Vinicius DBA

Marcus Vinicius | Oracle ACE Pro ♠

Operating System

SELinux Blocking AHF/OSW from Writing Logs – How to Fix It

ByVinicius

Feb 10, 2025 #ahf, #denied, #marcus vinicius miguel pedro, #oracle ace, #oswatcher, #scontext, #selinux, #semodule, #viniciusdba

Hi everyone,

Hope you’re doing good.

I was working for a client and they complained about some errors they found on logs about AHF/OSWatcher and SELinux.

Here are the errors they found (output truncated to make reading easier):

type=AVC msg=audit(1726515744.9:642519): avc:  denied  { append } for  pid=1443468 comm="ip" path="/u01/app/grid/oracle.ahf/data/repository/suptools/dsloracpp01/oswbb/oracle/archive/oswifconfig/dsloracpp01_ifconfig_24.09.16.15000.dat" dev="dm-12" ino=410185890 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0

type=AVC msg=audit(1726515744.9:642519): avc:  denied  { append } for  pid=1443468 comm="ip" path="/u01/app/grid/oracle.ahf/data/repository/suptools/dsloracpp01/oswbb/oracle/run_1726252447.log" dev="dm-12" ino=13430405 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1726515744.9:642519): arch=x86_64 syscall=execve success=yes exit=0 a0=55b67c189980 a1=55b67c18ae10 a2=55b67c18bbd0 a3=1b6 items=0 ppid=1443450 pid=1443468 auid=4294967295 uid=500 gid=54321 euid=500 suid=500 fsuid=500 egid=54321 sgid=54321 fsgid=54321 tty=(none) ses=4294967295 comm="ip" exe=/usr/sbin/ip subj=system_u:system_r:ifconfig_t:s0 key=(null)

This means that SELinux is denying the access from OSWatcher on some files and also denying some commands from OSWatcher:

Files with access denied:

  • u01/app/grid/oracle.ahf/data/repository/suptools/dsloracpp01/oswbb/oracle/run_1726252447.log
  • /u01/app/grid/oracle.ahf/data/repository/suptools/dsloracpp01/oswbb/oracle/archive/oswifconfig/dsloracpp01_ifconfig_24.09.16.15000.dat

Command with access denied to append the logs:

  • ip

Breaking it Down:

  • avc: denied { append } → SELinux denied the append operation.
  • comm=”ip” → The command attempting the operation is ip (used for network configuration).
  • path=”/u01/app/grid/oracle.ahf/data/repository/…ifconfig_24.09.16.15000.dat”
    • The ip command is trying to append to this file inside the Oracle AHF directory.
  • scontext=system_u:system_r:ifconfig_t:s0
    • The source security context (ifconfig_t) is assigned to the ip command.
  • tcontext=system_u:object_r:default_t:s0
    • The target file’s context (default_t) suggests it might not have been labeled correctly.
  • tclass=file permissive=0
    • Since permissive=0, SELinux is enforcing this policy and actively blocking the operation.

The client asked us to fix the issue instead of disabling SELinux.

So, from the audit.log where we have the denials, we generated a SELinux module to allow this access:

cat /var/log/audit/audit.log | grep "denied" | audit2allow -M allow_ip_oracle

This command will create two files:

  • allow_ip_oracle.te: This is the policy source file.
  • allow_ip_oracle.pp: This is the compiled policy package.

Below I will show the content for the policy source file:

module allow_ip_oracle 1.0;

require {
	type ifconfig_t;
	type su_exec_t;
	type sysstat_t;
	type ping_t;
	type init_t;
	type dmesg_t;
	type default_t;
	class file { append execute read write };
}

#============= dmesg_t ==============
allow dmesg_t default_t:file write;

#============= ifconfig_t ==============
allow ifconfig_t default_t:file { append read write };

#============= init_t ==============
allow init_t su_exec_t:file { execute read };

#============= ping_t ==============
allow ping_t default_t:file write;

#============= sysstat_t ==============
allow sysstat_t default_t:file write;

You can save the source file for reference or future changes. As long you have the compiled policy package, you just need to install it:

semodule -i allow_ip_oracle.pp

You can confirm if the module has been installed:

semodule -l | grep allow_ip_oracle
allow_ip_oracle

If you only have the source and would like to compile it to install it, you will need to install the package selinux-policy-devel on Linux:

So, as root, perform the install for selinux-policy-devel package (output truncated to make it easy to read:):

dnf install -y selinux-policy-devel

Upgraded:
  selinux-policy-3.14.3-139.0.1.el8_10.1.noarch             selinux-policy-targeted-3.14.3-139.0.1.el8_10.1.noarch            
Installed:
  m4-1.4.18-7.el8.aarch64 policycoreutils-devel-2.9-26.0.1.el8_10.aarch64 selinux-policy-devel-3.14.3-139.0.1.el8_10.1.noarch

Complete!

Once you have the package installed on Linux, compile the module:

checkmodule -M -m -o allow_ip_oracle.mod allow_ip_oracle.te

This will compile the source (.te file) into a module file (.mod).

Then run this:

semodule_package -o allow_ip_oracle.pp -m allow_ip_oracle.mod

This will compile the module into a policy package (.pp) file, which will be used to install it as we explained before:

semodule -i allow_ip_oracle.pp

Hope it helps.

Peace!

Vinicius

By Vinicius

Related Post

Operating System

How to Customize the oracle-database-preinstall package?

Feb 3, 2025 Vinicius

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You missed

Database Performance

LogMiner Eating Up the CPU

April 14, 2025 Vinicius
Administration Clusterware

Two Clusters with Same Name. How to Fix It?

March 31, 2025 Vinicius
Administration Clusterware

ORA-32000 when Cluster is in Rolling Patch

March 24, 2025 Vinicius
Cloud Uncategorized

How to Retrieve Oracle DB System Details Using SQL?

March 20, 2025 Vinicius