selinux and oracle instantclient

Dennis Gilmore dennis at ausil.us
Thu Apr 1 00:27:47 UTC 2010 

spacewalk has a selinux policy for oracle that should work for you


Dennis

On Tuesday 30 March 2010 09:32:51 am Daniel J Walsh wrote:
> On 03/30/2010 10:17 AM, Arian wrote:
> > Hello all,
> > I am using Oracle 11.2 instant client on CentOS (which i heard is
> > based a version of Fedora/RedHat), and I was trying to use php's PDO
> > and oci8 modules to test connections to Oracle.
> > 
> > I had originally gotten a php error about pdo_oci.so/oci8.so
> > <http://pdo_oci.so/oci8.so> data execution on a dynamic link library,
> > libclsh. I asked selinux boards and they said to try 'setsebool -P
> > allow_execstack on'...  I think after that change, i still had issues,
> > so they suggested to turn it off temporarily to see if it works...
> > 
> > So I went into /etc/sysconfig/selinux and set:
> > SELINUX=disabled
> > and my script connected and read some rows from the oracle db.
> > 
> > 
> > Im not sure if anyone has had issues with oracle client to work with
> > selinux, without turning it off.
> > I saw a blog stating to run these, but i have no idea if it will work
> > for my version of oracle, or what it does:
> > "tail -f /var/log/audit/audit.log | tee oracle.log
> > audit2allow -M oracle < oracle.log
> > semodule -i oracle.pp"
> > 
> > 
> > Thanks!,
> > Ari
> > 
> > 
> > --
> > selinux mailing list
> > selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> If you turn it back on, contact me and we can work through the problems.
> 
> SELINUX=permissive
> 
> Would have allowed your processes to work and logged all of the errors.
> Which we could have then fixed.
> 
> SELinux error messages are written as "AVC" messages in
> /var/log/audit/audit.log
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100331/51b5a5a6/attachment.bin

More information about the selinux mailing list