Problem running "selinux sandbox" with java

Philip Seeley pseeley at au1.ibm.com
Sun Dec 28 23:12:31 UTC 2014


Hi Gupta,

Did you restart the audit daemon after clearing the logs? Just deleting the
logs might have resulted in auditd continuing to write to the log you'd
unlinked from its directory.

Hope that helps...

Phil
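
The effect Phil describes can be reproduced without touching auditd. The following is an added example, not part of the original thread: file descriptor 9 of the shell stands in for the daemon's open log handle, and a temporary directory stands in for /var/log/audit (both are assumptions of the demo, and it relies on Linux /proc).

```sh
#!/bin/sh
# Constructed demo. fd 9 of this shell plays the role of a daemon's open log
# handle; $dir is a temporary stand-in for /var/log/audit. Requires Linux /proc.

unlinked_log_demo() {
    dir=$(mktemp -d) || return 1
    log="$dir/audit.log"

    exec 9>>"$log"                         # "daemon" opens its log once at start
    echo "type=AVC msg=before-clear" >&9   # constructed sample record

    rm -f "$dir"/*                         # admin clears the directory; fd 9 stays open

    echo "type=AVC msg=after-clear" >&9    # write succeeds, but into an unlinked inode
    entries=$(ls -A "$dir" | wc -l | tr -d ' ')       # what the admin sees
    target=$(readlink /proc/self/fd/9)                # kernel appends " (deleted)"
    hidden=$(wc -l < /proc/self/fd/9 | tr -d ' ')     # records still in the inode

    exec 9>&-                              # "restart": drop the stale handle...
    exec 9>>"$log"                         # ...and reopen by path, creating a new file
    echo "type=AVC msg=after-restart" >&9
    exec 9>&-
    visible=$(wc -l < "$log" | tr -d ' ')

    rm -rf "$dir"
    case $target in
        *"(deleted)") state=deleted ;;
        *)            state=linked ;;
    esac
    echo "entries_after_clear=$entries fd_target=$state hidden_records=$hidden visible_after_restart=$visible"
}

unlinked_log_demo
```

On a live host the equivalent check is `ls -l /proc/$(pidof auditd)/fd`, where a log path followed by `(deleted)` indicates this condition.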




From:	Bhuvan Gupta <bhuvangu at gmail.com>
To:	selinux at lists.fedoraproject.org
Date:	29/12/2014 04:41
Subject:	Re: Problem running "selinux sandbox" with java
Sent by:	selinux-bounces at lists.fedoraproject.org



Sorry for the typo:
[1]  cleared all the /var/log/audit/* and ran the same command, which gives
a memory error, and no logs were generated, i.e. empty directory.

On Sun, Dec 28, 2014 at 11:07 PM, Bhuvan Gupta <bhuvangu at gmail.com> wrote:
  Hello William,
  My current selinux settings are:
  SELINUX=enforcing
  SELINUXTYPE=targeted

  [1]  cleared all the /var/log/audit/* and ran the same command, which gives
  a memory error, and all logs were generated, i.e. empty directory.

  [2]  installed openjdk using "yum install java-1.7.0-openjdk-devel" and
  ran the same command but using the openjdk java, and it threw the same
  memory error:
  OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory
  (0x00007fdabd000000, 2555904, 1) failed; error='Permission
  denied' (errno=13)
  #
  # There is insufficient memory for the Java Runtime Environment to
  continue.
  # Native memory allocation (malloc) failed to allocate 2555904 bytes for
  committing reserved memory.




  On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi <
  william.muriithi at gmail.com> wrote:

   Gupta,

   You should share your selinux logs. They are under /var/log/audit
   directory. Trigger the problem again and share the last couple of
   hundred lines.

   Before that though, find the directory openjdk installed and install sun
   java there. Don't think using root home directory is a good idea and
   selinux may be whining because of that. Or just install
   in /usr/local/bin

   William

   Hello all,
   Greetings and happy new year to all.
   I am trying to sandbox a Java application using the SELinux sandbox.
   System details: Redhat 6 | x86_64 | no X server installed | jdk7 from
   oracle tar.gz version | cgred and cgconfig are stopped
   The cmd (run as root):
            sandbox /root/jdk/bin/java -version
   above cmd failed with
            /root/jdk/bin/java: error while loading shared libraries:
   libjli.so: cannot open shared object file: No such file or directory

   Digging revealed that "libjli.so" is an RPATH shared library, so I thought:
   OK, since sandbox is copying my bin/java to /tmp/sandbox_random, a
   hardcoded path will not be found.
   Then I changed the RPATH using the "chrpath" utility and changed it to a
   hardcoded value.
   But it still showed the same error.

   Then I used the -M -i options of sandbox and ran the following command (I
   included all the .so files it complained about):
         sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so
   -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg
   -i /root/jdk/jre/lib/amd64/server/libjvm.so -i
   /root/jdk/jre/lib/amd64/libverify.so
   -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java  -version

   Following command resulted in this error:
   Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory
   (0x00007fb039000000, 2555904, 1) failed; error='Permission
   denied' (errno=13)
   #
   # There is insufficient memory for the Java Runtime Environment to
   continue.
   # Native memory allocation (malloc) failed to allocate 2555904 bytes for
   committing reserved memory.
   # An error report file with more information is saved as:
   # /root/hs_err_pid1270.log

   Now I used strace to see what happened, and strace printed (small
   section):
   clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|
   SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268
   close(4)                                = 0
   read(3, "", 1048576)                    = 0
   close(3)                                = 0
   wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO:
   os::commit_memory(0x00007f4579000000, 2555904, 1) failed;
   error='Permission denied' (errno=13)

   I have enough space for sure.

   Can you guys please indicate what might be wrong?


--
selinux mailing list
selinux at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

