Data Loss Prevention Endpoint Prevent, Data Loss Prevention Network Monitor, Data Loss Prevention Network Prevent for Email, Data Loss Prevention Enforce, Data Loss Prevention Network Discover, Data Loss Prevention Network Prevent for Web, Data Loss Prevention Network Protect, Data Loss Prevention Endpoint Discover
Issue/Introduction
These guidelines provide an overview of setting SELinux to enforcing mode on the Oracle Server. Currently, this configuration is unsupported by the DLP Technical Support team.
Cause
Need for SELinux on Oracle Server.
Environment
Red Hat 7.*
Resolution
Some things to consider:
Since the Oracle database is so specialized, there are several system settings that must be verified or configured for Oracle to run. Many of these settings adjust how Oracle can use the system's memory or how many processes Oracle can start.
Traditional Linux security is based on a Discretionary Access Control (DAC) policy.
The Security Enhanced Linux (SELinux) enhancement to the kernel implements a Mandatory Access Control (MAC) policy, which allows you to define a security policy that provides granular permissions for all users, programs, processes, files, and devices. The kernel's access control decisions are based on all the security-relevant information available, and not solely on the authenticated user identity.
When a security-relevant access occurs, such as when a process attempts to open a file, SELinux intercepts the operation in the kernel. If a MAC policy rule allows the operation, it continues; otherwise, SELinux blocks the operation and returns an error to the process. The kernel checks and enforces DAC policy rules before MAC rules, so it does not check SELinux policy rules if DAC rules have already denied access to a resource.
Considering all of the above information, SELinux can cause issues with any DLP-associated system if not implemented correctly.
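One way to see which accesses the MAC policy denies is to summarize the AVC denial records in the audit log and separate those that were only logged (permissive) from those that were blocked (enforcing). This is an added example, not part of the original article; the sample records, process names, file names and labels are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): summarize SELinux AVC denials.

# Constructed sample audit records; on a real host the input would be
# /var/log/audit/audit.log. Process names, files and labels are illustrative.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000001.101:510): avc:  denied  { read } for  pid=4121 comm="oracle" name="example.dbf" dev="dm-0" ino=9001 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000001.101:510): arch=c000003e syscall=2 success=no exit=-13 comm="oracle"
type=AVC msg=audit(1700000002.202:511): avc:  denied  { read } for  pid=4121 comm="oracle" name="example.dbf" dev="dm-0" ino=9001 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000003.303:512): avc:  denied  { write add_name } for  pid=4150 comm="tnslsnr" name="example.log" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
EOF
}

# Reads audit records on stdin; prints "count outcome comm tclass perms".
# outcome: blocked (permissive=0), logged-only (permissive=1), unknown (no field).
summarize_avc() {
    awk '
    # Return the value of key=value on the current record, quotes stripped.
    function val(key,   s) {
        if (!match($0, " " key "=[^ ]+")) return "?"
        s = substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
        gsub(/"/, "", s)
        return s
    }
    /^type=AVC / && / denied / {
        perms = "?"
        if (match($0, /[{] [^}]* [}]/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perms)
        p = val("permissive")
        outcome = (p == "1") ? "logged-only" : (p == "0") ? "blocked" : "unknown"
        n[outcome " " val("comm") " " val("tclass") " " perms]++
    }
    END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k2
}

# Stand-alone run over the constructed sample.
sample_audit_log | summarize_avc
```

An access that DAC rules have already denied never reaches the SELinux check described above, so it does not appear in this summary.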