Solved

Problem running "selinux sandbox" with java

Posted on 2014-12-28
3
197 Views
Last Modified: 2015-01-01
I am trying to sandbox a java application using selinux sandbox.
System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop
The cmd (run as root)
         sandbox /root/jdk/bin/java -version
above cmd failed with
         /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found.
Then i change the RPATH using "chrpath" utility and changed it to a hardcode value
But still it showed the same error.

Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about):
      sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i    /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java  -version

Following command resulted in this error:
Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /root/hs_err_pid1270.log

Now i used the strace to see what happened and strace printed(small section)
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268
close(4)                                = 0
read(3, "", 1048576)                    = 0
close(3)                                = 0
wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)

I have enough space for sure

Can you guys please indicate what might be wrong ?
0
Comment
Question by:bhuvan gupta
  • 2
3 Comments
 
LVL 61

Accepted Solution

by:
gheist earned 500 total points
ID: 40521460
You can use default openjdk 1.6/1.7/1.8 and have it somewhat sandboxed.
Or install oracle RPM package
Dont use strace, use audit2why from policycoreutils-python, it will tell just selinux violations.
0
 

Author Comment

by:bhuvan gupta
ID: 40527144
The issue is Resolved. It turn out to be that the labeling of the file related to java(both openjdk and oracle java) was not correct in my redhat 6 system.
When i upgraded from redhat 6 to redhat 7 it started working all fine i.e
sandbox java -version worked perfectly with no problems.

In my redhat 7 system the .so and other java related file are labeled as one of the following:
system_u:object_r:textrel_shlib_t:s0
system_u:object_r:lib_t:s0

in my earlier machine i.e redhat 6 all file were marked as something differently and hence i was getting the issue.
0
 
LVL 61

Expert Comment

by:gheist
ID: 40527309
You can always re-label selinux contexts, or at least keep restorecon daemon running to do most part of that on live system

btw on RHEL6 and all 3 openjdk versions labeling is correct (2nd line in your post)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now