
Problem running "selinux sandbox" with java

Posted on 2014-12-28
Last Modified: 2015-01-01
I am trying to sandbox a Java application using SELinux sandbox.
System details: Red Hat 6 | x86_64 | no X server installed | JDK 7 from Oracle tar.gz version | cgred and cgconfig are stopped
The command (run as root):
         sandbox /root/jdk/bin/java -version
The above command failed with:
         /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

Digging revealed that "libjli.so" is an RPATH shared library, so I thought: OK, since sandbox is copying my bin/java to /tmp/sandbox_random, a hardcoded path will not be found.
Then I changed the RPATH using the "chrpath" utility and set it to a hardcoded value.
But it still showed the same error.

Then I used the -M -i options of sandbox and ran the following command (I included all the .so files it complained about):
      sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i    /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java  -version

This command resulted in the following error:
Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /root/hs_err_pid1270.log

Now I used strace to see what happened, and strace printed (small section):
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268
close(4)                                = 0
read(3, "", 1048576)                    = 0
close(3)                                = 0
wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)

I have enough space for sure.

Can you guys please indicate what might be wrong?
Question by:bhuvan gupta
Accepted Solution

by: gheist (earned 1500 total points)
ID: 40521460
You can use the default OpenJDK 1.6/1.7/1.8 and have it somewhat sandboxed.
Or install the Oracle RPM package.
Don't use strace; use audit2why from policycoreutils-python, it will tell you just the SELinux violations.

Author Comment

by:bhuvan gupta
ID: 40527144
The issue is resolved. It turned out that the labeling of the files related to Java (both OpenJDK and Oracle Java) was not correct on my Red Hat 6 system.
When I upgraded from Red Hat 6 to Red Hat 7, it all started working fine, i.e.
sandbox java -version worked perfectly with no problems.

On my Red Hat 7 system the .so and other Java-related files are labeled as one of the following:
system_u:object_r:textrel_shlib_t:s0
system_u:object_r:lib_t:s0

On my earlier machine, i.e. Red Hat 6, all files were marked as something different, and hence I was getting the issue.

Expert Comment

by:gheist
ID: 40527309
You can always relabel SELinux contexts, or at least keep the restorecon daemon running to do most of that on a live system.

Btw, on RHEL6 and all 3 OpenJDK versions, labeling is correct (2nd line in your post).
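The label check described in the author's comment, as an added example that is not part of the original thread: it reads "context path" pairs (the output of `stat -c '%C %n'`) and reports every shared library whose SELinux type is not one of the two types the author saw on the working system. The function names, `JDK_HOME` and the sample labels are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: flag JDK shared libraries whose SELinux type differs from
# the two types reported in the thread for the working RHEL 7 system.
# On a real host, feed it with (JDK_HOME is an assumed variable):
#   find "$JDK_HOME" -name '*.so' -exec stat -c '%C %n' {} + | mislabeled_libs
# and read the matching denials, as the accepted answer suggests, with:
#   ausearch -m avc -ts recent | audit2why

# Types taken from the author's comment; treated here as an allow-list.
EXPECTED_TYPES="lib_t textrel_shlib_t"

# Reads "<context> <path>" lines on stdin, prints "<type> <path>" for each
# .so file whose type is not in EXPECTED_TYPES.
mislabeled_libs() {
    while read -r context path; do
        [ -n "$path" ] || continue
        # Only shared objects are checked; config files etc. are skipped.
        case "$path" in
            *.so|*.so.*) ;;
            *) continue ;;
        esac
        # A context is user:role:type[:level]; the type is the third field.
        type=$(printf '%s\n' "$context" | cut -d: -f3)
        case " $EXPECTED_TYPES " in
            *" $type "*) ;;
            *) printf '%s %s\n' "$type" "$path" ;;
        esac
    done
}

# Constructed sample input (labels invented for the example, not taken
# from the asker's machine).
sample_labels() {
    cat <<'EOF'
system_u:object_r:lib_t:s0 /root/jdk/jre/lib/amd64/libjava.so
unconfined_u:object_r:admin_home_t:s0 /root/jdk/lib/amd64/jli/libjli.so
system_u:object_r:textrel_shlib_t:s0 /root/jdk/jre/lib/amd64/server/libjvm.so
unconfined_u:object_r:admin_home_t:s0 /root/jdk/jre/lib/amd64/jvm.cfg
unconfined_u:object_r:user_tmp_t:s0:c1,c2 /root/jdk/jre/lib/amd64/libzip.so
EOF
}

sample_labels | mislabeled_libs
```

An empty result means every library carries one of the expected types; any line printed names a file to compare against the AVC denials that audit2why explains.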