<div dir="ltr"><b><i>The issue is resolved</i></b>. It turned out that the labeling of the files related to Java (both OpenJDK and Oracle Java) was not correct on my Red Hat 6 system.<div>When I upgraded from Red Hat 6 to Red Hat 7 it started working fine, i.e. </div><div><i>sandbox java -version </i>worked perfectly with no problems.</div><div><br></div><div>On my Red Hat 7 system the .so and other Java-related files are labeled as one of the following:</div><div><i>system_u:object_r:textrel_shlib_t:s0</i><br></div><div><i>system_u:object_r:lib_t:s0<br></i></div><div><br></div><div>On my earlier machine, i.e. Red Hat 6, all files were marked as something different and hence I was getting the issue.</div><div><br></div><div>Thanks</div><div>Bhuvan</div><div><br></div><div><br></div><div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Dec 29, 2014 at 11:28 PM, Bhuvan Gupta <span dir="ltr"><<a href="mailto:bhuvangu@gmail.com" target="_blank">bhuvangu@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello Philip,<div><br></div><div>Yep, you are right. Restarting the audit <span style="font-size:13px">daemon</span><span style="font-size:13px"> worked and it started giving errors.</span></div><div>I will analyze the logs and do some more test cycles and then post all my findings here.</div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Dec 29, 2014 at 4:42 AM, Philip Seeley <span dir="ltr"><<a href="mailto:pseeley@au1.ibm.com" target="_blank">pseeley@au1.ibm.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Gupta,<br>
<br>
Did you restart the audit daemon after clearing the logs? Just deleting the<br>
logs might have resulted in auditd continuing to write to the log you'd<br>
unlinked from its directory.<br>
<br>
Hope that helps...<br>
<br>
Phil<br>
<br>
<br>
<br>
<br>
From: Bhuvan Gupta <<a href="mailto:bhuvangu@gmail.com" target="_blank">bhuvangu@gmail.com</a>><br>
To: <a href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a><br>
Date: 29/12/2014 04:41<br>
Subject: Re: Problem running "selinux sandbox" with java<br>
Sent by: <a href="mailto:selinux-bounces@lists.fedoraproject.org" target="_blank">selinux-bounces@lists.fedoraproject.org</a><br>
<div><div><br>
<br>
<br>
Sorry for the typo:<br>
[1] cleared all the /var/log/audit/* and ran the same command, which gave a<br>
memory error, and no logs were generated, i.e. empty directory.<br>
<br>
On Sun, Dec 28, 2014 at 11:07 PM, Bhuvan Gupta <<a href="mailto:bhuvangu@gmail.com" target="_blank">bhuvangu@gmail.com</a>> wrote:<br>
Hello William,<br>
My current selinux settings are:<br>
SELINUX=enforcing<br>
SELINUXTYPE=targeted<br>
<br>
[1] cleared all the /var/log/audit/* and ran the same command which give<br>
memory error and all logs were generated i.e empty directory.<br>
<br>
[2] installed openjdk using "yum install java-1.7.0-openjdk-devel" and<br>
ran the same command but using the openjdk java, and it threw the same<br>
memory error<br>
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory<br>
(0x00007fdabd000000, 2555904, 1) failed; error='Permission<br>
denied' (errno=13)<br>
#<br>
# There is insufficient memory for the Java Runtime Environment to<br>
continue.<br>
# Native memory allocation (malloc) failed to allocate 2555904 bytes for<br>
committing reserved memory.<br>
<br>
<br>
<br>
<br>
On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi <<br>
<a href="mailto:william.muriithi@gmail.com" target="_blank">william.muriithi@gmail.com</a>> wrote:<br>
<br>
Gupta,<br>
<br>
You should share your selinux logs. They are under /var/log/audit<br>
directory. Trigger the problem again and share the last couple of<br>
hundred lines.<br>
<br>
Before that though, find the directory openjdk installed and install sun<br>
java there. Don't think using root home directory is a good idea and<br>
selinux may be whining because of that. Or just install<br>
in /usr/local/bin<br>
<br>
William<br>
<br>
<br>
Hello all,<br>
Greetings and happy new year to all.<br>
I am trying to sandbox a Java application using the SELinux sandbox.<br>
System details: Redhat 6 | x86_64 | no X server installed | jdk7 from<br>
oracle tar.gz version | cgred and cgconfig are stopped<br>
The cmd (run as root)<br>
sandbox /root/jdk/bin/java -version<br>
above cmd failed with<br>
/root/jdk/bin/java: error while loading shared libraries:<br>
libjli.so: cannot open shared object file: No such file or directory<br>
<br>
Digging revealed that "libjli.so" is an RPATH shared library, so I thought,<br>
OK, since sandbox is copying my bin/java to /tmp/sandbox_random, therefore<br>
a hardcoded path will not be found.<br>
Then I changed the RPATH using the "chrpath" utility, setting it to a<br>
hardcoded value,<br>
but it still showed the same error.<br>
<br>
Then I used the -M -i options of sandbox and ran the following command (I<br>
included all the .so files it complained about):<br>
sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so<br>
-i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg<br>
-i /root/jdk/jre/lib/amd64/server/libjvm.so -i<br>
/root/jdk/jre/lib/amd64/libverify.so<br>
-i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java -version<br>
<br>
Following command resulted in this error:<br>
Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory<br>
(0x00007fb039000000, 2555904, 1) failed; error='Permission<br>
denied' (errno=13)<br>
#<br>
# There is insufficient memory for the Java Runtime Environment to<br>
continue.<br>
# Native memory allocation (malloc) failed to allocate 2555904 bytes for<br>
committing reserved memory.<br>
# An error report file with more information is saved as:<br>
# /root/hs_err_pid1270.log<br>
<br>
Now I used strace to see what happened, and strace printed (small<br>
section):<br>
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|<br>
SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268<br>
close(4) = 0<br>
read(3, "", 1048576) = 0<br>
close(3) = 0<br>
wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO:<br>
os::commit_memory(0x00007f4579000000, 2555904, 1) failed;<br>
error='Permission denied' (errno=13)<br>
<br>
I have enough space for sure<br>
<br>
Can you guys please indicate what might be wrong?<br>
<br>
<br>
<br>
</div></div>--<br>
selinux mailing list<br>
<a href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
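The resolution at the top of this thread was a file-labeling mismatch, so the following added example (not code from any poster in the thread) audits a JDK tree's SELinux types against the two types reported on the working Red Hat 7 system. Treating those two types as the full allow-list, the function names, and the sample listing with its admin_home_t label are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Flags JDK files whose SELinux type is
# not one of the two types the thread reports on the working RHEL 7 system.
# Assumption: those two types are treated as the complete allow-list.
EXPECTED_TYPES="textrel_shlib_t lib_t"

# Extract the type (third colon-separated field) from a context such as
# system_u:object_r:lib_t:s0
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "path context" lines on stdin; print "path type" for each mismatch.
# Return status is 1 if anything was flagged, 0 otherwise.
# Limitation: paths containing whitespace are not handled.
audit_labels() {
    flagged=0
    while read -r path context; do
        [ -n "$path" ] || continue
        ctype=$(selinux_type "$context")
        case " $EXPECTED_TYPES " in
            *" $ctype "*) ;;
            *) printf '%s %s\n' "$path" "$ctype"; flagged=1 ;;
        esac
    done
    return "$flagged"
}

# Constructed sample input in the "path context" shape that
#   find /root/jdk -name '*.so' -exec stat -c '%n %C' {} +
# prints on an SELinux-enabled host. The admin_home_t label is an assumed
# example of a wrong label; the thread does not say what RHEL 6 showed.
sample_listing() {
    cat <<'EOF'
/root/jdk/jre/lib/amd64/server/libjvm.so system_u:object_r:textrel_shlib_t:s0
/root/jdk/jre/lib/amd64/libzip.so system_u:object_r:lib_t:s0
/root/jdk/lib/amd64/jli/libjli.so unconfined_u:object_r:admin_home_t:s0
EOF
}

sample_listing | audit_labels || echo "label mismatches found" >&2
```

On a live host, pipe the `find ... stat` command shown in the comment into `audit_labels` instead of the sample listing.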