Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Problem running "selinux sandbox" with java

Posted on 2014-12-28
3
203 Views
Last Modified: 2015-01-01
I am trying to sandbox a java application using selinux sandbox.
System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop
The cmd (run as root)
         sandbox /root/jdk/bin/java -version
above cmd failed with
         /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found.
Then i change the RPATH using "chrpath" utility and changed it to a hardcode value
But still it showed the same error.

Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about):
      sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i    /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java  -version

Following command resulted in this error:
Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /root/hs_err_pid1270.log

Now i used the strace to see what happened and strace printed(small section)
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268
close(4)                                = 0
read(3, "", 1048576)                    = 0
close(3)                                = 0
wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)

I have enough space for sure

Can you guys please indicate what might be wrong ?
0
Comment
Question by:bhuvan gupta
  • 2
3 Comments
 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 40521460
You can use default openjdk 1.6/1.7/1.8 and have it somewhat sandboxed.
Or install oracle RPM package
Dont use strace, use audit2why from policycoreutils-python, it will tell just selinux violations.
0
 

Author Comment

by:bhuvan gupta
ID: 40527144
The issue is Resolved. It turn out to be that the labeling of the file related to java(both openjdk and oracle java) was not correct in my redhat 6 system.
When i upgraded from redhat 6 to redhat 7 it started working all fine i.e
sandbox java -version worked perfectly with no problems.

In my redhat 7 system the .so and other java related file are labeled as one of the following:
system_u:object_r:textrel_shlib_t:s0
system_u:object_r:lib_t:s0

in my earlier machine i.e redhat 6 all file were marked as something differently and hence i was getting the issue.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40527309
You can always re-label selinux contexts, or at least keep restorecon daemon running to do most part of that on live system

btw on RHEL6 and all 3 openjdk versions labeling is correct (2nd line in your post)
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question