Kevin Kempf's Blog

October 10, 2011

SELinux & RedHat Reboots

Filed under: Uncategorized — kkempf @ 8:15 am

PC Load letter

So I’m working a maintenance window yesterday which required a reboot of a RHEL5 production server which houses 4 non-11i Oracle databases.  It had been nearly a year since the last reboot (!) and I badly needed a kernel update.  After the reboot, I go to start the listener on my Kronos (timekeeping) database, and I get this:

$ lsnrctl start KRONOS 
lsnrctl: error while loading shared libraries: /u01/kronos/kronosdb/11.1.0/lib/libnnz11.so: cannot restore segment prot after reloc: Permission denied

I have to confess, I’ve actually hit this before, but it had been a long time (at least a year) and I had to knock the cobwebs free to remember the solution. In short, SELinux doesn’t allow this shared library to be accessed, and this will stop your listener, sqlplus, webcache, or other executable from starting. The quick fix is rather simple: turn off SELinux enforcement as follows (setenforce 0 puts SELinux in permissive mode until the next reboot):

 
# su - 
# getenforce 
Enforcing 
# setenforce 0 
# exit 
$ lsnrctl start KRONOS 
LSNRCTL for Linux: Version 11.1.0.7.0 - Production on 09-OCT-2011 10:23:19
Copyright (c) 1991, 2008, Oracle. All rights reserved.
Starting /u01/kronos/kronosdb/11.1.0/bin/tnslsnr: please wait... 
...
The command completed successfully

The better answer?

If you check Doc ID 454196.1, you will see that Oracle has a few solutions for it, as even they recognize that disabling SELinux is bad policy. First, it appears there is a patch for RDBMS 11.2.0.1 (9215184) and that the issue is resolved in 11.2.0.2. For those of us who don’t consider an RDBMS upgrade a solution, apparently Red Hat has a bug filed for this. It makes interesting reading: Oracle built their shared library wrong, and Red Hat essentially had to create a new SELinux rule for it in RHEL5.5:

Fixed in selinux-policy-2.4.6-256.el5
I believe this has missed RHEL5.4, so it will be in RHEL5.5

Note that this seems a little suspect, as I checked my release and it would appear to be fine:
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.7 (Tikanga)
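
As an added example (not from the original post, Oracle or Red Hat), the script below compares a policy build against the selinux-policy-2.4.6-256.el5 fix quoted above and pulls the denied library out of the audit log so it can be relabelled on its own instead of turning enforcement off. The execmod AVC, the textrel_shlib_t type, the function names and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose the denial
# instead of switching enforcement off with `setenforce 0`.

FIXED_RELEASE=256  # release of selinux-policy-2.4.6-256.el5, quoted in the post

# policy_has_fix NVR: succeed if a 2.4.6 policy build is at or past the fix.
# Returns 2 for anything that is not a selinux-policy-2.4.6-* string.
policy_has_fix() {
    case "$1" in selinux-policy-2.4.6-*) ;; *) return 2 ;; esac
    rel=${1#selinux-policy-2.4.6-}   # "316.el5"
    rel=${rel%%.*}                   # "316"
    case "$rel" in ''|*[!0-9]*) return 2 ;; esac
    [ "$rel" -ge "$FIXED_RELEASE" ]
}

# execmod_denied_paths: audit.log text on stdin -> distinct file paths that
# were denied execmod (assumed AVC behind "cannot restore segment prot").
execmod_denied_paths() {
    grep 'avc: *denied *{[^}]* execmod [^}]*}' |
        sed -n 's/.* path="\([^"]*\)".*/\1/p' | sort -u
}

# suggest_relabel: paths on stdin -> one per-file relabel command each.
# textrel_shlib_t is the common workaround type, an assumption here.
suggest_relabel() {
    while IFS= read -r p; do
        printf "chcon -t textrel_shlib_t '%s'\n" "$p"
    done
}

# Constructed sample input; on a real host use `rpm -q selinux-policy`
# and /var/log/audit/audit.log instead.
SAMPLE_NVR='selinux-policy-2.4.6-255.el5'
SAMPLE_AUDIT='type=AVC msg=audit(1318170199.101:71): avc:  denied  { execmod } for  pid=4312 comm="lsnrctl" path="/u01/kronos/kronosdb/11.1.0/lib/libnnz11.so" dev=dm-2 ino=918273 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1318170201.440:72): avc:  denied  { read } for  pid=4400 comm="cat" path="/tmp/x" dev=dm-2 ino=11 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file'

if policy_has_fix "$SAMPLE_NVR"; then
    echo "policy build already contains the fix"
else
    echo "policy build predates the fix (or is unrecognised); affected files:"
    printf '%s\n' "$SAMPLE_AUDIT" | execmod_denied_paths | suggest_relabel
fi
```

The relabel commands are only printed, so they can be reviewed before anything on the host changes.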
