Can SELinux be enabled on Oracle Server?


Article ID: 184503




Data Loss Prevention Endpoint Prevent, Data Loss Prevention Network Monitor, Data Loss Prevention Network Prevent for Email, Data Loss Prevention Enforce, Data Loss Prevention Network Discover, Data Loss Prevention Network Prevent for Web, Data Loss Prevention Network Protect, Data Loss Prevention Endpoint Discover


These guidelines provide an overview of setting SELinux to enforcing mode on the Oracle Server. Currently, this configuration is unsupported by the DLP Technical Support team.


Need for SELinux on Oracle Server.


Red Hat 7.*


Some things to consider:

  • Since the Oracle database is so specialized, there are several system settings that must be verified or configured for Oracle to run. Many of these settings adjust how Oracle can use the system's memory or how many processes Oracle can start.
  • Traditional Linux security is based on a Discretionary Access Control (DAC) policy.
  • The Security Enhanced Linux (SELinux) enhancement to the kernel implements a Mandatory Access Control (MAC) policy, which allows you to define a security policy that provides granular permissions for all users, programs, processes, files, and devices. The kernel's access control decisions are based on all the security-relevant information available, and not solely on the authenticated user identity.
  • When security-relevant access occurs, such as when a process attempts to open a file, SELinux intercepts the operation in the kernel. If a MAC policy rule allows the operation, it continues; otherwise, SELinux blocks the operation and returns an error to the process. The kernel checks and enforces DAC policy rules before MAC rules, so it does not check SELinux policy rules if DAC rules have already denied access to a resource.

Considering all of the above information, SELinux can cause issues with any DLP associated system if not implemented correctly.
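One way to see which Oracle accesses the MAC policy denies before relying on enforcing mode is to summarize the AVC records in the audit log. The following is an added example, not part of the original article or of any DLP tooling. The log lines, process names and SELinux labels are constructed, and `parse_denials`, `summarize` and `selinux_type` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed audit.log lines (not from a real host); names and labels are illustrative.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2345 comm="oracle" name="control01.ctl" dev="dm-0" ino=1311 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=2 success=yes exit=3 comm="oracle"
type=AVC msg=audit(1700000007.440:502): avc:  denied  { read write } for  pid=2345 comm="oracle" name="control01.ctl" dev="dm-0" ino=1311 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000011.902:503): avc:  denied  { append } for  pid=2410 comm="tnslsnr" name="listener.log" dev="dm-0" ino=1422 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
'''

# AVC records exist only for accesses that already passed the DAC check, so a
# plain DAC "permission denied" never shows up here.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Return one record per denied permission in the AVC lines of log_text."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, PATH and other record types
        for perm in m["perms"].split():
            denials.append({
                "comm": m["comm"], "perm": perm, "tclass": m["tclass"],
                "stype": selinux_type(m["scon"]), "ttype": selinux_type(m["tcon"]),
                # permissive=1: logged but allowed; 0 or absent: treated as blocked
                "permissive": m["permissive"] == "1",
            })
    return denials

def summarize(denials):
    """Count unique denials, split into (blocked, logged_only)."""
    blocked, logged_only = Counter(), Counter()
    for d in denials:
        key = (d["comm"], d["stype"], d["ttype"], d["tclass"], d["perm"])
        (logged_only if d["permissive"] else blocked)[key] += 1
    return blocked, logged_only

if __name__ == "__main__":
    for counts in summarize(parse_denials(SAMPLE_AUDIT_LOG)):
        print(dict(counts))
```

Entries in the second counter were logged while SELinux was permissive and would become hard failures for the same process once the mode is enforcing.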