Hi Hans,
So far Oracle has always recommended disabling SELinux (which has already existed for
many years) for (all) Oracle installations, as far as I am aware.
Hence it does not surprise me it is by default disabled on (all) Engineered
systems, including Exadata.
I guess it should not be impossible to enable, but may still be a matter of
compatibility and support whether to ignore or agree to recommendations that
exist.
If there are any new developments or experiences in this area, I am just like
you, very interested in learning more.
Also I think anyhow db systems are rarely accessed from outside a company
directly, and thus the probability of an issue is slightly lower.
SE-Linux won't protect you from malicious co-workers - that have legitimate
access - that much, in my opinion.
Sensitive (GDPR) data is often inside ASM on larger systems, which SE-Linux
isn't much integrated with.
Oracle has some security stuff under the hood that allows auditing and
protection (enhanced security, label security, vault, TDE (encryption), ...)
to mitigate security issues on another level of your software stack.
However, I guess you have already considered the latter, and I understand your
question is limited to SE-Linux in particular?
Thanks for sharing your comments and considerations on my reply,
Kind regards
Leander
From: exabelux-bounce@xxxxxxxxxxxxx [mailto:exabelux-bounce@xxxxxxxxxxxxx] On
Behalf Of GELAUDE Hans (HGEL)
Sent: Wednesday, February 20, 2019 12:12
To: exabelux@xxxxxxxxxxxxx
Subject: [exabelux] Exadata and SELinux
Hello All,
With GDPR awareness, more and more customers have "deeper" knowledge of
security. And also "tougher" questions regarding security.
Why is SELinux not activated by default on Exadata?
Who has experience with SELinux (Security-Enhanced Linux) on Exadata?
Is it possible? How? What needs to be changed?
Is it advisable? Why? Why not?
I can find documents in MOS with bugs in mounting root and also in the working
of RAC, after enabling SELinux. But only for older Exadata systems and/or older
Oracle versions.
Is this still an issue for Exadata X6 and higher, and Oracle 18c and higher?
Kind regards
Hans