* oracle policy
@ 2007-04-30 21:37 rob myers
2007-05-04 16:07 ` Daniel J Walsh
0 siblings, 1 reply; 7+ messages in thread
From: rob myers @ 2007-04-30 21:37 UTC (permalink / raw)
To: SELinux
[-- Attachment #1: Type: text/plain, Size: 709 bytes --]
hello
i am working on writing some SELinux policy that will confine oracle to
its own domain on a RHEL5 machine running targeted policy. my security
goal is to limit risk to the rest of the system from any potential
compromise of oracle. as far as i know, no such policy exists publicly
yet. i'd like to collaborate with anyone else that has an interest in
writing a similar policy for oracle. my initial efforts are attached.
tips, pointers, and constructive criticism requested!
one of the problems with writing a general oracle policy is that
different people may install the software in different locations. i've
chosen /opt/oracle/10.2.0, but maybe there is a more appropriate place
for it?
rob.
[-- Attachment #2: oracle.fc --]
[-- Type: text/plain, Size: 3333 bytes --]
#
# $Id: oracle.fc 885 2007-04-30 17:42:45Z rm153 $
#
# default oracle
/opt/oracle(/.*)? gen_context(system_u:object_r:oracle_ro_t,s0)
/opt/oracle/admin(/.*)? gen_context(system_u:object_r:oracle_config_t,s0)
/opt/oracle/admin/.*/?dump(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
/u0[0-9](/.*)? gen_context(system_u:object_r:oracle_db_t,s0)
# oracle 9iR2
/opt/oracle/product/9.2.0/bin/.* gen_context(system_u:object_r:oracle_exec_t,s0)
/opt/oracle/product/9.2.0/jre/1\.4\.[2-9]/bin/.* gen_context(system_u:object_r:oracle_exec_t,s0)
/opt/oracle/product/9.2.0/jre/1\.4\.[2-9]/lib/.* gen_context(system_u:object_r:lib_t,s0)
/opt/oracle/product/9.2.0(/.*)?\.jar gen_context(system_u:object_r:lib_t,s0)
/opt/oracle/product/9.2.0(/.*)?classes.*\.zip gen_context(system_u:object_r:lib_t,s0)
/opt/oracle/product/9.2.0(/.*)?(nls_charset11.zip|cvd.zip) gen_context(system_u:object_r:lib_t,s0)
/opt/oracle/product/9.2.0/lib/.* gen_context(system_u:object_r:lib_t,s0)
/opt/oracle/product/9.2.0/dbs(/.*)?lk.* gen_context(user_u:object_r:oracle_log_t,s0)
/opt/oracle/product/9.2.0/ctx/lib/.* gen_context(system_u:object_r:lib_t,s0)
/opt/oracle/product/9.2.0/ctx/bin/.* gen_context(system_u:object_r:oracle_exec_t,s0)
/opt/oracle/product/9.2.0/rdbms/audit(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
/opt/oracle/product/9.2.0/(hs|ldap|network|ctx|sysman|rdbms|demo|mgw)/(.*/)?log(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
/etc/oracle-9iR2(/.*)? gen_context(system_u:object_r:oracle_ro_t,s0)
/opt/oracle/product/9.2.0/lib/libclntsh.so.9.0 gen_context(system_u:object_r:texrel_shlib_t,s0)
/opt/oracle/product/9.2.0/lib/libjox9.so gen_context(system_u:object_r:texrel_shlib_t,s0)
# oracle 10gR2
/opt/oracle/product/10.2.0/bin/.* gen_context(system_u:object_r:oracle_exec_t,s0)
/opt/oracle/product/10.2.0/jre/1\.4\.[2-9]/bin/.* gen_context(system_u:object_r:oracle_exec_t,s0)
/opt/oracle/product/10.2.0/jre/1\.4\.[2-9]/lib/.* gen_context(system_u:object_r:lib_t,s0)
/opt/oracle/product/10.2.0(/.*)?\.jar gen_context(system_u:object_r:lib_t,s0)
/opt/oracle/product/10.2.0(/.*)?classes.*\.zip gen_context(system_u:object_r:lib_t,s0)
/opt/oracle/product/10.2.0(/.*)?(nls_charset11.zip|cvd.zip) gen_context(system_u:object_r:lib_t,s0)
/opt/oracle/product/10.2.0/lib/.* gen_context(system_u:object_r:lib_t,s0)
/opt/oracle/product/10.2.0/dbs(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
/opt/oracle/product/10.2.0/log(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
/opt/oracle/product/10.2.0/rdbms/audit(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
/opt/oracle/product/10.2.0/(hs|ldap|network|ctx|sysman|rdbms|demo|mgw)/(.*/)?log(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
/etc/oracle-10gR2(/.*)? gen_context(system_u:object_r:oracle_ro_t,s0)
/var/tmp/.oracle(/.*)? gen_context(user_u:object_r:oracle_tmp_t,s0)
/opt/oracle/product/10.2.0/lib/libclntsh.so.10.1 gen_context(system_u:object_r:texrel_shlib_t,s0)
/opt/oracle/product/10.2.0/lib/libjox10.so gen_context(system_u:object_r:texrel_shlib_t,s0)
[-- Attachment #3: oracle.if --]
[-- Type: text/plain, Size: 1515 bytes --]
## <summary>Oracle policy</summary>
## <desc>
## <p>
## Oracle policy $Id: oracle.if 885 2007-04-30 17:42:45Z rm153 $
## </p>
## </desc>
############################################################
## <summary>
## Send and receive TCP traffic on an oracle port
## </summary>
## <desc>
## <p>
## Use this interface to send and receive TCP traffic on
## the oracle port
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`corenet_tcp_sendrecv_oracle_port',`
gen_require(`
type oracle_port_t;
')
allow $1 oracle_port_t:tcp_socket { send_msg recv_msg };
')
############################################################
## <summary>
## Bind to a TCP oracle port
## </summary>
## <desc>
## <p>
## Use this interface to bind to a TCP oracle port
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`corenet_tcp_bind_oracle_port',`
gen_require(`
type oracle_port_t;
')
allow $1 oracle_port_t:tcp_socket name_bind;
')
############################################################
## <summary>
## Connect to an oracle TCP port
## </summary>
## <desc>
## <p>
## Use this interface to connect to an oracle TCP port
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`corenet_tcp_connect_oracle_port',`
gen_require(`
type oracle_port_t;
')
allow $1 oracle_port_t:tcp_socket name_connect;
')
[-- Attachment #4: oracle.te --]
[-- Type: text/plain, Size: 5238 bytes --]
policy_module(oracle,1.0.0)
########################################
#
# $Id: oracle.te 885 2007-04-30 17:42:45Z rm153 $
#
require {
type snmp_port_t;
type nscd_var_run_t;
type fs_t;
type proc_t;
type initrc_tmp_t;
class tcp_socket name_connect;
class file { create_file_perms execute_no_trans };
class dir { create_dir_perms };
class fifo_file { rw_file_perms };
class process { setpgid getsched execmem };
class sem create_sem_perms;
class shm create_shm_perms;
class fd use;
class netlink_route_socket create_netlink_socket_perms;
class unix_stream_socket { create_stream_socket_perms connectto };
class tcp_socket create_stream_socket_perms;
class sock_file { create_file_perms };
class udp_socket create_socket_perms;
class filesystem getattr;
}
type oracle_t;
domain_type(oracle_t)
## Type for temporary files
type oracle_tmp_t;
files_tmp_file(oracle_tmp_t)
allow oracle_t oracle_tmp_t:file create_file_perms;
allow oracle_t oracle_tmp_t:dir create_dir_perms;
files_tmp_filetrans(oracle_t,oracle_tmp_t,{file dir})
## Type for log files
type oracle_log_t;
logging_log_file(oracle_log_t)
allow oracle_t oracle_log_t:file { unlink create rw_file_perms setattr };
allow oracle_t oracle_log_t:dir { setattr rw_dir_perms };
logging_log_filetrans(oracle_t,oracle_log_t,{file dir})
## Type for configuration files
type oracle_config_t;
files_config_file(oracle_config_t)
allow oracle_t oracle_config_t:file { getattr read create_file_perms };
allow oracle_t oracle_config_t:dir { create_dir_perms };
## Type for database files
type oracle_db_t;
files_config_file(oracle_db_t)
allow oracle_t oracle_db_t:file { getattr read create_file_perms };
allow oracle_t oracle_db_t:dir { create_dir_perms };
## Type for read only files
type oracle_ro_t;
files_config_file(oracle_ro_t)
files_read_all_files(oracle_ro_t)
allow oracle_t oracle_ro_t:dir { search getattr };
allow oracle_t oracle_ro_t:file { read getattr };
## Type for the daemon
type oracle_exec_t;
files_type(oracle_exec_t)
domain_entry_file(oracle_t, oracle_exec_t)
init_system_domain(oracle_t, oracle_exec_t)
# read /proc
kernel_getattr_proc_files(oracle_t)
kernel_read_proc_symlinks(oracle_t)
# localization support
miscfiles_read_localization(oracle_t)
###
## networking
#
# define oracle ports
type oracle_port_t;
corenet_port_type(oracle_port_t)
#
# you cannot create ports in a policy module so use semanage instead
# - https://www.redhat.com/archives/fedora-selinux-list/2007-April/msg00078.html
# portcon tcp 1521 system_u:object_r:oracle_port_t:s0;
# semanage port -a -t oracle_port_t -p tcp 1521
# allow sending and receiving on oracle ports
corenet_tcp_bind_oracle_port(oracle_t)
corenet_tcp_sendrecv_oracle_port(oracle_t)
corenet_tcp_connect_oracle_port(oracle_t)
# allow oracle to send traffic to all nodes
corenet_non_ipsec_sendrecv(oracle_t)
corenet_tcp_bind_all_nodes(oracle_t)
corenet_udp_bind_all_nodes(oracle_t)
corenet_tcp_sendrecv_all_if(oracle_t)
corenet_udp_sendrecv_all_if(oracle_t)
corenet_tcp_sendrecv_all_nodes(oracle_t)
corenet_udp_sendrecv_all_nodes(oracle_t)
corenet_tcp_connect_generic_port(oracle_t)
# allow oracle to read networking configuration
sysnet_read_config(oracle_t)
# allow oracle to query ldap server
sysnet_use_ldap(oracle_t)
###
## executables
#
corecmd_exec_bin(oracle_t)
###
## acces to shared libraries
#
libs_use_ld_so(oracle_t)
libs_use_shared_libs(oracle_t)
# oracle can read sysctl settings
kernel_read_all_sysctls(oracle_t)
###
## Read /etc.
#
files_read_etc_files(oracle_t)
###
## read (and write) /dev/zero
#
dev_rw_zero(oracle_t)
###
## Allow read and write to terminals
#
term_use_all_user_ptys(oracle_t)
###
## Allow read of random devices
#
dev_read_rand(oracle_t)
dev_read_urand(oracle_t)
###
## Allow read and writing to shared memory
#
fs_rw_tmpfs_files(oracle_t)
###
## automatically transition to oracle_t each time oracle_exec_t is run
#
ifdef(`targeted_policy', `
domain_auto_trans(unconfined_t, oracle_exec_t, oracle_t)
')
###
## additional oracle related permissions
#
allow oracle_t self:file { rw_file_perms };
allow oracle_t self:fifo_file { rw_file_perms };
allow oracle_t self:process { setpgid getsched };
allow oracle_t self:sem create_sem_perms;
allow oracle_t self:shm create_shm_perms;
allow oracle_t self:fd use;
allow oracle_t self:netlink_route_socket create_netlink_socket_perms;
allow oracle_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow oracle_t oracle_tmp_t:file execute;
allow oracle_t oracle_tmp_t:sock_file create_file_perms;
allow oracle_t self:udp_socket create_socket_perms;
allow oracle_t self:tcp_socket create_stream_socket_perms;
allow oracle_t fs_t:filesystem getattr;
allow oracle_t nscd_var_run_t:dir r_dir_perms;
allow oracle_t self:process execmem;
allow oracle_t oracle_exec_t:file execute_no_trans;
allow oracle_t proc_t:file read;
allow oracle_t initrc_tmp_t:file r_file_perms;
###
## don't audit
#
corenet_dontaudit_send_snmp_server_packets(oracle_t)
corenet_dontaudit_send_snmp_client_packets(oracle_t)
dontaudit oracle_t snmp_port_t:tcp_socket name_connect;
[-- Attachment #5: oracle-10gR2.spec --]
[-- Type: text/plain, Size: 21206 bytes --]
%define short_version 10.2.0
%define oracle_base /opt/oracle
%define oracle_uid 601
%define dba_gid 604
# Set to 1 to apply a critical patch update
%define apply_cpu 1
%define with_selinux 1
Summary: Oracle Database
Name: oracle-10gR2
Version: %{short_version}.3
Release: stl.9
License: Oracle Technology Network Development License
Group: Applications/Databases
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
AutoReqProv: no
Provides: oracle
%ifarch x86_64
Source0: 10201_database_linux_x86_64.tar.bz2
Source1: p5337014_10203_Linux-x86-64.zip
%if %apply_cpu
Source2: p5901891_10203_Linux-x86-64.zip
%endif
%else
Source0: 10201_database_linux32.zip
Source1: p5337014_10203_LINUX.zip
%if %apply_cpu
Source2: p5901891_10203_LINUX.zip
%endif
%endif
Source10: dbstart.stl
Source11: dbshut.stl
Source12: %{name}-custom.rsp
Source13: %{name}-patchset.rsp
%if %{with_selinux}
# SELinux policy
Source20: oracle.if
Source21: oracle.te
Source22: oracle.fc
%endif
URL: http://www.oracle.com
BuildPreReq: jpackage-utils >= 0:1.5
%if %{with_selinux}
BuildPreReq: selinux-policy-devel >= 0:2.4.6-64
%endif
%description
Oracle Database 10gR2 is the first database designed for enterprise grid computing, the most flexible and cost-effective way to manage enterprise information. It cuts costs of management while providing the highest possible quality of service. In addition to numerous quality and performance enhancements, Oracle Database 10gR2 significantly reduces the costs of managing the IT environment, with a simplified install, greatly reduced configuration and management requirements, and automatic performance diagnosis and SQL tuning. These and other automated management capabilities help improve DBA and developer productivity and efficiency.
%prep
#
# Remind builder that this rpm clobbers files on the filesystem
#
echo "Warning: current oracle_base %{oracle_base} is about to be destroyed!"
sleep 15
#
# check environment
#
_UID=`id -u`
if [ "${_UID}" != "%{oracle_uid}" ]; then
echo "Warning: current uid does not match oracle_uid!"
exit 255
fi
_GID=`id -g`
if [ "${_GID}" != "%{dba_gid}" ]; then
echo "Warning: current gid does not match dba_gid!"
exit 255
fi
if [ "${HOME}" != "%{oracle_base}" ]; then
echo "Warning: current home directory does not match oracle_base!"
exit 255
fi
if [ ! -r /etc/oraInst.loc ]; then
echo "Warning: opatch will fail if it cannot find oraInventory! (/etc/oraInst.loc)"
exit 255
fi
#
# prepare environment
#
export ORACLE_BASE=%{oracle_base}
export ORACLE_HOME=${ORACLE_BASE}/product/%{short_version}
#
# extract the zip
#
%if %apply_cpu
%setup -D -q -b 1 -b 2 -n database
%else
%setup -D -q -b 1 -n database
%endif
#
# install the response file, temporarily, with correct permissions
#
mkdir -p $RPM_BUILD_ROOT
install -p -m 700 %{SOURCE12} $RPM_BUILD_ROOT/response_file.rsp
install -p -m 700 %{SOURCE13} $RPM_BUILD_ROOT/patchset.rsp
#
# fix paths in the response file
#
perl -p -i -e 's@%FROM_LOCATION%@%{_builddir}/database/stage/products.xml@g' $RPM_BUILD_ROOT/response_file.rsp
perl -p -i -e 's@%ORACLE_BASE%@%{oracle_base}@g' $RPM_BUILD_ROOT/response_file.rsp
perl -p -i -e 's@%SHORT_VERSION%@%{short_version}@g' $RPM_BUILD_ROOT/response_file.rsp
#
# run the installer
#
./runInstaller -silent -noconfig -responseFile $RPM_BUILD_ROOT/response_file.rsp -force -ignoreSysPrereqs -waitforcompletion
#
# run the patch installer
#
(cd ../Disk1 ; ./runInstaller -silent -noconfig -responseFile $RPM_BUILD_ROOT/patchset.rsp -force -ignoreSysPrereqs -waitforcompletion)
#
# run the CPU installer
#
%if %apply_cpu
perl -p -i -e 's@-m31@-m32@g' ${ORACLE_HOME}/bin/genoccish
(cd ../5901891 ; ${ORACLE_HOME}/OPatch/opatch apply)
%endif
#
# clean up install scripts
#
rm -f %{oracle_base}/product/%{short_version}/root.sh
rm -f %{oracle_base}/product/%{short_version}/root.sh.old
rm -f %{oracle_base}/product/%{short_version}/oraInst.loc
#
# fix permissions
#
find %{oracle_base} -exec chmod a-s {} \;
find %{oracle_base}/product/%{short_version} -type f -name '*.a' -exec chmod 644 {} \;
find %{oracle_base}/product/%{short_version} -type f -name '*.jar' -exec chmod 644 {} \;
find %{oracle_base}/product/%{short_version} -type f -name '*.so' -exec chmod 755 {} \;
find %{oracle_base}/product/%{short_version} -type f -name '*.so.*.?' -exec chmod 755 {} \;
find %{oracle_base}/product/%{short_version} -type f -name '*.msb' -exec chmod 644 {} \;
find %{oracle_base}/product/%{short_version} -type f -name '*.nlb' -exec chmod 644 {} \;
find %{oracle_base}/product/%{short_version} -type f -name '*.dat' -exec chmod 644 {} \;
#
# remove empty files
#
find %{oracle_base}/product/%{short_version} -type f -size 0b -exec rm -f {} \;
%build
%if %{with_selinux}
# build SELinux Policy Module
mkdir -p policy
pushd policy
cp %{SOURCE20} %{SOURCE21} %{SOURCE22} .
make -f /usr/share/selinux/devel/Makefile NAME=targeted
mv oracle.pp oracle-targeted.pp
make -f /usr/share/selinux/devel/Makefile NAME=strict
mv oracle.pp oracle-strict.pp
popd
%endif
%install
rm -rf $RPM_BUILD_ROOT
mkdir $RPM_BUILD_ROOT
%if %{with_selinux}
# install SELinux Policy Modules
install -m 0755 -d $RPM_BUILD_ROOT%{_datadir}/selinux/targeted
install -m 644 policy/oracle-targeted.pp $RPM_BUILD_ROOT%{_datadir}/selinux/targeted/oracle.pp
install -m 0755 -d $RPM_BUILD_ROOT%{_datadir}/selinux/strict
install -m 644 policy/oracle-strict.pp $RPM_BUILD_ROOT%{_datadir}/selinux/strict/oracle.pp
%endif
#
# create the init script
#
mkdir -p $RPM_BUILD_ROOT/%{_initrddir}
cat > $RPM_BUILD_ROOT/%{_initrddir}/%{name} << _____EOF_____
#!/bin/sh
#
# Init script for the Oracle Instance and Listener
#
# chkconfig: 345 91 19
# description: Startup/Shutdown Oracle Instance and Listener
###########################
# usage: %{name} { restart | start | stop }
#
# NOTES:
# - Must be run as root because this script su's to oracle
# - Start the listener before the database so that it auto-registers
# immediately, rather than waiting a few minutes
# - should autotransition to oracle domain by using daemon function
#
###########################
# Source function library.
if [ -x /etc/rc.d/init.d/functions ]; then
. /etc/rc.d/init.d/functions
fi
#############
# FUNCTIONS #
#############
#
# Start oracle and the listener
#
start () {
lsnrstart
if [ -x /etc/rc.d/init.d/functions ]; then
daemon --user oracle dbstart ALL
else
su - oracle -c "dbstart ALL"
fi
}
#
# Stop oracle and the listener
#
stop () {
lsnrstop
if [ -x /etc/rc.d/init.d/functions ]; then
daemon --user oracle dbshut ALL
else
su - oracle -c "dbshut ALL"
fi
}
#
# Start the listener
#
lsnrstart () {
if [ -x /etc/rc.d/init.d/functions ]; then
daemon --user oracle "lsnrctl start"
else
su - oracle -c "lsnrctl start"
fi
}
#
# Stop the listener
#
lsnrstop () {
if [ -x /etc/rc.d/init.d/functions ]; then
daemon --user oracle "lsnrctl stop"
else
su - oracle -c "lsnrctl stop"
fi
}
########
# MAIN #
########
case "\$1" in
'start')
start
;;
'restart')
stop
start
;;
'stop')
stop
;;
*)
echo "Usage: \$0 { restart | start | stop }"
;;
esac
_____EOF_____
#
# create the oraInst.loc file, with correct permissions
#
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}
cat > $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/oraInst.loc << _EOF_
inventory_loc=%{oracle_base}/product/%{short_version}/oraInventory
inst_group=
_EOF_
chmod 664 $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/oraInst.loc
chown oracle:dba $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/oraInst.loc
#
# create the oratab file, with correct permissions
#
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}
cat > $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/oratab << _EOF_
#
# This file is used by ORACLE utilities. It is created by root.sh
# and updated by the Database Configuration Assistant when creating
# a database.
# A colon, ':', is used as the field terminator. A new line terminates
# the entry. Lines beginning with a pound sign, '#', are comments.
#
# Entries are of the form:
# $ORACLE_SID:$ORACLE_HOME:<N|Y>:
#
# The first and second fields are the system identifier and home
# directory of the database respectively. The third field indicates
# to the dbstart utility that the database should , "Y", or should not,
# "N", be brought up at system boot time.
#
# Multiple entries with the same $ORACLE_SID are not allowed.
#
*:%{oracle_base}/product/%{short_version}:Y
_EOF_
#
# move installed files to build root
#
DIR=`dirname %{oracle_base}`
mkdir -p $RPM_BUILD_ROOT/${DIR}
mv %{oracle_base} $RPM_BUILD_ROOT/${DIR}
chown oracle:dba $RPM_BUILD_ROOT/${DIR}
# install startup scripts that require a sid
mv $RPM_BUILD_ROOT/%{oracle_base}/product/%{short_version}/bin/dbstart $RPM_BUILD_ROOT/%{oracle_base}/product/%{short_version}/bin/dbstart.orig
install -p -m 755 %{SOURCE10} $RPM_BUILD_ROOT/%{oracle_base}/product/%{short_version}/bin/dbstart
mv $RPM_BUILD_ROOT/%{oracle_base}/product/%{short_version}/bin/dbshut $RPM_BUILD_ROOT/%{oracle_base}/product/%{short_version}/bin/dbshut.orig
install -p -m 755 %{SOURCE11} $RPM_BUILD_ROOT/%{oracle_base}/product/%{short_version}/bin/dbshut
# set up profile for all users
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/profile.d
cat > $RPM_BUILD_ROOT/etc/profile.d/%{name}.sh << __EOF__
if [ -z "\$ORACLE_BASE" ]; then
export ORACLE_BASE=%{oracle_base}
fi
if [ -z "\$ORACLE_HOME" ]; then
export ORACLE_HOME=\${ORACLE_BASE}/product/%{short_version}
fi
if [ -z "\$ORACLE_SID" ]; then
export ORACLE_SID=maverick
fi
if [ -z "\$ORACLE_TERM" ]; then
export ORACLE_TERM=xterm
fi
if [ -z "\$TNS_ADMIN" ]; then
export TNS_ADMIN=\${ORACLE_BASE}/admin/system/tnsadmin
fi
if [ -z "\$NLS_LANG" ]; then
export NLS_LANG=AMERICAN
fi
if [ -z "\$ORA_NLS33" ]; then
export ORA_NLS33=\${ORACLE_HOME}/ocommon/nls/admin/data
fi
myldpathmunge () {
if [ -z "\$LD_LIBRARY_PATH" ] ; then
LD_LIBRARY_PATH=\$1
else
if ! echo \$LD_LIBRARY_PATH | /bin/egrep -q "(^|:)\$1($|:)" ; then
if [ "\$2" = "after" ] ; then
LD_LIBRARY_PATH=\$LD_LIBRARY_PATH:\$1
else
LD_LIBRARY_PATH=\$1:\$LD_LIBRARY_PATH
fi
fi
fi
}
mypathmunge () {
if ! echo \$PATH | /bin/egrep -q "(^|:)\$1($|:)" ; then
if [ "\$2" = "after" ] ; then
PATH=\$PATH:\$1
else
PATH=\$1:\$PATH
fi
fi
}
mypathmunge \$ORACLE_HOME/bin:\$ORACLE_HOME/lbin after
myldpathmunge \${ORACLE_HOME}/lib:\${LD_LIBRARY_PATH} before
export LD_LIBRARY_PATH PATH
unset mypathmunge
unset myldpathmunge
__EOF__
%clean rm -rf $RPM_BUILD_ROOT
%package -n %{name}-rdbms
Summary: Oracle Database RDBMS
Group: Applications/Databases
AutoReqProv: no
%description -n %{name}-rdbms
Oracle Database 10gR2 is the first database designed for enterprise grid computing, the most flexible and cost-effective way to manage enterprise information. It cuts costs of management while providing the highest possible quality of service. In addition to numerous quality and performance enhancements, Oracle Database 10gR2 significantly reduces the costs of managing the IT environment, with a simplified install, greatly reduced configuration and management requirements, and automatic performance diagnosis and SQL tuning. These and other automated management capabilities help improve DBA and developer productivity and efficiency.
%files -n %{name}-rdbms
%defattr(-,oracle,dba,0755)
%{oracle_base}/product/%{short_version}
%config(noreplace) %{_sysconfdir}/%{name}/oratab
%config %{_sysconfdir}/%{name}/oraInst.loc
%dir %{_sysconfdir}/%{name}
%config %attr(0770,root,dba) %{_initrddir}/%{name}
%config %attr(0775,root,dba) %{_sysconfdir}/profile.d/%{name}.sh
%if %{with_selinux}
%attr(0644,root,root) %{_datadir}/selinux/targeted/oracle.pp
%attr(0644,root,root) %{_datadir}/selinux/strict/oracle.pp
%endif
%pre -n %{name}-rdbms
OUTPUT=`grep dba /etc/group | tail -1 | awk -F: '{print $1}' `
if [ -z ${OUTPUT} ]; then
groupadd -r -g %{dba_gid} -o dba
fi
OUTPUT=`grep oracle /etc/passwd | tail -1 | awk -F: '{print $1}' `
if [ -z ${OUTPUT} ]; then
useradd -d %{oracle_base} -r -c Oracle -g dba -u %{oracle_uid} -o oracle -s /bin/bash
else
# oracle may be installed, so shutdown any existing instances
(service oracle stop ; exit 0) > /dev/null 2>&1
(service oracle-9i stop ; exit 0) > /dev/null 2>&1
(service oracle-9iR2 stop ; exit 0) > /dev/null 2>&1
(service oracle-10g stop ; exit 0) > /dev/null 2>&1
(service oracle-10gR2 stop ; exit 0) > /dev/null 2>&1
fi
%post -n %{name}-rdbms
OUTPUT=`grep kernel.shmmax /etc/sysctl.conf | awk '{print $1}' `
if [ -z ${OUTPUT} ]; then
echo "# increase shmmax for oracle" >> /etc/sysctl.conf
echo "kernel.shmmax = 2147483648" >> /etc/sysctl.conf
sysctl -w kernel.shmmax=2147483648
fi
OUTPUT=`grep fs.file-max /etc/sysctl.conf | awk '{print $1}' `
if [ -z ${OUTPUT} ]; then
echo "# increase file-max for oracle" >> /etc/sysctl.conf
echo "fs.file-max = 65536" >> /etc/sysctl.conf
sysctl -w fs.file-max=65536
fi
OUTPUT=`grep kernel.sem /etc/sysctl.conf | awk '{print $1}' `
if [ -z ${OUTPUT} ]; then
echo "# increase for oracle" >> /etc/sysctl.conf
echo "kernel.sem = 250 32000 100 128" >> /etc/sysctl.conf
sysctl -w kernel.sem="250 32000 100 128"
fi
OUTPUT=`grep net.core.rmem_default /etc/sysctl.conf | awk '{print $1}' `
if [ -z ${OUTPUT} ]; then
echo "# increase default socket receive buffer size for oracle" >> /etc/sysctl.conf
echo "net.core.rmem_default = 262144" >> /etc/sysctl.conf
sysctl -w net.core.rmem_default=262144
fi
OUTPUT=`grep net.core.rmem_max /etc/sysctl.conf | awk '{print $1}' `
if [ -z ${OUTPUT} ]; then
echo "# increase maximum socket receive buffer size for oracle" >> /etc/sysctl.conf
echo "net.core.rmem_max = 262144" >> /etc/sysctl.conf
sysctl -w net.core.rmem_max=262144
fi
OUTPUT=`grep net.core.wmem_default /etc/sysctl.conf | awk '{print $1}' `
if [ -z ${OUTPUT} ]; then
echo "# increase default socket send buffer size for oracle" >> /etc/sysctl.conf
echo "net.core.wmem_default = 262144" >> /etc/sysctl.conf
sysctl -w net.core.wmem_default=262144
fi
OUTPUT=`grep net.core.wmem_max /etc/sysctl.conf | awk '{print $1}' `
if [ -z ${OUTPUT} ]; then
echo "# increase maximum socket send buffer size for oracle" >> /etc/sysctl.conf
echo "net.core.wmem_max = 262144" >> /etc/sysctl.conf
sysctl -w net.core.wmem_max=262144
fi
# add oracle startup script to chkconfig, but turn off
chkconfig --add %{name}
chkconfig --levels 345 %{name} off
# add ojdbc14.jar to java shared dir
ORACLE_HOME=%{oracle_base}/product/%{short_version}
if [ ! -L %{_javadir}/ojdbc14-%{version}.jar ]; then
ln -s ${ORACLE_HOME}/jdbc/lib/ojdbc14.jar %{_javadir}/ojdbc14-%{version}.jar
fi
# make sure temp directories exist with correct perms
mkdir -p /var/tmp/.oracle
chmod 01777 /var/tmp/.oracle
chown root /var/tmp/.oracle
# make sure a /var/opt/oracle directory exists, but don't add it as a
# file to the rpm as it may conflict with other versions of oracle
if [ ! -d /var/opt/oracle ]; then
mkdir -p /var/opt/oracle
chown oracle:dba /var/opt/oracle
fi
# needs to exist, but not as a file in the rpm because of version conflicts
if [ ! -r %{_sysconfdir}/oratab ]; then
ln -s %{_sysconfdir}/%{name}/oratab %{_sysconfdir}/oratab
fi
# needs to exist, but not as a file in the rpm because of version conflicts
if [ ! -r %{_sysconfdir}/oraInst.loc ]; then
ln -s %{_sysconfdir}/%{name}/oraInst.loc %{_sysconfdir}/oraInst.loc
fi
# needs to exist, but not as a file in the rpm because of version conflicts
if [ ! -r %{_sysconfdir}/oracle ]; then
ln -s %{_sysconfdir}/%{name} %{_sysconfdir}/oracle
fi
%if %{with_selinux}
#
# SELinux
#
SELINUXTYPE=`grep ^SELINUXTYPE /etc/selinux/config | sed 's/^.*=//g'`
PP="%{_datadir}/selinux/${SELINUXTYPE}/oracle.pp"
if [ -e ${PP} ]; then
# remove oracle ports if they are loaded
SEPORT_STATUS=`semanage port -l | grep -c ^oracle`
test ${SEPORT_STATUS} -gt 0 && semanage port -d -t oracle_port_t -p tcp 1521 || :
# unload oracle policy package if it is loaded
SEMOD_STATUS=`semodule -l | grep -c ^oracle`
test ${SEMOD_STATUS} -gt 0 && semodule -n -r oracle || :
# load oracle policy package
semodule -i ${PP} || :
# add oracle network ports since they cannot be included in a policy module
semanage port -a -t oracle_port_t -p tcp 1521
# restore oracle contexts
/sbin/restorecon -R -v %{oracle_base}
/sbin/restorecon -R -v /u0?
/sbin/restorecon -R -v /etc
/sbin/restorecon -R -v /var/tmp/.oracle
fi
%endif
%preun -n %{name}-rdbms
# shutdown existing oracle-10gR2 instances
(service %{name} stop ; exit 0) > /dev/null 2>&1
if [ -L %{_javadir}/ojdbc14-%{version}.jar ]; then
rm -f %{_javadir}/ojdbc14-%{version}.jar
fi
%postun -n %{name}-rdbms
%if %{with_selinux}
if [ $1 -eq 0 ]; then # rpm -e cases
# remove oracle ports if they are loaded
SEPORT_STATUS=`semanage port -l | grep -c ^oracle`
test ${SEPORT_STATUS} -gt 0 && semanage port -d -t oracle_port_t -p tcp 1521 || :
# unload oracle policy package if it is loaded
SEMOD_STATUS=`semodule -l | grep -c ^oracle`
test ${SEMOD_STATUS} -gt 0 && semodule -r oracle || :
elif [ $1 -eq 1 ]; then # rpm -Uvh cases
# don't do anything
:
fi
%endif
%changelog
* Mon Apr 30 2007 Rob Myers <rob.myers@gtri.gatech.edu> 10gR2-10.2.0.3-stl.9
- SELinux policy cleanup
- add with_selinux flag
* Fri Apr 27 2007 Rob Myers <rob.myers@gtri.gatech.edu> 10gR2-10.2.0.3-stl.7
- spec clean ups, permission fixes
- don't need to set a listener password anymore
- fix invalid postun script
* Thu Apr 26 2007 Rob Myers <rob.myers@gtri.gatech.edu> 10gR2-10.2.0.3-stl.5
- many, many fixes
* Wed Apr 25 2007 Rob Myers <rob.myers@gtri.gatech.edu> 10gR2-10.2.0.3-stl.4
- build an initial selinux policy module which will require much refinement
- change oracle_base to /opt/oracle
- make home directory mode 0755
* Tue Apr 24 2007 Rob Myers <rob.myers@gtri.gatech.edu> 10gR2-10.2.0.3-stl.3
- rebuild with CPUAPR2007 (#5901891)
* Wed Jan 24 2007 Rob Myers <rob.myers@gtri.gatech.edu> 10gR2-10.2.0.3-stl.2
- add patch 5671740 for INCOMPLETE CALL STACK FOR LINUX 64-BIT WITH 2.6.9 KERNEL
* Wed Jan 24 2007 Rob Myers <rob.myers@gtri.gatech.edu> 10gR2-10.2.0.3-stl.1
- update to 10.2.0.3
* Fri Oct 20 2006 Rob Myers <rob.myers@gtri.gatech.edu> 10gR2-10.2.0.2-stl.8
- rebuild with CPUOCT2006
* Fri Aug 4 2006 Rob Myers <rob.myers@gtri.gatech.edu> 10gR2-10.2.0.2-stl.7
- rebuild with CPUJUL2006
- make /etc/oraInst.loc a prerequisite; moving oraInventoy becomes a non-issue
* Wed Jun 21 2006 Rob Myers <rob.myers@gtri.gatech.edu> 10gR2-10.2.0.2-stl.6
- rebuild with 10.2.0.2
- fix: allow dba to modify profile.d entry
- fix: permissions so that users not in dba group can use oracle apps
- fix: add oracle user with dba as primary group
- fix: add multiline to init script
* Mon Oct 31 2005 Rob Myers <rob.myers@gtri.gatech.edu> 10gR2-10.2.0.1-stl.7
- rebuild for x86
* Wed Oct 26 2005 Rob Myers <rob.myers@gtri.gatech.edu> 10gR2-10.2.0.1-stl.6
- rebuild for x86_64
- changed TNS_ADMIN to ~oracle/admin/system/tnsadmin
- use _javadir from jpackage-utils
- move oraInventory to version specific location
* Thu Oct 06 2005 Rob Myers <rob.myers@gtri.gatech.edu> 10gR2-10.2.0.1-stl.5
- fix default permissions
* Tue Jul 26 2005 Rob Myers <rob.myers@gtri.gatech.edu> 10gR2-10.2.0.1-stl.4
- change oracle_base to /home/oracle
- miscellaneous cleanup
* Mon Jul 25 2005 Rob Myers <rob.myers@gtri.gatech.edu> 10gR2-10.2.0.1-stl.3
- switch to responsefile install
* Thu Jul 21 2005 Rob Myers <rob.myers@gtri.gatech.edu> 10gR2-10.2.0.1-stl.1
- update to 10gR2
- add sysctl's
- make init script work better with SELinux
* Tue Apr 12 2005 Rob Myers <rob.myers@gtri.gatech.edu> 10g-10.1.0.4-stl.1
- upgrade to 10.1.0.4
- convert ORACLE_HOME to short_version (10.1.0)
- documented install options
- no x86_64 version yet
* Mon Apr 11 2005 Rob Myers <rob.myers@gtri.gatech.edu> 10g-10.1.0.3-stl.6
- fix changelog date
- fix oracle.sh script
* Mon Apr 11 2005 Rob Myers <rob.myers@gtri.gatech.edu> 10g-10.1.0.3-stl.5
- sync with oracle-9iR2
* Tue Jan 25 2005 Rob Myers <rob.myers@gtri.gatech.edu> 10g-10.1.0.3-stl.4
- symlinks for stuff in /etc/
* Tue Jan 25 2005 Rob Myers <rob.myers@gtri.gatech.edu> 10g-10.1.0.3-stl.3
- fix error in postinstall
- add /var/opt/oracle
- do not add oracle driver to tomcat's common path
* Tue Jan 25 2005 Rob Myers <rob.myers@gtri.gatech.edu> 10g-10.1.0.3-stl.2
- move oracle to oracle-10g everywhere to prevent conflicts
- link ojdbc14.jar to java share
- make arch specific
- fix quotes in kernel.sem parameters
- clean up scriptlets
* Fri Jan 21 2005 Rob Myers <rob.myers@gtri.gatech.edu> 10g-10.1.0.3-stl.1
- upgrade to 10.1.0.3
- lots of cleanup
- still need to get zimmer to rewrite dbstart/dbshut to specify sids
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: oracle policy
2007-04-30 21:37 oracle policy rob myers
@ 2007-05-04 16:07 ` Daniel J Walsh
2007-07-02 22:37 ` rob myers
0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2007-05-04 16:07 UTC (permalink / raw)
To: rob myers; +Cc: SELinux
rob myers wrote:
> hello
>
> i am working on writing some SELinux policy that will confine oracle to
> its own domain on a RHEL5 machine running targeted policy. my security
> goal is to limit risk to the rest of the system from any potential
> compromise of oracle. as far as i know, no such policy exists publicly
> yet. i'd like to collaborate with anyone else that has an interest in
> writing a similar policy for oracle. my initial efforts are attached.
> tips, pointers, and constructive criticism requested!
>
> one of the problems with writing a general oracle policy is that
> different people may install the software in different locations. i've
> chosen /opt/oracle/10.2.0, but maybe there is a more appropriate place
> for it?
>
> rob.
>
First off I have never run oracle (They don't like my company much :^) ...
Lets start by looking at your file context file.
Eliminate the version number from the file path. You can use a regular
expression to handle this or you are going to have problems with 9.3
comes out.
I like to minimize the number of context in the file context, The more
files in the context the more likely you are to get one wrong.
One general rule I use is if you domain does not need to modify a
file/directory, you should use the system defaults. (Unless you want to
prevent other confined domains from reading the files, for security
purposes). So do you really need oracle_ro_t?
Remove these
/opt/oracle(/.*)? gen_context(system_u:object_r:oracle_ro_t,s0)
/etc/oracle-9iR2(/.*)?
gen_context(system_u:object_r:oracle_ro_t,s0)
/etc/oracle-10gR2(/.*)?
gen_context(system_u:object_r:oracle_ro_t,s0)
Add this
files_read_usr_files(oracle_t)
The only file that should be labeled oracle_exec_t is the domains entry
point. Helper apps should be just labeled bin_t. Or even better break
the helper apps and write policy for their specific tasks. But this is
a lot more work.
Your jar files should be labeled shlib_t so they will work on MLS/Strict
policy machines.
You should not specify lib_t if the system default would have been lib_t.
As for the te file. You want to eliminate the entire require block from
the file. Any of the types you are defining there should be removed and
allow rules that use these types should be replaced with interfaces.
For example
allow oracle_t proc_t:file read;
Should be replaced with
kernel_read_system_state(oracle_t)
I would bet oracle is using nsswitch so you can add
auth_use_nsswitch(oracle_t)
And eliminate a lot of other rules. Like (nscd, netlink_route_socket)
I like to avoid
domain_auto_trans(unconfined_t, oracle_exec_t, oracle_t)
And only have the transition happen in the init scripts. Transitioning
directly from unconfined_t ends up with lots of avcs when users do stuff
like
confined_app >> ~/mylog
Also you might be able to eliminate the ability to write to terminals by
doing this.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: oracle policy
2007-05-04 16:07 ` Daniel J Walsh
@ 2007-07-02 22:37 ` rob myers
2007-07-03 17:31 ` Daniel J Walsh
2007-07-03 17:34 ` Daniel J Walsh
0 siblings, 2 replies; 7+ messages in thread
From: rob myers @ 2007-07-02 22:37 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
[-- Attachment #1: Type: text/plain, Size: 2818 bytes --]
On Fri, 2007-05-04 at 12:07 -0400, Daniel J Walsh wrote:
> rob myers wrote:
> > hello
> >
> > i am working on writing some SELinux policy that will confine oracle to
> > its own domain on a RHEL5 machine running targeted policy. my security
> > goal is to limit risk to the rest of the system from any potential
> > compromise of oracle. as far as i know, no such policy exists publicly
> > yet. i'd like to collaborate with anyone else that has an interest in
> > writing a similar policy for oracle. my initial efforts are attached.
> > tips, pointers, and constructive criticism requested!
> I like to minimize the number of context in the file context, The more
> files in the context the more likely you are to get one wrong.
> One general rule I use is if you domain does not need to modify a
> file/directory, you should use the system defaults. (Unless you want to
> prevent other confined domains from reading the files, for security
> purposes). So do you really need oracle_ro_t?
nope, not for my current security goals. thanks for pointing that out.
> The only file that should be labeled oracle_exec_t is the domains entry
> point. Helper apps should be just labeled bin_t. Or even better break
> the helper apps and write policy for their specific tasks. But this is
> a lot more work.
again, you are correct. there are many helper apps that do not need to
be labeled oracle_exec_t. i've pared the list of binaries with
oracle_exec_t down to those that are called by the init script and that
need to be run in oracle_t.
i'm not sure what you mean by breaking the helper apps and writing
policy for their specific tasks. could you refer me to an example or
explain a bit more?
> I like to avoid
> domain_auto_trans(unconfined_t, oracle_exec_t, oracle_t)
>
> And only have the transition happen in the init scripts. Transitioning
> directly from unconfined_t ends up with lots of avcs when users do stuff
> like
>
> confined_app >> ~/mylog
>
> Also you might be able to eliminate the ability to write to terminals by
> doing this.
this did not obviate the need to write to terminals. only transitioning
from init also introduces another problem- when a dbadmin stops and
restarts the database, the database comes back up in unconfined_t. is
there a more elegant way to ensure that the database runs in oracle_t
than using domain_auto_trans()?
it seems a bit wacky for me to create a
corenet_dontaudit_tcp_connect_snmp_port interface as part of the oracle
interfaces... is there already a similar interface that i missed? if
not, what is the correct way to do this?
the attached policy should incorporate all of your helpful suggestions,
and i believe it is much better as a result. thanks again, and please
let me know how i can improve this version, too.
rob.
[-- Attachment #2: oracle.fc --]
[-- Type: text/plain, Size: 2020 bytes --]
#
# $Id: oracle.fc 885 2007-04-30 17:42:45Z rm153 $
#
# store database files in /u0X
/u0[0-9](/.*)? gen_context(system_u:object_r:oracle_db_t,s0)
# store database specific files under /opt/oracle/admin/$ORACLE_SID hierarchy
# treat dump files and audits as log files
/opt/oracle/admin/(.*/)?(a|b|c|u)dump(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
/opt/oracle/admin/(.*/)?audit(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
# otherwise these would default to bin_t
/opt/oracle/product/(.*/)?bin/dbshut gen_context(system_u:object_r:oracle_exec_t,s0)
/opt/oracle/product/(.*/)?bin/dbstart gen_context(system_u:object_r:oracle_exec_t,s0)
/opt/oracle/product/(.*/)?bin/lsnrctl gen_context(system_u:object_r:oracle_exec_t,s0)
/opt/oracle/product/(.*/)?bin/oracle gen_context(system_u:object_r:oracle_exec_t,s0)
/opt/oracle/product/(.*/)?bin/oracle0 gen_context(system_u:object_r:oracle_exec_t,s0)
/opt/oracle/product/(.*/)?bin/sqlplus gen_context(system_u:object_r:oracle_exec_t,s0)
/opt/oracle/product/(.*/)?bin/tnslsnr gen_context(system_u:object_r:oracle_exec_t,s0)
# many jars are not located under lib, jre, or java directories
/opt/oracle/product/(.*/)?.+\.jar gen_context(system_u:object_r:shlib_t,s0)
# otherwise these would default to shlib_t
/opt/oracle/product/(.*/)?lib/libclntsh\.so\.10.* gen_context(system_u:object_r:texrel_shlib_t,s0)
/opt/oracle/product/(.*/)?lib/libjox10\.so gen_context(system_u:object_r:texrel_shlib_t,s0)
# certain logs are kept under the ORACLE_HOME hierarchy
/opt/oracle/product/(.*/)?dbs(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
/opt/oracle/product/(.*/)?log(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
/opt/oracle/product/(.*/)?rdbms/audit(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
# otherwise this would be unlabeled
/var/tmp/.oracle(/.*)? gen_context(user_u:object_r:oracle_tmp_t,s0)
[-- Attachment #3: oracle.if --]
[-- Type: text/plain, Size: 2043 bytes --]
## <summary>Oracle policy</summary>
## <desc>
## <p>
## Oracle policy $Id: oracle.if 885 2007-04-30 17:42:45Z rm153 $
## </p>
## </desc>
############################################################
## <summary>
## Send and receive TCP traffic on an oracle port
## </summary>
## <desc>
## <p>
## Use this interface to send and receive TCP traffic on
## the oracle port
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`corenet_tcp_sendrecv_oracle_port',`
gen_require(`
type oracle_port_t;
')
allow $1 oracle_port_t:tcp_socket { send_msg recv_msg };
')
############################################################
## <summary>
## Bind to a TCP oracle port
## </summary>
## <desc>
## <p>
## Use this interface to bind to a TCP oracle port
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`corenet_tcp_bind_oracle_port',`
gen_require(`
type oracle_port_t;
')
allow $1 oracle_port_t:tcp_socket name_bind;
')
############################################################
## <summary>
## Connect to an oracle TCP port
## </summary>
## <desc>
## <p>
## Use this interface to connect to an oracle TCP port
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`corenet_tcp_connect_oracle_port',`
gen_require(`
type oracle_port_t;
')
allow $1 oracle_port_t:tcp_socket name_connect;
')
############################################################
## <summary>
## Do not audit attempts to make a TCP connection to the snmp port.
## </summary>
## <desc>
## <p>
## Use this interface to prevent auditing attempts to make a TCP connection to the snmp port.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain not to audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_tcp_connect_snmp_port',`
gen_require(`
type snmp_port_t;
')
dontaudit $1 snmp_port_t:tcp_socket name_connect;
')
[-- Attachment #4: oracle.te --]
[-- Type: text/plain, Size: 3910 bytes --]
policy_module(oracle,1.0.0)
########################################
#
# $Id: oracle.te 885 2007-04-30 17:42:45Z rm153 $
#
type oracle_t;
domain_type(oracle_t)
## Type for log files
type oracle_log_t;
logging_log_file(oracle_log_t)
allow oracle_t oracle_log_t:file { unlink create rw_file_perms setattr };
allow oracle_t oracle_log_t:dir { setattr rw_dir_perms };
logging_log_filetrans(oracle_t,oracle_log_t,{file dir})
## Type for database files
type oracle_db_t;
files_config_file(oracle_db_t)
allow oracle_t oracle_db_t:file { getattr read create_file_perms };
allow oracle_t oracle_db_t:dir { create_dir_perms };
## Type for temporary files
type oracle_tmp_t;
files_tmp_file(oracle_tmp_t)
allow oracle_t oracle_tmp_t:file { create_file_perms };
allow oracle_t oracle_tmp_t:dir { create_dir_perms };
allow oracle_t oracle_tmp_t:sock_file { create_file_perms };
files_tmp_filetrans(oracle_t, oracle_tmp_t, { file dir sock_file })
## Type for the daemon
type oracle_exec_t;
files_type(oracle_exec_t)
domain_entry_file(oracle_t, oracle_exec_t)
## Allow init to run oracle_exec_t programs in oracle_t
init_daemon_domain(oracle_t, oracle_exec_t)
# read /proc
kernel_getattr_proc_files(oracle_t)
kernel_read_proc_symlinks(oracle_t)
# localization support
miscfiles_read_localization(oracle_t)
###
## networking
#
# define oracle ports
type oracle_port_t;
# for refpolicy-20070629
#corenet_port(oracle_port_t)
# for RHEL5 policy
corenet_port_type(oracle_port_t)
#
# you cannot create ports in a policy module so use semanage instead
# - https://www.redhat.com/archives/fedora-selinux-list/2007-April/msg00078.html
# portcon tcp 1521 system_u:object_r:oracle_port_t:s0;
# semanage port -a -t oracle_port_t -p tcp 1521
# allow sending and receiving on oracle ports
corenet_tcp_bind_oracle_port(oracle_t)
corenet_tcp_sendrecv_oracle_port(oracle_t)
corenet_tcp_connect_oracle_port(oracle_t)
# allow oracle to send traffic to all nodes
# for refpolicy-20070629
#corenet_all_recvfrom_unlabeled(oracle_t)
# for RHEL5 policy
corenet_non_ipsec_sendrecv(oracle_t)
corenet_tcp_bind_all_nodes(oracle_t)
corenet_udp_bind_all_nodes(oracle_t)
corenet_tcp_sendrecv_all_if(oracle_t)
corenet_udp_sendrecv_all_if(oracle_t)
corenet_tcp_sendrecv_all_nodes(oracle_t)
corenet_udp_sendrecv_all_nodes(oracle_t)
corenet_tcp_connect_generic_port(oracle_t)
###
## Allow oracle to query ldap server
#
sysnet_use_ldap(oracle_t)
auth_use_nsswitch(oracle_t)
###
## executables
#
corecmd_exec_bin(oracle_t)
###
## Allow access to shared libraries
#
libs_use_ld_so(oracle_t)
libs_use_shared_libs(oracle_t)
###
## Allow read system settings and state
#
kernel_read_all_sysctls(oracle_t)
sysnet_read_config(oracle_t)
kernel_read_system_state(oracle_t)
###
## Allow read /etc.
#
files_read_etc_files(oracle_t)
###
## Allow read (and write) /dev/zero
#
dev_rw_zero(oracle_t)
###
## Allow read of random devices
#
dev_read_rand(oracle_t)
dev_read_urand(oracle_t)
###
## Allow read and write to terminals
#
term_use_all_user_ptys(oracle_t)
###
## Allow read and writing to shared memory
#
fs_rw_tmpfs_files(oracle_t)
###
## Allow reading of usr files
#
files_read_usr_files(oracle_t)
###
## additional oracle related permissions
#
allow oracle_t self:file { rw_file_perms };
allow oracle_t self:fifo_file { rw_file_perms };
allow oracle_t self:process { setpgid getsched };
allow oracle_t self:sem create_sem_perms;
allow oracle_t self:shm create_shm_perms;
allow oracle_t self:fd use;
allow oracle_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow oracle_t self:udp_socket create_socket_perms;
allow oracle_t self:tcp_socket create_stream_socket_perms;
allow oracle_t self:process execmem;
allow oracle_t oracle_exec_t:file execute_no_trans;
###
## Allow oracle to get attributes of filesystems
#
fs_getattr_all_fs(oracle_t)
###
## don't audit
#
corenet_dontaudit_tcp_connect_snmp_port(oracle_t)
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: oracle policy
2007-07-02 22:37 ` rob myers
@ 2007-07-03 17:31 ` Daniel J Walsh
2007-07-03 17:34 ` Daniel J Walsh
1 sibling, 0 replies; 7+ messages in thread
From: Daniel J Walsh @ 2007-07-03 17:31 UTC (permalink / raw)
To: rob myers; +Cc: SELinux
rob myers wrote:
> On Fri, 2007-05-04 at 12:07 -0400, Daniel J Walsh wrote:
>
>> rob myers wrote:
>>
>>> hello
>>>
>>> i am working on writing some SELinux policy that will confine oracle to
>>> its own domain on a RHEL5 machine running targeted policy. my security
>>> goal is to limit risk to the rest of the system from any potential
>>> compromise of oracle. as far as i know, no such policy exists publicly
>>> yet. i'd like to collaborate with anyone else that has an interest in
>>> writing a similar policy for oracle. my initial efforts are attached.
>>> tips, pointers, and constructive criticism requested!
>>>
>
>
>> I like to minimize the number of context in the file context, The more
>> files in the context the more likely you are to get one wrong.
>> One general rule I use is if you domain does not need to modify a
>> file/directory, you should use the system defaults. (Unless you want to
>> prevent other confined domains from reading the files, for security
>> purposes). So do you really need oracle_ro_t?
>>
>
> nope, not for my current security goals. thanks for pointing that out.
>
>
>> The only file that should be labeled oracle_exec_t is the domains entry
>> point. Helper apps should be just labeled bin_t. Or even better break
>> the helper apps and write policy for their specific tasks. But this is
>> a lot more work.
>>
>
> again, you are correct. there are many helper apps that do not need to
> be labeled oracle_exec_t. i've pared the list of binaries with
> oracle_exec_t down to those that are called by the init script and that
> need to be run in oracle_t.
>
> i'm not sure what you mean by breaking the helper apps and writing
> policy for their specific tasks. could you refer me to an example or
> explain a bit more?
>
>
>> I like to avoid
>> domain_auto_trans(unconfined_t, oracle_exec_t, oracle_t)
>>
>> And only have the transition happen in the init scripts. Transitioning
>> directly from unconfined_t ends up with lots of avcs when users do stuff
>> like
>>
>> confined_app >> ~/mylog
>>
>> Also you might be able to eliminate the ability to write to terminals by
>> doing this.
>>
>
> this did not obviate the need to write to terminals. only transitioning
> from init also introduces another problem- when a dbadmin stops and
> restarts the database, the database comes back up in unconfined_t. is
> there a more elegant way to ensure that the database runs in oracle_t
> than using domain_auto_trans()?
>
> it seems a bit wacky for me to create a
> corenet_dontaudit_tcp_connect_snmp_port interface as part of the oracle
> interfaces... is there already a similar interface that i missed? if
> not, what is the correct way to do this?
>
> the attached policy should incorporate all of your helpful suggestions,
> and i believe it is much better as a result. thanks again, and please
> let me know how i can improve this version, too.
>
> rob.
>
Looks good.
allow oracle_t oracle_exec_t:file execute_no_trans;
Should be
can_exec(oracle_t, oracle_exec_t)
allow oracle_t self:process { setpgid getsched };
allow oracle_t self:process execmem;
Combine these.
Now see if Chris PeBenito will take your policy upstream :^)
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: oracle policy
2007-07-02 22:37 ` rob myers
2007-07-03 17:31 ` Daniel J Walsh
@ 2007-07-03 17:34 ` Daniel J Walsh
2007-07-31 20:41 ` rob myers
1 sibling, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2007-07-03 17:34 UTC (permalink / raw)
To: rob myers; +Cc: SELinux
rob myers wrote:
> On Fri, 2007-05-04 at 12:07 -0400, Daniel J Walsh wrote:
>
>> rob myers wrote:
>>
>>> hello
>>>
>>> i am working on writing some SELinux policy that will confine oracle to
>>> its own domain on a RHEL5 machine running targeted policy. my security
>>> goal is to limit risk to the rest of the system from any potential
>>> compromise of oracle. as far as i know, no such policy exists publicly
>>> yet. i'd like to collaborate with anyone else that has an interest in
>>> writing a similar policy for oracle. my initial efforts are attached.
>>> tips, pointers, and constructive criticism requested!
>>>
>
>
>> I like to minimize the number of context in the file context, The more
>> files in the context the more likely you are to get one wrong.
>> One general rule I use is if you domain does not need to modify a
>> file/directory, you should use the system defaults. (Unless you want to
>> prevent other confined domains from reading the files, for security
>> purposes). So do you really need oracle_ro_t?
>>
>
> nope, not for my current security goals. thanks for pointing that out.
>
>
>> The only file that should be labeled oracle_exec_t is the domains entry
>> point. Helper apps should be just labeled bin_t. Or even better break
>> the helper apps and write policy for their specific tasks. But this is
>> a lot more work.
>>
>
> again, you are correct. there are many helper apps that do not need to
> be labeled oracle_exec_t. i've pared the list of binaries with
> oracle_exec_t down to those that are called by the init script and that
> need to be run in oracle_t.
>
> i'm not sure what you mean by breaking the helper apps and writing
> policy for their specific tasks. could you refer me to an example or
> explain a bit more?
>
If you look at postfix, you will see a good example. The idea of least
privs is to give an app the least privs it needs to do a job.
As an example if your oracle app needed r/w access to the disk in order
to format it in a particular way, and the way it did this was to exec
/usr/bin/oracle_disk_format You could give oracle_t
fixed_disk_device_t:blk_file manage_blk_device_t; Or you could generate
a policy for oracle_disk_format_t,
and only give the helper app that permission. Oracle would only be
able to format the disk through the execing of the helper app.
>
>> I like to avoid
>> domain_auto_trans(unconfined_t, oracle_exec_t, oracle_t)
>>
>> And only have the transition happen in the init scripts. Transitioning
>> directly from unconfined_t ends up with lots of avcs when users do stuff
>> like
>>
>> confined_app >> ~/mylog
>>
>> Also you might be able to eliminate the ability to write to terminals by
>> doing this.
>>
>
> this did not obviate the need to write to terminals. only transitioning
> from init also introduces another problem- when a dbadmin stops and
> restarts the database, the database comes back up in unconfined_t. is
> there a more elegant way to ensure that the database runs in oracle_t
> than using domain_auto_trans()?
>
>
What is the command to stop and start the oracle database? service
oracle restart
should do the correct thing.
> it seems a bit wacky for me to create a
> corenet_dontaudit_tcp_connect_snmp_port interface as part of the oracle
> interfaces... is there already a similar interface that i missed? if
> not, what is the correct way to do this?
>
>
Why is oracle trying to connect to the snmp port, and why do you want to
prevent it?
> the attached policy should incorporate all of your helpful suggestions,
> and i believe it is much better as a result. thanks again, and please
> let me know how i can improve this version, too.
>
> rob.
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: oracle policy
2007-07-03 17:34 ` Daniel J Walsh
@ 2007-07-31 20:41 ` rob myers
2007-07-31 23:18 ` rob myers
0 siblings, 1 reply; 7+ messages in thread
From: rob myers @ 2007-07-31 20:41 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
[-- Attachment #1: Type: text/plain, Size: 3333 bytes --]
On Tue, 2007-07-03 at 13:34 -0400, Daniel J Walsh wrote:
> rob myers wrote:
> >
> > i'm not sure what you mean by breaking the helper apps and writing
> > policy for their specific tasks. could you refer me to an example or
> > explain a bit more?
> >
> If you look at postfix, you will see a good example. The idea of least
> privs is to give an app the least privs it needs to do a job.
>
> As an example if your oracle app needed r/w access to the disk in order
> to format it in a particular way, and the way it did this was to exec
> /usr/bin/oracle_disk_format You could give oracle_t
> fixed_disk_device_t:blk_file manage_blk_device_t; Or you could generate
> a policy for oracle_disk_format_t,
> and only give the helper app that permission. Oracle would only be
> able to format the disk through the execing of the helper app.
ok, that makes sense. the attached policy is a rewrite that attempts to
implement this suggestion. feedback is always appreciated.
> >> I like to avoid
> >> domain_auto_trans(unconfined_t, oracle_exec_t, oracle_t)
> >>
> >> And only have the transition happen in the init scripts. Transitioning
> >> directly from unconfined_t ends up with lots of avcs when users do stuff
> >> like
> >>
> >> confined_app >> ~/mylog
> >>
> >> Also you might be able to eliminate the ability to write to terminals by
> >> doing this.
> >>
> >
> > this did not obviate the need to write to terminals. only transitioning
> > from init also introduces another problem- when a dbadmin stops and
> > restarts the database, the database comes back up in unconfined_t. is
> > there a more elegant way to ensure that the database runs in oracle_t
> > than using domain_auto_trans()?
> >
> >
> What is the command to stop and start the oracle database? service
> oracle restart should do the correct thing.
the init script starts oracle like this:
daemon --user oracle dbstart ALL
dbstart is a shell script that eventually calls sqlplus like so:
sqlplus /nolog <<EOF
connect / as sysdba
startup pfile=$PFILE
EOF
and sqlplus is the oracle PL/SQL command line tool which eventually
calls the oracle binary.
the problem is that database admins do not start and stop the database
using "service". they either use shell scripts that call sqlplus, or
they use sqlplus directly to start and stop the database. thus, the
transition from init is not sufficient to insure that oracle runs
confined. i've re-enabled the auto transition for now.
> > it seems a bit wacky for me to create a
> > corenet_dontaudit_tcp_connect_snmp_port interface as part of the oracle
> > interfaces... is there already a similar interface that i missed? if
> > not, what is the correct way to do this?
> >
> >
> Why is oracle trying to connect to the snmp port, and why do you want to
> prevent it?
the oracle listener tries to connect to the tcp smux port on localhost
to determine if SNMP support should be enabled. in the spirit of least
privilege, i wanted to prevent SNMP access because i do not use that
feature. i created a tunable in case others desire SNMP support.
rob.
ps- for more information, there is a decent diagram that helps show how
oracle and interacts with its helper apps and files here:
http://www.oracle.com/technology/tech/migration/isv/docs/OracleArchitectureOverview.pdf
[-- Attachment #2: oracle.fc --]
[-- Type: text/plain, Size: 1970 bytes --]
#
# $Id: oracle.fc 885 2007-04-30 17:42:45Z rm153 $
#
# store database files in /u0X
/u0[0-9](/.*)? gen_context(system_u:object_r:oracle_dbfile_t,s0)
# store database specific files under /opt/oracle/admin/$ORACLE_SID hierarchy
# treat dump files and audits as log files
/opt/oracle/admin/(.*/)?(a|b|c|u)dump(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
/opt/oracle/admin/(.*/)?audit(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
# otherwise these would default to bin_t
/opt/oracle/product/(.*/)?bin/dbshut gen_context(system_u:object_r:oracle_script_exec_t,s0)
/opt/oracle/product/(.*/)?bin/dbstart gen_context(system_u:object_r:oracle_script_exec_t,s0)
/opt/oracle/product/(.*/)?bin/lsnrctl gen_context(system_u:object_r:oracle_lsnrctl_exec_t,s0)
/opt/oracle/product/(.*/)?bin/oracle gen_context(system_u:object_r:oracle_db_exec_t,s0)
/opt/oracle/product/(.*/)?bin/sqlplus gen_context(system_u:object_r:oracle_sqlplus_exec_t,s0)
/opt/oracle/product/(.*/)?bin/tnslsnr gen_context(system_u:object_r:oracle_tnslsnr_exec_t,s0)
# many jars are not located under lib, jre, or java directories
/opt/oracle/product/(.*/)?.+\.jar gen_context(system_u:object_r:shlib_t,s0)
# otherwise these would default to shlib_t
/opt/oracle/product/(.*/)?lib/libclntsh\.so\.10.* gen_context(system_u:object_r:texrel_shlib_t,s0)
/opt/oracle/product/(.*/)?lib/libjox10\.so gen_context(system_u:object_r:texrel_shlib_t,s0)
# certain logs are kept under the ORACLE_HOME hierarchy
/opt/oracle/product/(.*/)?dbs(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
/opt/oracle/product/(.*/)?log(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
/opt/oracle/product/(.*/)?rdbms/audit(/.*)? gen_context(user_u:object_r:oracle_log_t,s0)
# otherwise this would be unlabeled
/var/tmp/.oracle(/.*)? gen_context(user_u:object_r:oracle_tmp_t,s0)
[-- Attachment #3: oracle.if --]
[-- Type: text/plain, Size: 5204 bytes --]
## <summary>Oracle policy</summary>
## <desc>
## <p>
## Oracle policy $Id: oracle.if 885 2007-04-30 17:42:45Z rm153 $
## </p>
## </desc>
########################################
## <summary>
## Creates types and rules common to all oracle processes
## </summary>
## <param name="prefix">
## <summary>
## The domain.
## </summary>
## </param>
#
template(`oracle_common_template',`
gen_require(`
type oracle_tmp_t;
type oracle_log_t;
')
# Define domain type
type oracle_$1_t;
domain_type(oracle_$1_t)
# Define file type
type oracle_$1_exec_t;
files_type(oracle_$1_exec_t)
# Create an entry point
domain_entry_file(oracle_$1_t, oracle_$1_exec_t)
# Allow access to shared libraries
libs_use_ld_so(oracle_$1_t)
libs_use_shared_libs(oracle_$1_t)
# Allow read access to generic files
files_read_usr_files(oracle_$1_t)
# Allow read access to etc files
files_read_etc_files(oracle_$1_t)
# Allow read access to tmp files
files_list_tmp(oracle_$1_t)
# localization support
miscfiles_read_localization(oracle_$1_t)
# Allow sending traffic to all nodes
# for refpolicy-20070629
corenet_all_recvfrom_unlabeled(oracle_$1_t)
# for RHEL5 policy
#corenet_non_ipsec_sendrecv(oracle_$1_t)
# Allow socket creation
allow oracle_$1_t self:udp_socket create_socket_perms;
allow oracle_$1_t self:tcp_socket create_stream_socket_perms;
logging_log_filetrans(oracle_$1_t,oracle_log_t,{ file dir })
files_tmp_filetrans(oracle_$1_t, oracle_tmp_t, { file dir sock_file })
# Allow access to oracle temporary files
allow oracle_$1_t oracle_tmp_t:file { create_file_perms };
allow oracle_$1_t oracle_tmp_t:dir { create_dir_perms };
allow oracle_$1_t oracle_tmp_t:sock_file { create_file_perms };
# Allow access to oracle log files
allow oracle_$1_t oracle_log_t:file { unlink create rw_file_perms setattr };
allow oracle_$1_t oracle_log_t:dir { setattr rw_dir_perms };
')
########################################
## <summary>
## Creates rules for oracle processes that
## interact with the user
## </summary>
## <param name="prefix">
## <summary>
## Prefix for the domain.
## </summary>
## </param>
#
template(`oracle_ui_template',`
# get common types and rules
oracle_common_template($1)
# Allow init to run oracle applications in the correct domain
init_daemon_domain(oracle_$1_t, oracle_$1_exec_t)
# Allow user interaction via pty
term_use_all_user_ptys(oracle_$1_t)
# Allow fifo creation to self
allow oracle_$1_t self:fifo_file { create_file_perms };
# Allow network init to read network config files
sysnet_read_config(oracle_$1_t)
')
########################################
## <summary>
## Creates types and rules for oracle server processes
## </summary>
## <param name="prefix">
## <summary>
## Prefix for the domain.
## </summary>
## </param>
#
template(`oracle_server_template',`
# get common types and rules
oracle_common_template($1)
# Allow read and writing to shared memory
fs_rw_tmpfs_files(oracle_$1_t)
# Allow getting attributes of filesystems
fs_getattr_all_fs(oracle_$1_t)
# Allow querying an ldap server
sysnet_use_ldap(oracle_$1_t)
auth_use_nsswitch(oracle_$1_t)
# Do not audit server processes trying to access ptys
dontaudit oracle_$1_t devpts_t:chr_file { read write };
')
############################################################
## <summary>
## Send and receive TCP traffic on an oracle port
## </summary>
## <desc>
## <p>
## Use this interface to send and receive TCP traffic on
## the oracle port
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`corenet_tcp_sendrecv_oracle_port',`
gen_require(`
type oracle_port_t;
')
allow $1 oracle_port_t:tcp_socket { send_msg recv_msg };
')
############################################################
## <summary>
## Bind to a TCP oracle port
## </summary>
## <desc>
## <p>
## Use this interface to bind to a TCP oracle port
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`corenet_tcp_bind_oracle_port',`
gen_require(`
type oracle_port_t;
')
allow $1 oracle_port_t:tcp_socket name_bind;
')
############################################################
## <summary>
## Connect to an oracle TCP port
## </summary>
## <desc>
## <p>
## Use this interface to connect to an oracle TCP port
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`corenet_tcp_connect_oracle_port',`
gen_require(`
type oracle_port_t;
')
allow $1 oracle_port_t:tcp_socket name_connect;
')
############################################################
## <summary>
## Do not audit attempts to make a TCP connection to the snmp port.
## </summary>
## <desc>
## <p>
## Use this interface to prevent auditing attempts to make a TCP connection to the snmp port.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain not to audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_tcp_connect_snmp_port',`
gen_require(`
type snmp_port_t;
')
dontaudit $1 snmp_port_t:tcp_socket name_connect;
')
[-- Attachment #4: oracle.te --]
[-- Type: text/plain, Size: 4217 bytes --]
policy_module(oracle,1.0.0)
########################################
#
# $Id: oracle.te 885 2007-04-30 17:42:45Z rm153 $
#
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow oracle SNMP support.
## </p>
## </desc>
gen_tunable(oracle_snmp_support,false)
########################################
#
# Policy
#
# Type for log files
type oracle_log_t;
logging_log_file(oracle_log_t)
# Type for temporary files
type oracle_tmp_t;
files_tmp_file(oracle_tmp_t)
oracle_server_template(db)
oracle_server_template(tnslsnr)
oracle_ui_template(lsnrctl)
oracle_ui_template(sqlplus)
# Alias scripts (e.g., dbstart, dbshut) to sqlplus
typealias oracle_sqlplus_t alias oracle_script_t;
typealias oracle_sqlplus_exec_t alias oracle_script_exec_t;
# Type for database files
type oracle_dbfile_t;
files_config_file(oracle_dbfile_t)
# Allow the oracle process to write to the db files
allow oracle_db_t oracle_dbfile_t:file { getattr read create_file_perms };
allow oracle_db_t oracle_dbfile_t:dir { create_dir_perms };
# Automatically transition to the correct domain
ifdef(`targeted_policy', `
domain_auto_trans(oracle_sqlplus_t, oracle_db_exec_t, oracle_db_t)
domain_auto_trans(oracle_lsnrctl_t, oracle_tnslsnr_exec_t, oracle_tnslsnr_t)
domain_auto_trans(unconfined_t, oracle_sqlplus_exec_t, oracle_sqlplus_t)
domain_auto_trans(unconfined_t, oracle_lsnrctl_exec_t, oracle_lsnrctl_t)
')
###
## networking
#
# define oracle ports
type oracle_port_t;
# for refpolicy-20070629
corenet_port(oracle_port_t)
# for RHEL5 policy
#corenet_port_type(oracle_port_t)
#
# you cannot create ports in a policy module so use semanage instead
# - https://www.redhat.com/archives/fedora-selinux-list/2007-April/msg00078.html
# semanage port -a -t oracle_port_t -p tcp 1521
# allow sending and receiving on oracle ports
corenet_tcp_bind_oracle_port(oracle_tnslsnr_t)
corenet_tcp_sendrecv_oracle_port(oracle_tnslsnr_t)
corenet_tcp_connect_oracle_port(oracle_lsnrctl_t)
corenet_tcp_connect_oracle_port(oracle_tnslsnr_t)
corenet_tcp_connect_oracle_port(oracle_db_t)
corenet_tcp_bind_all_nodes(oracle_tnslsnr_t)
corenet_udp_bind_all_nodes(oracle_tnslsnr_t)
corenet_tcp_sendrecv_all_if(oracle_tnslsnr_t)
corenet_udp_sendrecv_all_if(oracle_tnslsnr_t)
corenet_tcp_sendrecv_all_nodes(oracle_tnslsnr_t)
corenet_udp_sendrecv_all_nodes(oracle_tnslsnr_t)
corenet_tcp_connect_generic_port(oracle_tnslsnr_t)
corenet_udp_bind_lo_node(oracle_db_t)
corenet_udp_bind_lo_node(oracle_sqlplus_t)
###
## executables
#
corecmd_exec_bin(oracle_sqlplus_t)
corecmd_search_bin(oracle_lsnrctl_t)
corecmd_search_bin(oracle_db_t)
###
## devices
#
dev_read_rand(oracle_db_t)
dev_read_urand(oracle_db_t)
dev_rw_zero(oracle_db_t)
###
## Allow reading proc, system settings, and state
#
kernel_read_all_sysctls(oracle_sqlplus_t)
kernel_read_system_state(oracle_sqlplus_t)
kernel_read_all_sysctls(oracle_db_t)
kernel_read_system_state(oracle_db_t)
kernel_getattr_proc_files(oracle_db_t)
kernel_read_proc_symlinks(oracle_db_t)
###
## additional permissions
#
# Allow fifos
allow oracle_db_t self:fifo_file { rw_file_perms };
# Allow semaphores and shared memory
allow oracle_db_t self:sem create_sem_perms;
allow oracle_db_t self:shm create_shm_perms;
# Allow execing
can_exec(oracle_db_t, oracle_db_exec_t)
can_exec(oracle_sqlplus_t, oracle_sqlplus_exec_t)
# Allow tnslsnr to use lsnrctl fds
allow oracle_tnslsnr_t oracle_lsnrctl_t:fd use;
allow oracle_tnslsnr_t oracle_lsnrctl_t:fifo_file { rw_file_perms };
# Allow tnslsnr to execmem
allow oracle_tnslsnr_t self:process { execmem };
# Allow oracle db to use sqlplus fds and to signal
allow oracle_db_t oracle_sqlplus_t:fd use;
allow oracle_db_t oracle_sqlplus_t:fifo_file { rw_file_perms };
allow oracle_db_t oracle_sqlplus_t:process sigchld;
# Allow lsnrctl to connect to tnslsnr via unix stream socket
allow oracle_lsnrctl_t oracle_tnslsnr_t:unix_stream_socket connectto;
# Allow sqlplus to get filesystem attributes
fs_getattr_all_fs(oracle_sqlplus_t)
tunable_policy(`oracle_snmp_support',`
corenet_tcp_connect_snmp_port(oracle_tnslsnr_t)
corenet_tcp_sendrecv_snmp_port(oracle_tnslsnr_t)
',`
corenet_dontaudit_tcp_connect_snmp_port(oracle_tnslsnr_t)
')
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: oracle policy
2007-07-31 20:41 ` rob myers
@ 2007-07-31 23:18 ` rob myers
0 siblings, 0 replies; 7+ messages in thread
From: rob myers @ 2007-07-31 23:18 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
On Tue, 2007-07-31 at 16:41 -0400, rob myers wrote:
> On Tue, 2007-07-03 at 13:34 -0400, Daniel J Walsh wrote:
> > rob myers wrote:
> > >
> > > i'm not sure what you mean by breaking the helper apps and writing
> > > policy for their specific tasks. could you refer me to an example or
> > > explain a bit more?
> > >
> > If you look at postfix, you will see a good example. The idea of least
> > privs is to give an app the least privs it needs to do a job.
> >
> > As an example if your oracle app needed r/w access to the disk in order
> > to format it in a particular way, and the way it did this was to exec
> > /usr/bin/oracle_disk_format You could give oracle_t
> > fixed_disk_device_t:blk_file manage_blk_device_t; Or you could generate
> > a policy for oracle_disk_format_t,
> > and only give the helper app that permission. Oracle would only be
> > able to format the disk through the execing of the helper app.
>
> ok, that makes sense. the attached policy is a rewrite that attempts to
> implement this suggestion. feedback is always appreciated.
this patch might help, too.
--- oracle.te.orig 2007-07-31 19:12:11.000000000 -0400
+++ oracle.te 2007-07-31 19:12:46.000000000 -0400
@@ -48,9 +48,10 @@ allow oracle_db_t oracle_dbfile_t:file {
allow oracle_db_t oracle_dbfile_t:dir { create_dir_perms };
# Automatically transition to the correct domain
+domain_auto_trans(oracle_sqlplus_t, oracle_db_exec_t, oracle_db_t)
+domain_auto_trans(oracle_lsnrctl_t, oracle_tnslsnr_exec_t, oracle_tnslsnr_t)
+
ifdef(`targeted_policy', `
- domain_auto_trans(oracle_sqlplus_t, oracle_db_exec_t, oracle_db_t)
- domain_auto_trans(oracle_lsnrctl_t, oracle_tnslsnr_exec_t, oracle_tnslsnr_t)
domain_auto_trans(unconfined_t, oracle_sqlplus_exec_t, oracle_sqlplus_t)
domain_auto_trans(unconfined_t, oracle_lsnrctl_exec_t, oracle_lsnrctl_t)
')
kind regards.
rob.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2007-07-31 23:18 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-04-30 21:37 oracle policy rob myers
2007-05-04 16:07 ` Daniel J Walsh
2007-07-02 22:37 ` rob myers
2007-07-03 17:31 ` Daniel J Walsh
2007-07-03 17:34 ` Daniel J Walsh
2007-07-31 20:41 ` rob myers
2007-07-31 23:18 ` rob myers
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.