Hello all, I am using Oracle 11.2 instant client on CentOS (which I heard is based on a version of Fedora/RedHat), and I was trying to use php's PDO and oci8 modules to test connections to Oracle.
I had originally gotten a php error about pdo_oci.so/oci8.so data execution on a dynamic link library, libclsh. I asked selinux boards and they said to try 'setsebool -P allow_execstack on'... I think after that change, I still had issues, so they suggested to turn it off temporarily to see if it works...
So I went into /etc/sysconfig/selinux and set: SELINUX=disabled and my script connected and read some rows from the oracle db.
I'm not sure if anyone has had issues with oracle client to work with selinux, without turning it off. I saw a blog stating to run these, but I have no idea if it will work for my version of oracle, or what it does: "tail -f /var/log/audit/audit.log | tee oracle.log
audit2allow -M oracle < oracle.log
semodule -i oracle.pp"
Thanks!, Ari
On 03/30/2010 10:17 AM, Arian wrote:
Hello all, I am using Oracle 11.2 instant client on CentOS (which I heard is based on a version of Fedora/RedHat), and I was trying to use php's PDO and oci8 modules to test connections to Oracle.
I had originally gotten a php error about pdo_oci.so/oci8.so data execution on a dynamic link library, libclsh. I asked selinux boards and they said to try 'setsebool -P allow_execstack on'... I think after that change, I still had issues, so they suggested to turn it off temporarily to see if it works...
So I went into /etc/sysconfig/selinux and set: SELINUX=disabled and my script connected and read some rows from the oracle db.
I'm not sure if anyone has had issues with oracle client to work with selinux, without turning it off. I saw a blog stating to run these, but I have no idea if it will work for my version of oracle, or what it does: "tail -f /var/log/audit/audit.log | tee oracle.log
audit2allow -M oracle < oracle.log
semodule -i oracle.pp"
Thanks!, Ari
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
If you turn it back on, contact me and we can work through the problems.
SELINUX=permissive
Would have allowed your processes to work and logged all of the errors. Which we could have then fixed.
SELinux error messages are written as "AVC" messages in /var/log/audit/audit.log
spacewalk has a selinux policy for oracle that should work for you
Dennis
On Tuesday 30 March 2010 09:32:51 am Daniel J Walsh wrote:
On 03/30/2010 10:17 AM, Arian wrote:
Hello all, I am using Oracle 11.2 instant client on CentOS (which I heard is based on a version of Fedora/RedHat), and I was trying to use php's PDO and oci8 modules to test connections to Oracle.
I had originally gotten a php error about pdo_oci.so/oci8.so data execution on a dynamic link library, libclsh. I asked selinux boards and they said to try 'setsebool -P allow_execstack on'... I think after that change, I still had issues, so they suggested to turn it off temporarily to see if it works...
So I went into /etc/sysconfig/selinux and set: SELINUX=disabled and my script connected and read some rows from the oracle db.
I'm not sure if anyone has had issues with oracle client to work with selinux, without turning it off. I saw a blog stating to run these, but I have no idea if it will work for my version of oracle, or what it does: "tail -f /var/log/audit/audit.log | tee oracle.log
audit2allow -M oracle < oracle.log
semodule -i oracle.pp"
Thanks!, Ari
If you turn it back on, contact me and we can work through the problems.
SELINUX=permissive
Would have allowed your processes to work and logged all of the errors. Which we could have then fixed.
SELinux error messages are written as "AVC" messages in /var/log/audit/audit.log
On Tue, Mar 30, 2010 at 10:17:13 -0400, Arian armyofda12mnkeys@gmail.com wrote:
So I went into /etc/sysconfig/selinux and set: SELINUX=disabled
Use permissive for testing. If you switch to disabled, you need to relabel if you later turn it back on.
I'm not sure if anyone has had issues with oracle client to work with selinux, without turning it off.
I don't, but I am running sqlplus from a shell, not using it from a web server. I don't have any custom policy for it. It doesn't seem to need any unusual booleans set.
I am using the following:
selinux-policy-targeted-3.7.16-2.fc13.noarch
oracle-instantclient-devel-10.2.0.3-1.x86_64
oracle-instantclient-sqlplus-10.2.0.3-1.x86_64
oracle-instantclient-basic-10.2.0.3-1.x86_64
What I had to do in the past, after installing oracle client is to just run
restorecon -vR /usr
This would set the proper labels for oracle libraries and binaries.
Sincerely yours,
Vadym Chepkov
--- On Tue, 3/30/10, Arian armyofda12mnkeys@gmail.com wrote:
From: Arian armyofda12mnkeys@gmail.com
Subject: selinux and oracle instantclient
To: selinux@lists.fedoraproject.org
Date: Tuesday, March 30, 2010, 10:17 AM
Hello all, I am using Oracle 11.2 instant client on CentOS (which I heard is based on a version of Fedora/RedHat), and I was trying to use php's PDO and oci8 modules to test connections to Oracle.
I had originally gotten a php error about pdo_oci.so/oci8.so data execution on a dynamic link library, libclsh. I asked selinux boards and they said to try 'setsebool -P allow_execstack on'... I think after that change, I still had issues, so they suggested to turn it off temporarily to see if it works...
So I went into /etc/sysconfig/selinux and set: SELINUX=disabled and my script connected and read some rows from the oracle db.
I'm not sure if anyone has had issues with oracle client to work with selinux, without turning it off.
I saw a blog stating to run these, but I have no idea if it will work for my version of oracle, or what it does: "tail -f /var/log/audit/audit.log | tee oracle.log
audit2allow -M oracle < oracle.log
semodule -i oracle.pp"
Thanks!, Ari
Cool, I'll set permissive on the box when I have a chance later this week and get back at you guys maybe what version the policy rpm I have installed and see what others have to say about the 'restorecon -vR /usr' command. Think I have a similar virtual box to test with too possibly earlier this week.
On 03/30/2010 06:26 PM, Arian wrote:
Cool, I'll set permissive on the box when I have a chance later this week and get back at you guys maybe what version the policy rpm I have installed and see what others have to say about the 'restorecon -vR /usr' command. Think I have a similar virtual box to test with too possibly earlier this week.
Oracle is probably not using rpm to install its files. If it is using some kind of tar ball installer, then it probably is not setting the labels correctly on install. Running restorecon on the installed files will fix the context. Oracle is supposedly working to improve their SELinux integration.
On Wed, Mar 31, 2010 at 09:22:07 -0400, Daniel J Walsh dwalsh@redhat.com wrote:
Oracle is probably not using rpm to install its files. If it is using some kind of tar ball installer, then it probably is not setting the labels correctly on install. Running restorecon on the installed files will fix the context. Oracle is supposedly working to improve their SELinux integration.
Their client stuff does come in rpms. I didn't check the spec files to see if they were doing something odd, but I think things come out OK.
Arian:
I'm not sure if anyone has had issues with oracle client to work with selinux, without turning it off.
We have also used Oracle's Instant Client RPMs, a few different 10.* and 11.* versions. What we have found is that they are built so they need text relocations. On RHEL5 systems we run the following command when we kickstart them:
semanage fcontext -a -t textrel_shlib_t "/usr/lib/oracle/1...*/client.*/lib/lib.*.so"
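Added example (not written by any poster in this thread): a Python triage of the AVC records that permissive mode logs to /var/log/audit/audit.log, grouping denials so that a library needing text relocations shows up as one labelling problem rather than being passed wholesale to audit2allow. The log lines, the library path and the httpd process name are constructed samples.

```python
import re
from collections import Counter

# Constructed sample records (not from the thread), in the format the kernel
# writes to /var/log/audit/audit.log.
SAMPLE_LOG = '''\
type=AVC msg=audit(1269958633.101:411): avc:  denied  { execstack } for  pid=2345 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1269958633.102:412): avc:  denied  { execmod } for  pid=2345 comm="httpd" path="/usr/lib/oracle/11.2/client/lib/libclntsh.so.11.1" dev=dm-0 ino=393231 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1269958633.102:412): arch=c000003e syscall=10 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1269958699.410:430): avc:  denied  { execmod } for  pid=2351 comm="httpd" path="/usr/lib/oracle/11.2/client/lib/libclntsh.so.11.1" dev=dm-0 ino=393231 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line) if line.startswith('type=AVC') else None
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    rec['target_type'] = rec['tcontext'].split(':')[2]  # user:role:type:level
    return rec

def triage(log_text):
    """Count denials per (comm, permission, tclass, target type, path)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        for perm in (rec['perms'] if rec else []):
            key = (rec['comm'], perm, rec['tclass'], rec['target_type'], rec.get('path', '-'))
            counts[key] += 1
    return counts

def hint(perm, tclass):
    """Point each denial kind at the remedy named in this thread, if any."""
    if (perm, tclass) == ('execmod', 'file'):
        return 'text relocation: thread fix is labelling the library textrel_shlib_t'
    if (perm, tclass) == ('execstack', 'process'):
        return 'executable stack: the allow_execstack boolean was suggested in the thread'
    return 'not discussed in the thread: review before allowing'

if __name__ == '__main__':
    for (comm, perm, tclass, ttype, path), n in sorted(triage(SAMPLE_LOG).items()):
        print(f'{n}x {comm} {perm} {tclass} {ttype} {path} -> {hint(perm, tclass)}')
```
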