PM
Bruno Wolff III

On Tue, Mar 30, 2010 at 10:17:13 -0400,
Arian <armyofda12mnkeys@gmail.com> wrote:
>
> So I went into /etc/sysconfig/selinux and set:
> SELINUX=disabled

Use permissive for testing. If you switch to disabled, you need to relabel
if you later turn it back on.

> I'm not sure if anyone has had issues with oracle client to work with
> selinux, without turning it off.

I don't, but I am running sqlplus from a shell, not using it from a web server.
I don't have any custom policy for it. It doesn't seem to need any unusual
booleans set.

I am using the following:
selinux-policy-targeted-3.7.16-2.fc13.noarch
oracle-instantclient-devel-10.2.0.3-1.x86_64
oracle-instantclient-sqlplus-10.2.0.3-1.x86_64
oracle-instantclient-basic-10.2.0.3-1.x86_64

03-30-2010, 10:04 PM
Vadym Chepkov

What I had to do in the past, after installing oracle client is to just run

restorecon -vR /usr

This would set the proper labels for oracle libraries and binaries.

Sincerely yours,

Vadym Chepkov


03-30-2010, 10:26 PM
Arian

Cool, I'll set permissive on the box when I have a chance later this week and get back at you guys maybe what version the policy rpm I have installed
and see what others have to say about the 'restorecon -vR /usr' command.

Think I have a similar virtual box to test with too possibly earlier this week.


03-31-2010, 01:22 PM
Daniel J Walsh

Oracle is probably not using rpm to install its files. If it is using
some kind of tar ball installer, then it probably is not setting the
labels correct on install. Running restorecon on the installed files
will fix the context. Oracle is supposedly working to improve their
SELinux integration.



04-01-2010, 12:02 AM
Bruno Wolff III

On Wed, Mar 31, 2010 at 09:22:07 -0400,
Daniel J Walsh <dwalsh@redhat.com> wrote:
> Oracle is probably not using rpm to install its files. If it is
> using some kind of tar ball installer, then it probably is not
> setting the labels correct on install. Running restorecon on the
> installed files will fix the context. Oracle is supposedly working
> to improve their SELinux integration.

Their client stuff does come in rpms. I didn't check the spec files to
see if they were doing something odd, but I think things come out OK.

04-01-2010, 12:27 AM
Dennis Gilmore

spacewalk has a selinux policy for oracle that should work for you


Dennis

04-11-2010, 08:02 PM
Göran Uddeborg

Arian:
> I'm not sure if anyone has had issues with oracle client to work with
> selinux, without turning it off.

We have also used Oracle's Instant Client RPM:s, a few different 10.*
and 11.* versions. What we have found is that they are built so they
need text relocations. On RHEL5 systems we run the following command
when we kickstart them:

semanage fcontext -a -t textrel_shlib_t "/usr/lib/oracle/1...*/client.*/lib/lib.*.so"
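
Which paths the pattern in the semanage command above covers can be checked offline, because file-context patterns are regular expressions anchored to the whole path; this is an added example, not part of the original post. The sample paths are constructed, and TIGHT_RE is a hypothetical narrower pattern shown for comparison, not one from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): test paths against the fcontext pattern.
# grep -E -x (extended regex, whole-line match) models the anchored match.

THREAD_RE='/usr/lib/oracle/1...*/client.*/lib/lib.*.so'   # from the post above
# Hypothetical tighter variant (an assumption): literal dots, no "/" crossing,
# and an optional version suffix after ".so".
TIGHT_RE='/usr/lib/oracle/1[^/]+/client[^/]*/lib/lib[^/]+\.so(\.[^/]+)?'

covered() {            # covered PATH REGEX -> prints yes or no
    if printf '%s\n' "$1" | grep -Eqx -- "$2"; then echo yes; else echo no; fi
}

# Constructed sample paths, one per line.
sample_paths() {
cat <<'EOF'
/usr/lib/oracle/11.2/client64/lib/libclntsh.so
/usr/lib/oracle/11.2/client64/lib/libclntsh.so.11.1
/usr/lib/oracle/10.2.0.3/client/lib/libociei.so
/usr/lib/oracle/11.2/client64/lib/libfoo/bar_so
EOF
}

report() {             # one "thread=<yes|no> tight=<yes|no> path" row per path
    sample_paths | while IFS= read -r p; do
        echo "thread=$(covered "$p" "$THREAD_RE") tight=$(covered "$p" "$TIGHT_RE") $p"
    done
}

report
```

`semanage fcontext -a` only records the rule; files already on disk keep their old label until `restorecon` is run on them.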