Problem running "selinux sandbox" with java

Bhuvan Gupta bhuvangu at gmail.com
Sun Dec 28 12:14:13 UTC 2014


Hello all,
Greetings and happy new year to all.
I am trying to sandbox a Java application using the SELinux sandbox.
System details: Red Hat 6 | x86_64 | no X server installed | jdk7 from Oracle
tar.gz version | cgred and cgconfig are stopped
The command (run as root):
    sandbox /root/jdk/bin/java -version
The above command failed with:
    /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

Digging revealed that "libjli.so" is an RPATH shared library, so I thought: OK,
since sandbox is copying my bin/java to /tmp/sandbox_random, a
hardcoded path will not be found.
Then I changed the RPATH to a hardcoded value using the "chrpath" utility,
but it still showed the same error.

Then I used the -M and -i options of sandbox and ran the following command (I
included all the .so files it complained about):

    sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java -version

The above command resulted in this error:
    Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13)
    #
    # There is insufficient memory for the Java Runtime Environment to continue.
    # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
    # An error report file with more information is saved as:
    # /root/hs_err_pid1270.log

Next I used strace to see what happened, and strace printed (small
section):
    clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268
    close(4)                                = 0
    read(3, "", 1048576)                    = 0
    close(3)                                = 0
    wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)

I have enough space for sure.

Can you guys please indicate what might be wrong?