Preventing homedir relabel of Oracle XE files

Daniel J Walsh dwalsh at redhat.com
Fri Sep 15 16:28:07 UTC 2006


Andrew Kroeger wrote:
> Greetings:
>
> I just updated to the latest FC5 policy (2.3.7-2), and saw all of the 
> files in my Oracle XE installation get relabeled to 
> user_u:object_r:user_home_t.  I was able to get Oracle XE installed 
> and running with SELinux enabled (details available at 
> http://forums.oracle.com/forums/message.jspa?messageID=1344572 -- 
> registration required), and that got hosed by the relabel.
>
> I initially thought something Oracle-specific had been added to the 
> new policy and caused the relabel.  After some searching, I discovered 
> entries in /etc/selinux/targeted/contexts/files/file_contexts.homedirs 
> (which is generated by genhomedircon) that had caused the relabel. 
> Further investigation showed that genhomedircon ignores "system" users 
> (UID < 500), but the Oracle RPM creates the "oracle" user as a 
> non-system user during the install.
What does the oracle user account look like?  Does it have a real login 
shell?  If you change the account to have a shell of /sbin/nologin, the 
labeling should work correctly.
>
> Is there any way to provide an exception to the "oracle" user for 
> future policy updates?  I was able to get things working again by 
> re-labeling the affected files, but I would like to avoid that step 
> for each policy update that comes out.  Also, if specific policies are 
> created for Oracle XE in the future, would those override the homedir 
> policies for the non-system "oracle" user, or would there be potential 
> conflicts that would need to be resolved in that case?
>
> I appreciate any assistance that can be provided in this matter.
>
> Thanks,
> Andrew Kroeger
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
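
Added example (not part of the original messages and not genhomedircon's own code): a simplified Python model of the two selection criteria mentioned in this thread, a UID below 500 and a shell of /sbin/nologin, to show which accounts would be treated as regular users whose home directories get the homedir labels. The passwd entries, account names, paths and function names are constructed assumptions.

```python
import sys

STARTING_UID = 500                  # threshold named in the thread: UID < 500 is skipped
NOLOGIN_SHELLS = {"/sbin/nologin"}  # shell suggested in the reply

# Constructed sample passwd entries (not taken from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
oracle:x:501:501::/usr/lib/oracle/xe:/bin/bash
"""


def parse_passwd(text):
    """Yield (name, uid, home, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry, skip rather than guess
        name, _pw, uid, _gid, _gecos, home, shell = fields
        if not uid.isdigit():
            continue
        yield name, int(uid), home, shell


def homedir_labeled_accounts(passwd_text, starting_uid=STARTING_UID):
    """Return [(name, home)] for accounts this model treats as regular users."""
    hits = []
    for name, uid, home, shell in parse_passwd(passwd_text):
        if uid < starting_uid:        # "system" user, ignored
            continue
        if shell in NOLOGIN_SHELLS:   # no real login shell, ignored
            continue
        hits.append((name, home))
    return hits


if __name__ == "__main__":
    # Pass a passwd file path to audit a real system; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for name, home in homedir_labeled_accounts(text):
        print(f"{name}: {home} would be labeled as a user home directory")
```

With the sample data the oracle account is reported alongside alice; changing its shell to /sbin/nologin drops it from the list.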