Problem running "selinux sandbox" with java

Bhuvan Gupta bhuvangu at gmail.com
Mon Dec 29 17:58:17 UTC 2014


Hello Philip,

Yep, you are right. Restarting the audit daemon worked and it started giving
errors.
I will analyze the logs and do some more test cycles and then post all my
findings here.


On Mon, Dec 29, 2014 at 4:42 AM, Philip Seeley <pseeley at au1.ibm.com> wrote:

> Hi Gupta,
>
> Did you restart the audit daemon after clearing the logs? Just deleting the
> logs might have resulted in auditd continuing to write to the log you'd
> unlinked from its directory.
>
> Hope that helps...
>
> Phil
>
>
>
>
> From:   Bhuvan Gupta <bhuvangu at gmail.com>
> To:     selinux at lists.fedoraproject.org
> Date:   29/12/2014 04:41
> Subject:        Re: Problem running "selinux sandbox" with java
> Sent by:        selinux-bounces at lists.fedoraproject.org
>
>
>
> Sorry for the typo:
> [1]  Cleared all the /var/log/audit/* and ran the same command, which gives
> a memory error, and no logs were generated, i.e. empty directory.
>
> On Sun, Dec 28, 2014 at 11:07 PM, Bhuvan Gupta <bhuvangu at gmail.com> wrote:
>   Hello William,
>   My current selinux settings are:
>   SELINUX=enforcing
>   SELINUXTYPE=targeted
>
>   [1]  Cleared all the /var/log/audit/* and ran the same command, which gives
>   a memory error, and all logs were generated, i.e. empty directory.
>
>   [2]  Installed openjdk using "yum install java-1.7.0-openjdk-devel" and
>   ran the same command but using the openjdk java, and it threw the same
>   memory error:
>   OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory
>   (0x00007fdabd000000, 2555904, 1) failed; error='Permission
>   denied' (errno=13)
>   #
>   # There is insufficient memory for the Java Runtime Environment to
>   continue.
>   # Native memory allocation (malloc) failed to allocate 2555904 bytes for
>   committing reserved memory.
>
>
>
>
>   On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi <
>   william.muriithi at gmail.com> wrote:
>
>    Gupta,
>
>    You should share your selinux logs. They are under /var/log/audit
>    directory. Trigger the problem again and share the last couple of
>    hundred lines.
>
>    Before that though, find the directory openjdk installed and install sun
>    java there. Don't think using root home directory is a good idea and
>    selinux may be whining because of that. Or just install
>    in /usr/local/bin
>
>    William
>>
>    Hello all,
>    Greetings and happy new year to all.
>    I am trying to sandbox a Java application using selinux sandbox.
>    System details: Redhat 6 | x86_64 | no x server install | jdk7 from
>    oracle tar.gz version | cgred and cgconfig are stopped
>    The cmd (run as root):
>             sandbox /root/jdk/bin/java -version
>    The above cmd failed with:
>             /root/jdk/bin/java: error while loading shared libraries:
>    libjli.so: cannot open shared object file: No such file or directory
>
>    Digging revealed that "libjli.so" is an RPATH shared library. So I thought,
>    OK, since sandbox is copying my bin/java to /tmp/sandbox_random, therefore
>    a hardcoded path will not be found.
>    Then I changed the RPATH using the "chrpath" utility and changed it to a
>    hardcoded value.
>    But still it showed the same error.
>
>    Then I used the -M -i options of sandbox and ran the following command (I
>    included all the .so files it complained about):
>          sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so
>    -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg
>    -i /root/jdk/jre/lib/amd64/server/libjvm.so -i
>    /root/jdk/jre/lib/amd64/libverify.so
>    -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java  -version
>
>    Following command resulted in this error:
>    Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory
>    (0x00007fb039000000, 2555904, 1) failed; error='Permission
>    denied' (errno=13)
>    #
>    # There is insufficient memory for the Java Runtime Environment to
>    continue.
>    # Native memory allocation (malloc) failed to allocate 2555904 bytes for
>    committing reserved memory.
>    # An error report file with more information is saved as:
>    # /root/hs_err_pid1270.log
>
>    Now I used strace to see what happened, and strace printed (small
>    section):
>    clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|
>    SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268
>    close(4)                                = 0
>    read(3, "", 1048576)                    = 0
>    close(3)                                = 0
>    wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO:
>    os::commit_memory(0x00007f4579000000, 2555904, 1) failed;
>    error='Permission denied' (errno=13)
>
>    I have enough space for sure
>
>    Can you guys please indicate what might be wrong?
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
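
Added example (not part of the original thread): a shell model of the behaviour Philip describes, where deleting a log that a daemon still holds open leaves an empty directory while writes keep going to the unlinked inode, until the writer reopens the file. File descriptor 9 stands in for auditd's log handle; the scratch directory and record text are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration, Linux only (uses /proc). File descriptor 9 stands in for
# auditd's open log handle; everything happens in a scratch directory.

# Prints "<entries after rm> <bytes behind the fd> <deleted?> <entries after reopen>".
unlinked_log_demo() {
    dir=$(mktemp -d) || return 1

    exec 9>>"$dir/audit.log"        # the "daemon" opens its log in append mode
    echo "record 1" >&9

    rm -f "$dir"/*                  # operator clears the log directory
    echo "record 2" >&9             # still succeeds: the inode lives on, unlinked

    entries=$(ls -A "$dir" | wc -l | tr -d ' ')      # directory looks empty
    bytes=$(wc -c < /proc/self/fd/9 | tr -d ' ')     # both records are still here
    case $(readlink /proc/self/fd/9) in
        *" (deleted)") deleted=yes ;;                # the detection signal
        *)             deleted=no ;;
    esac

    exec 9>&-                       # "restart": close the stale descriptor...
    exec 9>>"$dir/audit.log"        # ...and reopen by path, creating a new file
    echo "record 3" >&9
    after=$(ls -A "$dir" | wc -l | tr -d ' ')

    exec 9>&-
    rm -rf "$dir"
    echo "$entries $bytes $deleted $after"
}

unlinked_log_demo
```

On a live system the same check is `ls -l /proc/$(pidof auditd)/fd`, looking for a link target that ends in `(deleted)`.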