SELinux Mailing List — Re: oracle policy
From: rob myers <rob.myers_at_gtri.gatech.edu>
Date: Tue, 31 Jul 2007 16:41:26 -0400
ok, that makes sense. the attached policy is a rewrite that attempts to implement this suggestion. feedback is always appreciated.
> >> I like to avoid the init script starts oracle like this: daemon --user oracle dbstart ALL dbstart is a shell script that eventually calls sqlplus like so:
sqlplus /nolog <<EOF
the problem is that database admins do not start and stop the database using "service". they either use shell scripts that call sqlplus, or they use sqlplus directly to start and stop the database. thus, the transition from init is not sufficient to ensure that oracle runs confined. i've re-enabled the auto transition for now.
> > it seems a bit wacky for me to create a the oracle listener tries to connect to the tcp smux port on localhost to determine if SNMP support should be enabled. in the spirit of least privilege, i wanted to prevent SNMP access because i do not use that feature. i created a tunable in case others desire SNMP support. rob. ps- for more information, there is a decent diagram that helps show how oracle interacts with its helper apps and files here: http://www.oracle.com/technology/tech/migration/isv/docs/OracleArchitectureOverview.pdf
#
# $Id: oracle.fc 885 2007-04-30 17:42:45Z rm153 $
#
# File contexts for the oracle module. Each path is a regular expression.
# Entries are listed explicitly wherever the default label (bin_t, shlib_t,
# or unlabeled) would otherwise be applied.
#

# store database files in /u0X
/u0[0-9](/.*)?					gen_context(system_u:object_r:oracle_dbfile_t,s0)

# store database specific files under /opt/oracle/admin/$ORACLE_SID hierarchy
# treat dump files and audits as log files
# NOTE(review): the oracle_log_t and oracle_tmp_t entries below use user_u while
# the rest of this file uses system_u; refpolicy convention is system_u for
# file contexts - confirm whether user_u is intended
/opt/oracle/admin/(.*/)?(a|b|c|u)dump(/.*)?	gen_context(user_u:object_r:oracle_log_t,s0)
/opt/oracle/admin/(.*/)?audit(/.*)?		gen_context(user_u:object_r:oracle_log_t,s0)

# otherwise these would default to bin_t
# dbshut and dbstart get oracle_script_exec_t, which oracle.te aliases to
# oracle_sqlplus_exec_t, so the scripts and sqlplus share one domain
/opt/oracle/product/(.*/)?bin/dbshut		gen_context(system_u:object_r:oracle_script_exec_t,s0)
/opt/oracle/product/(.*/)?bin/dbstart		gen_context(system_u:object_r:oracle_script_exec_t,s0)
/opt/oracle/product/(.*/)?bin/lsnrctl		gen_context(system_u:object_r:oracle_lsnrctl_exec_t,s0)
/opt/oracle/product/(.*/)?bin/oracle		gen_context(system_u:object_r:oracle_db_exec_t,s0)
/opt/oracle/product/(.*/)?bin/sqlplus		gen_context(system_u:object_r:oracle_sqlplus_exec_t,s0)
/opt/oracle/product/(.*/)?bin/tnslsnr		gen_context(system_u:object_r:oracle_tnslsnr_exec_t,s0)

# many jars are not located under lib, jre, or java directories
/opt/oracle/product/(.*/)?.+\.jar		gen_context(system_u:object_r:shlib_t,s0)

# otherwise these would default to shlib_t
# texrel_shlib_t is the label for libraries that need text relocations;
# only these two get it, everything else stays shlib_t
/opt/oracle/product/(.*/)?lib/libclntsh\.so\.10.*	gen_context(system_u:object_r:texrel_shlib_t,s0)
/opt/oracle/product/(.*/)?lib/libjox10\.so		gen_context(system_u:object_r:texrel_shlib_t,s0)

# certain logs are kept under the ORACLE_HOME hierarchy
/opt/oracle/product/(.*/)?dbs(/.*)?		gen_context(user_u:object_r:oracle_log_t,s0)
/opt/oracle/product/(.*/)?log(/.*)?		gen_context(user_u:object_r:oracle_log_t,s0)
/opt/oracle/product/(.*/)?rdbms/audit(/.*)?	gen_context(user_u:object_r:oracle_log_t,s0)

# otherwise this would be unlabeled
/var/tmp/.oracle(/.*)?				gen_context(user_u:object_r:oracle_tmp_t,s0)

# NOTE(review): the oracle.if module header (its summary and the opening of
# this desc block) is not present in this excerpt; only the closing tag survived
## </desc>

########################################
## <summary>
##	Creates types and rules common to all oracle processes
## </summary>
## <param name="prefix">
##	<summary>
##	The domain.
##	</summary>
## </param>
#
template(`oracle_common_template',`
	gen_require(`
		type oracle_tmp_t;
		type oracle_log_t;
	')

	# Define domain type
	type oracle_$1_t;
	domain_type(oracle_$1_t)

	# Define file type
	type oracle_$1_exec_t;
	files_type(oracle_$1_exec_t)

	# Create an entry point
	domain_entry_file(oracle_$1_t, oracle_$1_exec_t)

	# Allow access to shared libraries
	libs_use_ld_so(oracle_$1_t)
	libs_use_shared_libs(oracle_$1_t)

	# Allow read access to generic files
	files_read_usr_files(oracle_$1_t)

	# Allow read access to etc files
	files_read_etc_files(oracle_$1_t)

	# Allow listing the tmp directory (files_list_tmp, not a read of tmp files)
	files_list_tmp(oracle_$1_t)

	# localization support
	miscfiles_read_localization(oracle_$1_t)

	# Receive traffic from unlabeled peers
	# for refpolicy-20070629
	corenet_all_recvfrom_unlabeled(oracle_$1_t)
	# for RHEL5 policy
	#corenet_non_ipsec_sendrecv(oracle_$1_t)

	# Allow socket creation
	allow oracle_$1_t self:udp_socket create_socket_perms;
	allow oracle_$1_t self:tcp_socket create_stream_socket_perms;

	# Files and dirs created in log and tmp locations get the oracle types
	logging_log_filetrans(oracle_$1_t,oracle_log_t,{ file dir })
	files_tmp_filetrans(oracle_$1_t, oracle_tmp_t, { file dir sock_file })

	# Allow access to oracle temporary files
	allow oracle_$1_t oracle_tmp_t:file { create_file_perms };
	allow oracle_$1_t oracle_tmp_t:dir { create_dir_perms };
	allow oracle_$1_t oracle_tmp_t:sock_file { create_file_perms };

	# Allow access to oracle log files
	# NOTE(review): unlink lets every oracle domain delete files of type
	# oracle_log_t, which per oracle.fc includes the rdbms/audit and admin
	# audit directories - confirm delete is required rather than append only
	allow oracle_$1_t oracle_log_t:file { unlink create rw_file_perms setattr };
	allow oracle_$1_t oracle_log_t:dir { setattr rw_dir_perms };
')

########################################
## <summary>
##	Creates rules for oracle processes that
##	interact with the user
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
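##	</summary>
## </param>
#
template(`oracle_ui_template',`
	# get common types and rules
	oracle_common_template($1)

	# Allow init to run oracle applications in the correct domain
	init_daemon_domain(oracle_$1_t, oracle_$1_exec_t)

	# Allow user interaction via pty
	term_use_all_user_ptys(oracle_$1_t)

	# Allow fifo creation to self
	allow oracle_$1_t self:fifo_file { create_file_perms };

	# Allow network init to read network config files
	sysnet_read_config(oracle_$1_t)
')

########################################
## <summary>
##	Creates types and rules for oracle server processes
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`oracle_server_template',`
	# get common types and rules
	oracle_common_template($1)

	# Allow read and writing to shared memory
	fs_rw_tmpfs_files(oracle_$1_t)

	# Allow getting attributes of filesystems
	fs_getattr_all_fs(oracle_$1_t)

	# Allow querying an ldap server
	sysnet_use_ldap(oracle_$1_t)
	auth_use_nsswitch(oracle_$1_t)

	# Do not audit server processes trying to access ptys.
	# Use the terminal interface instead of naming devpts_t directly: a type
	# owned by another module is otherwise out of scope in a template unless
	# it is listed in a gen_require block, and this template had none.
	term_dontaudit_use_all_user_ptys(oracle_$1_t)
')

# NOTE(review): the interfaces below carry the corenet_ prefix although they
# are defined in this module; if the refpolicy release in use already generates
# corenet_*_oracle_port or corenet_dontaudit_tcp_connect_snmp_port in
# corenetwork.if, the names will collide - confirm before building

############################################################
## <summary>
##	Send and receive TCP traffic on an oracle port
## </summary>
## <desc>
##	<p>
##	Use this interface to send and receive TCP traffic on
##	the oracle port
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`corenet_tcp_sendrecv_oracle_port',`
	gen_require(`
		type oracle_port_t;
	')

	allow $1 oracle_port_t:tcp_socket { send_msg recv_msg };
')

############################################################
## <summary>
##	Bind to a TCP oracle port
## </summary>
## <desc>
##	<p>
##	Use this interface to bind to a TCP oracle port
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`corenet_tcp_bind_oracle_port',`
	gen_require(`
		type oracle_port_t;
	')

	allow $1 oracle_port_t:tcp_socket name_bind;
')

############################################################
## <summary>
##	Connect to an oracle TCP port
## </summary>
## <desc>
##	<p>
##	Use this interface to connect to an oracle TCP port
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`corenet_tcp_connect_oracle_port',`
	gen_require(`
		type oracle_port_t;
	')

	allow $1 oracle_port_t:tcp_socket name_connect;
')

############################################################
## <summary>
##	Do not audit attempts to make a TCP connection to the snmp port.
## </summary>
## <desc>
##	<p>
##	Use this interface to prevent auditing attempts to make a TCP connection to the snmp port.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain not to audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_tcp_connect_snmp_port',`
	gen_require(`
		type snmp_port_t;
	')

	# silences the denial only; nothing is granted
	dontaudit $1 snmp_port_t:tcp_socket name_connect;
')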
policy_module(oracle,1.0.0)

########################################
#
# $Id: oracle.te 885 2007-04-30 17:42:45Z rm153 $
#
########################################
#
# Declarations
#

## <desc>
## <p>
## Allow oracle SNMP support.
## </p>
## </desc>
# Off by default: the listener only needs the snmp port when SNMP is used
gen_tunable(oracle_snmp_support,false)

########################################
#
# Policy
#

# Type for log files
# NOTE(review): the declaration this comment introduces (oracle_log_t) is not
# present in this excerpt, although oracle.fc and oracle_common_template
# require it - confirm it exists in the attachment

# Type for temporary files
# NOTE(review): likewise, no oracle_tmp_t declaration is visible here

# One domain per oracle program; server templates get the tmpfs, ldap and
# nsswitch rules, ui templates get pty and init rules
oracle_server_template(db)
oracle_server_template(tnslsnr)
oracle_ui_template(lsnrctl)
oracle_ui_template(sqlplus)

# Alias scripts (e.g., dbstart, dbshut) to sqlplus
typealias oracle_sqlplus_t alias oracle_script_t;
typealias oracle_sqlplus_exec_t alias oracle_script_exec_t;

# Type for database files
# NOTE(review): no oracle_dbfile_t declaration is visible here either

# Allow the oracle process to write to the db files
allow oracle_db_t oracle_dbfile_t:file { getattr read create_file_perms };
allow oracle_db_t oracle_dbfile_t:dir { create_dir_perms };

# Automatically transition to the correct domain
# sqlplus -> db and lsnrctl -> tnslsnr cover admins who bypass the init
# script; unconfined -> sqlplus/lsnrctl covers admins running the tools directly
# NOTE(review): unconfined_t is named here without a gen_require; if the
# module build reports it as not within scope, that is the cause. The
# refpolicy route would be the unconfined interface (unconfined_domtrans_to)
# inside optional_policy - confirm which refpolicy release is targeted
ifdef(`targeted_policy', `
	domain_auto_trans(oracle_sqlplus_t, oracle_db_exec_t, oracle_db_t)
	domain_auto_trans(oracle_lsnrctl_t, oracle_tnslsnr_exec_t, oracle_tnslsnr_t)
	domain_auto_trans(unconfined_t, oracle_sqlplus_exec_t, oracle_sqlplus_t)
	domain_auto_trans(unconfined_t, oracle_lsnrctl_exec_t, oracle_lsnrctl_t)
')

###
## networking
#

# define oracle ports
# NOTE(review): no oracle_port_t declaration is visible in this excerpt, yet
# the corenet_*_oracle_port interfaces and the semanage command below depend
# on it - confirm the attachment declares the type as a port type
#
# you cannot create ports in a policy module so use semanage instead
# - https://www.redhat.com/archives/fedora-selinux-list/2007-April/msg00078.html
# semanage port -a -t oracle_port_t -p tcp 1521

# allow sending and receiving on oracle ports
corenet_tcp_bind_oracle_port(oracle_tnslsnr_t)
corenet_tcp_sendrecv_oracle_port(oracle_tnslsnr_t)
corenet_tcp_connect_oracle_port(oracle_lsnrctl_t)
corenet_tcp_connect_oracle_port(oracle_tnslsnr_t)
corenet_tcp_connect_oracle_port(oracle_db_t)
corenet_tcp_bind_all_nodes(oracle_tnslsnr_t)
corenet_udp_bind_all_nodes(oracle_tnslsnr_t)
corenet_tcp_sendrecv_all_if(oracle_tnslsnr_t)
corenet_udp_sendrecv_all_if(oracle_tnslsnr_t)
corenet_tcp_sendrecv_all_nodes(oracle_tnslsnr_t)
corenet_udp_sendrecv_all_nodes(oracle_tnslsnr_t)
# NOTE(review): this lets the listener connect to any generic port, which is
# much broader than the per-port rules above - confirm which peer ports the
# listener really needs
corenet_tcp_connect_generic_port(oracle_tnslsnr_t)
corenet_udp_bind_lo_node(oracle_db_t)
corenet_udp_bind_lo_node(oracle_sqlplus_t)

###
## executables
#
corecmd_exec_bin(oracle_sqlplus_t)
corecmd_search_bin(oracle_lsnrctl_t)
corecmd_search_bin(oracle_db_t)

###
## devices
#
dev_read_rand(oracle_db_t)
dev_read_urand(oracle_db_t)
dev_rw_zero(oracle_db_t)

###
## Allow reading proc, system settings, and state
#
kernel_read_all_sysctls(oracle_sqlplus_t)
kernel_read_system_state(oracle_sqlplus_t)
kernel_read_all_sysctls(oracle_db_t)
kernel_read_system_state(oracle_db_t)
kernel_getattr_proc_files(oracle_db_t)
kernel_read_proc_symlinks(oracle_db_t)

###
## additional permissions
#

# Allow fifos
allow oracle_db_t self:fifo_file { rw_file_perms };

# Allow semaphores and shared memory
# Allow execing
# Allow tnslsnr to use lsnrctl fds
# Allow tnslsnr to execmem
# NOTE(review): the rules the four comments above introduce are not present
# in this excerpt; the execmem one is worth confirming in the attachment,
# since it relaxes the no-writable-executable-memory protection for the listener

# Allow oracle db to use sqlplus fds and to signal
allow oracle_db_t oracle_sqlplus_t:fd use;
allow oracle_db_t oracle_sqlplus_t:fifo_file { rw_file_perms };
allow oracle_db_t oracle_sqlplus_t:process sigchld;

# Allow lsnrctl to connect to tnslsnr via unix stream socket
allow oracle_lsnrctl_t oracle_tnslsnr_t:unix_stream_socket connectto;

# Allow sqlplus to get filesystem attributes
fs_getattr_all_fs(oracle_sqlplus_t)

# The listener probes the smux port (snmp_port_t) at startup to decide whether
# to enable SNMP. With the tunable off the probe is denied and the denial is
# not logged; with it on the listener may talk to the snmp port.
tunable_policy(`oracle_snmp_support',`
	corenet_tcp_connect_snmp_port(oracle_tnslsnr_t)
	corenet_tcp_sendrecv_snmp_port(oracle_tnslsnr_t)
',`
	corenet_dontaudit_tcp_connect_snmp_port(oracle_tnslsnr_t)
')

-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Tue 31 Jul 2007 - 16:42:15 EDT |