Problem running "selinux sandbox" with java

Bhuvan Gupta bhuvangu at gmail.com
Sun Dec 28 17:48:47 UTC 2014


Also I tried
    sandbox java -version

Here java is from openjdk

It throws the same memory error (below is the result of running the above
command).

OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fbb74246000, 2555904, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
# Can not save log file, dump to screen..
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
# Possible reasons:
#   The system is out of physical RAM or swap space
#   In 32 bit mode, the process size limit was hit
# Possible solutions:
#   Reduce memory load on the system
#   Increase physical memory or swap space
#   Check if swap backing store is full
#   Use 64 bit Java on a 64 bit OS
#   Decrease Java heap size (-Xmx/-Xms)
#   Decrease number of Java threads
#   Decrease Java thread stack sizes (-Xss)
#   Set larger code cache with -XX:ReservedCodeCacheSize=
# This output file may be truncated or incomplete.
#
#  Out of Memory Error (os_linux.cpp:2798), pid=2248, tid=140443161286400
#
# JRE version:  (7.0_71-b14) (build )
# Java VM: OpenJDK 64-Bit Server VM (24.65-b04 mixed mode linux-amd64 compressed oops)
# Derivative: IcedTea 2.5.3
# Distribution: Built on Red Hat Enterprise Linux Server release 6.6 (Santiago) (Mon Dec 15 09:26:58 EST 2014)
# Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#


On Sun, Dec 28, 2014 at 11:11 PM, Bhuvan Gupta <bhuvangu at gmail.com> wrote:

> sorry for the typo:
>
> [1]  cleared all the /var/log/audit/* and ran the same command, which gives
> a memory error, and no logs were generated, i.e. empty directory.
>
>
> On Sun, Dec 28, 2014 at 11:07 PM, Bhuvan Gupta <bhuvangu at gmail.com> wrote:
>
>> Hello William,
>> My current selinux settings are:
>> SELINUX=enforcing
>> SELINUXTYPE=targeted
>>
>> [1]  cleared all the /var/log/audit/* and ran the same command, which
>> gives a memory error, and all logs were generated, i.e. empty directory.
>>
>> [2]  installed openjdk using "yum install java-1.7.0-openjdk-devel" and
>> ran the same command but using the openjdk java, and it throws the same
>> memory error
>> OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fdabd000000, 2555904, 1) failed; error='Permission denied' (errno=13)
>> #
>> # There is insufficient memory for the Java Runtime Environment to continue.
>> # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
>>
>>
>>
>>
>> On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi <
>> william.muriithi at gmail.com> wrote:
>>
>>> Gupta,
>>>
>>> You should share your selinux logs. They are under /var/log/audit
>>> directory. Trigger the problem again and share the last couple of hundred
>>> lines.
>>>
>>> Before that though, find the directory openjdk installed and install sun
>>> java there. Don't think using root home directory is a good idea and
>>> selinux may be whining because of that. Or just install in /usr/local/bin
>>>
>>> William
>>>>>>
>>> Hello all,
>>> Greetings and happy new year to all.
>>> I am trying to sandbox a java application using selinux sandbox.
>>> System details: Redhat 6 | x86_64 | no x server install | jdk7 from
>>> oracle tar.gz version | cgred and cgconfig are stopped
>>> The cmd (run as root)
>>>          sandbox /root/jdk/bin/java -version
>>> The above cmd failed with
>>>          /root/jdk/bin/java: error while loading shared libraries:
>>> libjli.so: cannot open shared object file: No such file or directory
>>>
>>> Digging revealed that "libjli.so" is an RPATH shared library. So I thought,
>>> OK, since sandbox is copying my bin/java to /tmp/sandbox_random, a
>>> hardcoded path will not be found.
>>> Then I changed the RPATH using the "chrpath" utility, setting it to a
>>> hardcoded value.
>>> But it still showed the same error.
>>>
>>> Then I used the -M -i options of sandbox and ran the following command (I
>>> included all the .so files it complained about):
>>>       sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i
>>> /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i
>>> /root/jdk/jre/lib/amd64/server/libjvm.so -i
>>>  /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so
>>> /root/jdk/bin/java  -version
>>>
>>> Following command resulted in this error:
>>> Java HotSpot(TM) 64-Bit Server VM warning: INFO:
>>> os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission
>>> denied' (errno=13)
>>> #
>>> # There is insufficient memory for the Java Runtime Environment to
>>> continue.
>>> # Native memory allocation (malloc) failed to allocate 2555904 bytes for
>>> committing reserved memory.
>>> # An error report file with more information is saved as:
>>> # /root/hs_err_pid1270.log
>>>
>>> Now I used strace to see what happened, and strace printed (small
>>> section):
>>> clone(child_stack=0,
>>> flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
>>> child_tidptr=0x7fb15b6359d0) = 8268
>>> close(4)                                = 0
>>> read(3, "", 1048576)                    = 0
>>> close(3)                                = 0
>>> wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO:
>>> os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission
>>> denied' (errno=13)
>>>
>>> I have enough space for sure
>>>
>>> Can you guys please indicate what might be wrong?
>>>
>>>
>>
>