Problem running "selinux sandbox" with java

Bhuvan Gupta bhuvangu at gmail.com
Tue Dec 30 19:10:03 UTC 2014


*The issue is resolved*. It turns out that the labeling of the files
related to Java (both OpenJDK and Oracle Java) was not correct on my Red Hat
6 system.
When I upgraded from Red Hat 6 to Red Hat 7 it started working fine, i.e.
*sandbox java -version* worked perfectly with no problems.

On my Red Hat 7 system the .so and other Java-related files are labeled as
one of the following:
*system_u:object_r:textrel_shlib_t:s0*

*system_u:object_r:lib_t:s0*

On my earlier machine, i.e. Red Hat 6, all files were marked
differently and hence I was getting the issue.

Thanks
Bhuvan




On Mon, Dec 29, 2014 at 11:28 PM, Bhuvan Gupta <bhuvangu at gmail.com> wrote:

> Hello Philip,
>
> Yep, you are right. Restarting the audit daemon worked and it started
> giving errors.
> I will analyze the logs and do some more test cycles and then post all my
> findings here.
>
>
> On Mon, Dec 29, 2014 at 4:42 AM, Philip Seeley <pseeley at au1.ibm.com>
> wrote:
>
>> Hi Gupta,
>>
>> Did you restart the audit daemon after clearing the logs? Just deleting
>> the logs might have resulted in auditd continuing to write to the log
>> you'd unlinked from its directory.
>>
>> Hope that helps...
>>
>> Phil
>>
>>
>>
>>
>> From:   Bhuvan Gupta <bhuvangu at gmail.com>
>> To:     selinux at lists.fedoraproject.org
>> Date:   29/12/2014 04:41
>> Subject:        Re: Problem running "selinux sandbox" with java
>> Sent by:        selinux-bounces at lists.fedoraproject.org
>>
>>
>>
>> Sorry for the typo:
>> [1]  cleared all the /var/log/audit/* and ran the same command, which gives
>> a memory error, and no logs were generated, i.e. empty directory.
>>
>> On Sun, Dec 28, 2014 at 11:07 PM, Bhuvan Gupta <bhuvangu at gmail.com>
>> wrote:
>>   Hello William,
>>   My current selinux settings are:
>>   SELINUX=enforcing
>>   SELINUXTYPE=targeted
>>
>>   [1]  cleared all the /var/log/audit/* and ran the same command, which
>>   gives a memory error, and all logs were generated, i.e. empty directory.
>>
>>   [2]  installed OpenJDK using "yum install java-1.7.0-openjdk-devel" and
>>   ran the same command but using the OpenJDK java, and it threw the same
>>   memory error
>>   OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory
>>   (0x00007fdabd000000, 2555904, 1) failed; error='Permission
>>   denied' (errno=13)
>>   #
>>   # There is insufficient memory for the Java Runtime Environment to
>>   continue.
>>   # Native memory allocation (malloc) failed to allocate 2555904 bytes for
>>   committing reserved memory.
>>
>>
>>
>>
>>   On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi <
>>   william.muriithi at gmail.com> wrote:
>>
>>    Gupta,
>>
>>    You should share your selinux logs. They are under /var/log/audit
>>    directory. Trigger the problem again and share the last couple of
>>    hundred lines.
>>
>>    Before that though, find the directory openjdk installed and install
>>    sun java there. Don't think using root home directory is a good idea
>>    and selinux may be whining because of that. Or just install
>>    in /usr/local/bin
>>
>>    William
>>>>
>>    Hello all,
>>    Greeting and happy new year to all.
>>    I am trying to sandbox a Java application using the SELinux sandbox.
>>    System details: Red Hat 6 | x86_64 | no X server installed | jdk7 from
>>    Oracle tar.gz version | cgred and cgconfig are stopped
>>    The command (run as root):
>>             sandbox /root/jdk/bin/java -version
>>    The above command failed with:
>>             /root/jdk/bin/java: error while loading shared libraries:
>>    libjli.so: cannot open shared object file: No such file or directory
>>
>>    Digging revealed that "libjli.so" is an RPATH shared library, so I
>>    thought: OK, since sandbox is copying my bin/java to /tmp/sandbox_random,
>>    a hardcoded path will not be found.
>>    Then I changed the RPATH using the "chrpath" utility and changed it to a
>>    hardcoded value.
>>    But it still showed the same error.
>>
>>    Then I used the -M -i options of sandbox and ran the following command (I
>>    included all the .so files it complained about):
>>          sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so \
>>            -i /root/jdk/jre/lib/amd64/libjava.so \
>>            -i /root/jdk/jre/lib/amd64/jvm.cfg \
>>            -i /root/jdk/jre/lib/amd64/server/libjvm.so \
>>            -i /root/jdk/jre/lib/amd64/libverify.so \
>>            -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java  -version
>>
>>    This command resulted in the following error:
>>    Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory
>>    (0x00007fb039000000, 2555904, 1) failed; error='Permission
>>    denied' (errno=13)
>>    #
>>    # There is insufficient memory for the Java Runtime Environment to
>>    continue.
>>    # Native memory allocation (malloc) failed to allocate 2555904 bytes for
>>    committing reserved memory.
>>    # An error report file with more information is saved as:
>>    # /root/hs_err_pid1270.log
>>
>>    Now I used strace to see what happened, and strace printed (small
>>    section):
>>    clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|
>>    SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268
>>    close(4)                                = 0
>>    read(3, "", 1048576)                    = 0
>>    close(3)                                = 0
>>    wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO:
>>    os::commit_memory(0x00007f4579000000, 2555904, 1) failed;
>>    error='Permission denied' (errno=13)
>>
>>    I have enough space for sure
>>
>>    Can you guys please indicate what might be wrong ?
>>
>>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
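
The resolution at the top of this thread comes down to the SELinux type on the JDK's shared objects. As an added example (not part of the original thread), the following shell function reads `stat -c '%C %n'` output and flags files whose type is not one of the two types reported for the working Red Hat 7 system; the function names, the `JDK_DIR` placeholder and the mismatched contexts in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag JDK files whose SELinux type differs from the two
# types the poster listed for the system where "sandbox java" worked.
EXPECTED_TYPES="textrel_shlib_t lib_t"

# Reads "<context> <path>" lines on stdin (the format of: stat -c '%C %n').
# Prints "<type> <path>" for every file whose type is not in EXPECTED_TYPES.
# Returns 0 when every label matches, 1 when at least one does not.
check_labels() {
    awk -v expected="$EXPECTED_TYPES" '
        BEGIN { n = split(expected, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        NF >= 2 {
            # A context is user:role:type:level; the type is the third field.
            split($1, f, ":")
            path = $0; sub(/^[^ ]+ +/, "", path)   # keeps paths with spaces
            if (!(f[3] in ok)) { print f[3], path; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: the paths are the ones from the thread; the contexts on
# the second and fourth lines are made up to show a mismatch.
sample_labels() {
    cat <<'EOF'
system_u:object_r:textrel_shlib_t:s0 /root/jdk/jre/lib/amd64/server/libjvm.so
unconfined_u:object_r:admin_home_t:s0 /root/jdk/lib/amd64/jli/libjli.so
system_u:object_r:lib_t:s0 /root/jdk/jre/lib/amd64/libzip.so
unconfined_u:object_r:admin_home_t:s0 /root/jdk/jre/lib/amd64/libjava.so
EOF
}

# On a real host (JDK_DIR is a placeholder for the install path):
#   find "$JDK_DIR" -name '*.so' -exec stat -c '%C %n' {} + | check_labels
# "restorecon -n -v -R $JDK_DIR" then shows what the loaded policy would
# relabel without changing anything.
sample_labels | check_labels || echo "mismatched labels found"
```
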