Description of problem:
Initially, I followed the oracle backup procedure located here: https://fedorahosted.org/spacewalk/wiki/SpacewalkBackup

I kept getting the following error:

  Backup of the database failed.
  flash recovery area is not enabled.

It turns out that selinux is denying sqlplus write access to the /tmp directory, where the backup shell script writes a temporary log file, according to /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh

Here are the avc denials in my audit.log

# I get a lot of these ptrace denials, though I'm not sure if it is
# related to the backup problem.
type=AVC msg=audit(1332420943.555:26316): avc: denied { ptrace } for pid=3311 comm="oracle" scontext=system_u:system_r:oracle_db_t:s0 tcontext=root:system_r:oracle_db_t:s0-s0:c0.c1023 tclass=process

type=AVC msg=audit(1332421381.606:26336): avc: denied { write } for pid=7522 comm="sqlplus" path="/tmp/rman_fra7512.log" dev=dm-0 ino=19365894 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=root:object_r:tmp_t:s0 tclass=file

type=AVC msg=audit(1332421381.614:26337): avc: denied { read } for pid=7523 comm="oracle" path=2F746D702F73682D7468642D31333332343334393739202864656C6574656429 dev=dm-0 ino=19365904 scontext=root:system_r:oracle_db_t:s0-s0:c0.c1023 tcontext=root:object_r:tmp_t:s0 tclass=file

I then use audit2allow to see what would fix the problem:

[root@spacewalk ~]# grep sqlplus /var/log/audit/audit.log | audit2allow -m spacewalksqlplus

module spacewalksqlplus 1.0;

require {
	type tmp_t;
	type oracle_sqlplus_t;
	class file write;
}

#============= oracle_sqlplus_t ==============
allow oracle_sqlplus_t tmp_t:file write;

[root@spacewalk ~]# grep oracle /var/log/audit/audit.log | audit2allow -m spacewalkoracle

module spacewalkoracle 1.0;

require {
	type tmp_t;
	type oracle_db_t;
	type oracle_sqlplus_t;
	class process ptrace;
	class file { read write };
}

#============= oracle_db_t ==============
allow oracle_db_t self:process ptrace;
allow oracle_db_t tmp_t:file read;

#============= oracle_sqlplus_t ==============
allow oracle_sqlplus_t tmp_t:file write;

I recently upgraded from 1.6 to 1.7. I am running CentOS 5.8 x86_64 with SELinux in enforcing mode. I followed the oracle installation steps on the trac website and I have the following oracle packages installed, which include the selinux policy packages:

[root@spacewalk ~]# rpm -qa oracle\*
oracle-xe-selinux-10.2.0.23-1.el5
oracle-instantclient11.2-sqlplus-11.2.0.2.0-1
oracle-instantclient11.2-basic-11.2.0.2.0-1
oracle-instantclient-sqlplus-selinux-11.2.0.1-1.el5
oracle-xe-univ-10.2.0.1-1.0
oracle-instantclient-selinux-11.2.0.1-1.el5
oracle-lib-compat-11.2.0.6-1.el5
oracle-nofcontext-selinux-0.1.23.32-1.el5

Version-Release number of selected component (if applicable):
oracle-xe-selinux-10.2.0.23-1.el5
oracle-instantclient-sqlplus-selinux-11.2.0.1-1.el5

How reproducible:
Always with SELinux enforcing.

Steps to Reproduce:
1. Follow the steps here (https://fedorahosted.org/spacewalk/wiki/SpacewalkBackup) for setting up the archive log in Oracle-XE for online backups.
2. Run the backup script located at /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh
3. Look in audit.log for denials

Actual results:
$ /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh
==================== ERROR =========================
Backup of the database failed
==================== ERROR =========================
flash recovery area is not enabled.
Log file is at /usr/lib/oracle/xe/oxe_backup_current.log.

Expected results:
$ /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh
Doing online backup of the database.
Backup of the database succeeded.
Log file is at /usr/lib/oracle/xe/oxe_backup_current.log.

Additional info:
I'm not sure what is causing the ptrace denials shown above, but it doesn't seem to be caused by running the backup.sh script.
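The audit2allow step in the report turns raw AVC records into allow rules mechanically, and it is worth seeing what that mechanics does and does not tell you. The script below is an added example written for this page; it is not the reporter's procedure, not audit2allow, and not the policy fix Spacewalk later shipped. It parses the three AVC records posted above (embedded as constructed input), decodes the hex-encoded path in the third record (the audit subsystem hex-encodes a path field when it contains characters such as spaces; this one decodes to a bash here-document temp file, /tmp/sh-thd-1332434979 (deleted)), aggregates the denials into the same allow rules audit2allow produced, and then flags the ones that grant access to a shared generic type. All function names, the module name and the SHARED_TYPES list are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed input: the three AVC records posted in the bug description, pasted verbatim.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1332420943.555:26316): avc: denied { ptrace } for pid=3311 comm="oracle" scontext=system_u:system_r:oracle_db_t:s0 tcontext=root:system_r:oracle_db_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1332421381.606:26336): avc: denied { write } for pid=7522 comm="sqlplus" path="/tmp/rman_fra7512.log" dev=dm-0 ino=19365894 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=root:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1332421381.614:26337): avc: denied { read } for pid=7523 comm="oracle" path=2F746D702F73682D7468642D31333332343334393739202864656C6574656429 dev=dm-0 ino=19365904 scontext=root:system_r:oracle_db_t:s0-s0:c0.c1023 tcontext=root:object_r:tmp_t:s0 tclass=file
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Shared, generically labelled types (hypothetical list): a rule granting a domain
# access to these covers every object with that label, not just the domain's own files.
SHARED_TYPES = {"tmp_t", "var_t", "etc_t", "usr_t"}


def selinux_type(context):
    """Extract the type from user:role:type[:range]."""
    return context.split(":")[2]


def decode_path(raw):
    """auditd quotes ordinary paths; a path containing special characters is written as unquoted hex."""
    if raw is None:
        return None
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_avc(log_text):
    """Return one dict per AVC denial with perms, source/target types, class and decoded path."""
    denials = []
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue
        m = PERMS_RE.search(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(line))
        denials.append({
            "perms": m.group(1).split(),
            "comm": fields.get("comm", "").strip('"'),
            "scontext": fields["scontext"],
            "tcontext": fields["tcontext"],
            "tclass": fields["tclass"],
            "path": decode_path(fields.get("path")),
        })
    return denials


def build_rules(denials):
    """Aggregate denials into {(source_type, target_type, class): set(perms)}, as audit2allow does."""
    rules = defaultdict(set)
    for d in denials:
        src, tgt = selinux_type(d["scontext"]), selinux_type(d["tcontext"])
        if src == tgt and d["tclass"] == "process":
            tgt = "self"  # a domain acting on its own processes is written as 'self'
        rules[(src, tgt, d["tclass"])].update(d["perms"])
    return dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, rules, version="1.0"):
    """Emit a loadable-module TE source in the layout audit2allow -m prints."""
    types = sorted({t for (s, tg, _) in rules for t in (s, tg) if t != "self"})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {fmt_perms(classes[cls])};" for cls in sorted(classes)]
    out += ["}", ""]
    out += [f"allow {s} {tg}:{cls} {fmt_perms(rules[(s, tg, cls)])};" for (s, tg, cls) in sorted(rules)]
    return "\n".join(out) + "\n"


def broad_rules(rules):
    """Rules whose target is a shared type: a policy smell, since e.g. 'allow oracle_sqlplus_t tmp_t:file write'
    lets sqlplus write every tmp_t file on the box, not only its own rman log."""
    return sorted(key for key in rules if key[1] in SHARED_TYPES)


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AUDIT_LOG)
    for d in denials:
        print(f"{d['comm']}: {' '.join(d['perms'])} on {d['tclass']} path={d['path']!r}")
    rules = build_rules(denials)
    print(render_module("spacewalkoracle", rules))
    for src, tgt, cls in broad_rules(rules):
        print(f"WARNING: {src} -> {tgt}:{cls} grants access to a shared type; prefer a private type")
```

The rules this produces are the same as the audit2allow output in the report, which is the point: audit2allow only restates the denial as a grant. The two tmp_t rules it flags are the ones a reviewer would push back on, because the narrower policy shape for a domain that needs scratch files in /tmp is a private type of its own and a file transition into it (in refpolicy terms, files_tmp_filetrans), so that the grant covers the domain's own files rather than every tmp_t-labelled file. The ptrace rule is a different question altogether: oracle_db_t tracing its own processes is not a /tmp labelling problem, which matches the reporter's observation that those denials are independent of backup.sh.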
** Update to Description ** I want to reword the actual and expected results so it states that even with the installed *-selinux packages, there are still selinux denials. The backup script failing to run successfully is not the main problem, but a manifestation of the underlying problem. Actual Results: Selinux denials for sqlplus and ptrace. Expected Results: No selinux denials for sqlplus and ptrace.
The ptrace AVC denial was addressed in Spacewalk master, d3ec414a58f5374f957963aa86656ca3449a81e1. I'm currently not able to reproduce the sqlplus denials (on RHEL 5.8), will investigate some more.
More fixes fixing the tmp_t issues went to Spacewalk master. Tagged as oracle-xe-selinux-10.2.0.24-1.
Moving ON_QA. Packages that address this bugzilla should now be available in yum repos at http://yum.spacewalkproject.org/nightly/
Spacewalk 1.8 has been released: https://fedorahosted.org/spacewalk/wiki/ReleaseNotes18