SELinux Mailing List
Re: oracle policy
From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Fri, 04 May 2007 12:07:39 -0400

First off I have never run oracle (They don't like my company much :^) ...

Let's start by looking at your file context file. Eliminate the version number from the file path. You can use a regular expression to handle this or you are going to have problems when 9.3 comes out.

I like to minimize the number of contexts in the file context. The more files in the context the more likely you are to get one wrong. One general rule I use is if your domain does not need to modify a file/directory, you should use the system defaults. (Unless you want to prevent other confined domains from reading the files, for security purposes). So do you really need oracle_ro_t?

Remove these

    /opt/oracle(/.*)? gen_context(system_u:object_r:oracle_ro_t,s0)
    /etc/oracle-9iR2(/.*)? gen_context(system_u:object_r:oracle_ro_t,s0)
    /etc/oracle-10gR2(/.*)? gen_context(system_u:object_r:oracle_ro_t,s0)

Add this

The only file that should be labeled oracle_exec_t is the domains entry point. Helper apps should be just labeled bin_t. Or even better break the helper apps and write policy for their specific tasks. But this is a lot more work.

Your jar files should be labeled shlib_t so they will work on MLS/Strict policy machines.

You should not specify lib_t if the system default would have been lib_t.

As for the te file. You want to eliminate the entire require block from the file. Any of the types you are defining there should be removed and allow rules that use these types should be replaced with interfaces.

For example

    allow oracle_t proc_t:file read;

Should be replaced with

    kernel_read_system_state(oracle_t)

I would bet oracle is using nsswitch so you can add

    auth_use_nsswitch(oracle_t)

And eliminate a lot of other rules. Like (nscd, netlink_route_socket)

I like to avoid

And only have the transition happen in the init scripts. Transitioning directly from unconfined_t ends up with lots of avcs when users do stuff like

    confined_app >> ~/mylog

Also you might be able to eliminate the ability to write to terminals by doing this.

Received on Fri 4 May 2007 - 12:07:51 EDT
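
A small lint for two of the habits recommended in the message above, as an added example that is not part of the original post or of any SELinux tooling: it flags allow rules that name types pulled in through a require block (candidates for replacement with interfaces) and file-context paths with a hard-coded version number. The sample .te and .fc text is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample inputs for illustration (not the poster's actual policy files).
SAMPLE_TE = """\
policy_module(oracle, 1.0.0)
require {
    type proc_t;
    type nscd_var_run_t;
    class file { read getattr };
}
type oracle_t;
type oracle_exec_t;
allow oracle_t proc_t:file read;
allow oracle_t self:netlink_route_socket create;
kernel_read_system_state(oracle_t)
"""
SAMPLE_FC = """\
/etc/oracle-9iR2(/.*)?        gen_context(system_u:object_r:oracle_ro_t,s0)
/etc/oracle-10gR2(/.*)?       gen_context(system_u:object_r:oracle_ro_t,s0)
/etc/oracle-[0-9][^/]*(/.*)?  gen_context(system_u:object_r:etc_t,s0)
/opt/oracle(/.*)?             gen_context(system_u:object_r:oracle_ro_t,s0)
"""

def required_types(te):
    """Types imported via 'require { ... }' (closing brace assumed at line start)."""
    types = set()
    for block in re.finditer(r'^\s*require\s*\{(.*?)^\}', te, re.S | re.M):
        for decl in re.findall(r'\btype\s+([\w,\s]+?);', block.group(1)):
            types.update(t.strip() for t in decl.split(','))
    return types

def raw_allow_rules(te):
    """Allow rules whose source/target names a required type: interface candidates."""
    foreign, hits = required_types(te), []
    for n, line in enumerate(te.splitlines(), 1):
        m = re.match(r'\s*allow\s+([^:;]+):', line)
        used = set(re.findall(r'\w+', m.group(1))) & foreign if m else set()
        if used:
            hits.append((n, line.strip(), sorted(used)))
    return hits

def versioned_paths(fc):
    """Path specs with a literal digit left after dropping [...] and {n,m}."""
    hits = []
    for line in fc.splitlines():
        if line.strip() and not line.lstrip().startswith('#'):
            spec = line.split()[0]
            if re.search(r'\d', re.sub(r'\[[^\]]*\]|\{[\d,]+\}', '', spec)):
                hits.append(spec)
    return hits
```
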

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009