Problem running "selinux sandbox" with java

Bhuvan Gupta bhuvangu at gmail.com
Sun Dec 28 17:41:05 UTC 2014


sorry for the typo:

[1]  cleared all the /var/log/audit/* and ran the same command, which gives
memory error, and no logs were generated, i.e. empty directory.


On Sun, Dec 28, 2014 at 11:07 PM, Bhuvan Gupta <bhuvangu at gmail.com> wrote:

> Hello William,
> My current selinux settings are:
> SELINUX=enforcing
> SELINUXTYPE=targeted
>
> [1]  cleared all the /var/log/audit/* and ran the same command, which gives
> memory error, and all logs were generated, i.e. empty directory.
>
> [2]  installed openjdk using "yum install java-1.7.0-openjdk-devel"  and
> ran the same command but using the openjdk java, and it threw the same
> memory error
> *OpenJDK 64-Bit Server VM warning: INFO:
> os::commit_memory(0x00007fdabd000000, 2555904, 1) failed; error='Permission
> denied' (errno=13)*
> *#*
> *# There is insufficient memory for the Java Runtime Environment to
> continue.*
> *# Native memory allocation (malloc) failed to allocate 2555904 bytes for
> committing reserved memory.*
>
>
>
>
> On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi <
> william.muriithi at gmail.com> wrote:
>
>> Gupta,
>>
>> You should share your selinux logs. They are under /var/log/audit
>> directory. Trigger the problem again and share the last couple of hundred
>> lines.
>>
>> Before that though, find the directory openjdk installed and install sun
>> java there. Don't think using root home directory is a good idea and
>> selinux may be whining because of that. Or just install in /usr/local/bin
>>
>> William
>>>>
>> Hello all,
>> Greetings and happy new year to all.
>> I am trying to sandbox a java application using selinux sandbox.
>> System details: Redhat 6 | x86_64 | no x server installed | jdk7 from
>> oracle tar.gz version | cgred and cgconfig are stopped
>> The cmd (run as root)
>>          sandbox /root/jdk/bin/java -version
>> above cmd failed with
>>          /root/jdk/bin/java: error while loading shared libraries:
>> libjli.so: cannot open shared object file: No such file or directory
>>
>> Digging revealed that "libjli.so" is an RPATH shared library. So I thought
>> ok, since sandbox is copying my bin/java to /tmp/sandbox_random therefore a
>> hardcoded path will not be found.
>> Then I changed the RPATH using the "chrpath" utility and changed it to a
>> hardcoded value.
>> But still it showed the same error.
>>
>> Then I used the -M -i option of sandbox and ran the following command (I
>> included all the .so files it complained about):
>>       sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i
>> /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i
>> /root/jdk/jre/lib/amd64/server/libjvm.so -i
>>  /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so
>> /root/jdk/bin/java  -version
>>
>> Following command resulted in this error:
>> Java HotSpot(TM) 64-Bit Server VM warning: INFO:
>> os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission
>> denied' (errno=13)
>> #
>> # There is insufficient memory for the Java Runtime Environment to
>> continue.
>> # Native memory allocation (malloc) failed to allocate 2555904 bytes for
>> committing reserved memory.
>> # An error report file with more information is saved as:
>> # /root/hs_err_pid1270.log
>>
>> Now I used strace to see what happened and strace printed (small
>> section)
>> clone(child_stack=0,
>> flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
>> child_tidptr=0x7fb15b6359d0) = 8268
>> close(4)                                = 0
>> read(3, "", 1048576)                    = 0
>> close(3)                                = 0
>> wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO:
>> os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission
>> denied' (errno=13)
>>
>> I have enough space for sure
>>
>> Can you guys please indicate what might be wrong?
>>
>>
>