2.1 Using Security-Enhanced Linux

Oracle Exadata System Software release 21.2.0 introduces support for Security-Enhanced Linux (SELinux) in Oracle Exadata.

SELinux is a Linux kernel security module that provides a mechanism for supporting access control security policies, including Mandatory Access Control (MAC).

Commencing with Oracle Exadata System Software release 21.2.0, every Linux installation on Oracle Exadata is equipped with a predefined SELinux policy that implements granular permissions for Exadata users, programs, processes, files, and devices. Each server also contains the host_access_control utility (/opt/oracle.cellos/host_access_control), which provides simple management and monitoring functions for SELinux on Oracle Exadata.

By default, every storage server, physical database server, virtual machine (VM) host, or VM database server contains the predefined Exadata security policy. However, SELinux is disabled by default.

You can choose to enable SELinux in permissive mode or enforcing mode. In permissive mode, SELinux actively monitors the system and records policy violations in the audit logs. However, no actions are blocked in permissive mode. When enforcing mode is enabled, SELinux actively blocks policy violations and records interventions in the audit logs.

Note the following regarding SELinux on Oracle Exadata:

  • If you choose to enable SELinux, it is strongly recommended to initially use permissive mode for some time to ensure that the predefined Exadata security policy works in conjunction with all the applications and procedures at your site. Additionally, you should test SELinux in permissive mode on an equivalent test system before using permissive mode on a production system.

    While the system is in permissive mode, use standard SELinux commands, such as ausearch, to monitor policy violations. If thorough operation of the system in permissive mode yields no policy violations, you can transition to enforcing mode.

  • The source files for the predefined Exadata security policy are located in /opt/oracle.SupportTools/selinux. The file context definitions are contained in /opt/oracle.SupportTools/selinux/Exadata.fc and the type enforcement definitions are contained in /opt/oracle.SupportTools/selinux/Exadata.te. You can view these files to understand the Exadata security policy.

  • Modifying the predefined Exadata security policy is not supported, and any unsupported modifications are overwritten the next time you upgrade the Oracle Exadata System Software.

  • You can implement additional security policies at your discretion. For example, you can hand-craft additional policies using standard SELinux operating system commands or use the audit2allow command to generate a policy definition that addresses policy violations recorded in the audit logs.
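The permissive-mode review described above, as an added example that is not part of the Oracle documentation: a small shell script that groups the AVC denials a host records while permissive into the same source/target/class/permission tuples audit2allow would turn into allow rules, and reports whether the observed period is clean enough to move to enforcing. The audit records, the domain name example_app_t and the process name exampled are constructed for the example; on a real host the input would come from ausearch -m AVC.

```shell
#!/bin/sh
# Added example: review the AVC denials a host accumulates in permissive mode
# before moving to enforcing mode. Input is audit-log text as written by the
# kernel and shown by `ausearch -m AVC`; every record below is constructed
# for this example, with a made-up domain (example_app_t), not taken from an
# Exadata host. `permissive=1` marks a denial that was logged but not blocked.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=4242 comm="exampled" name="app.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=4242 comm="exampled" name="app.log" dev="dm-0" ino=1235 scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=4243 comm="exampled" name="app.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.104:204): avc:  granted  { setenforce } for  pid=77 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# Number of denied accesses in the records on stdin (granted AVCs are ignored).
count_denials() {
    grep -c -F 'avc:  denied' || true
}

# Group denials by source type, target type, object class and permission: the
# same tuple audit2allow turns into an allow rule, so each output line is one
# rule a site would have to justify before adding it to a local policy module.
denial_summary() {
    awk '/avc:  denied/ {
        perm = ""; s = ""; t = ""; c = ""
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { s = substr($i, 10) }
            else if ($i ~ /^tcontext=/) { t = substr($i, 10) }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        n[s " -> " t " " c " { " perm " }"]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

# Succeeds only when the observed period contains no denials at all, i.e. the
# state the text asks for before switching the host to enforcing mode.
ready_for_enforcing() {
    [ "$(count_denials)" -eq 0 ]
}

printf '%s\n' "$SAMPLE_AVC" | denial_summary
if printf '%s\n' "$SAMPLE_AVC" | ready_for_enforcing; then
    echo "no denials recorded: safe to move to enforcing mode"
else
    echo "denials recorded: review each rule above before enforcing"
fi
```

Each summary line is a candidate exception; a denial that reflects a real site requirement becomes a local policy module, while one that reflects a misconfiguration is fixed at the source rather than allowed.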

Use the following procedures to manage SELinux on Oracle Exadata:
