Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 266
  • Last Modified:

Problem running "selinux sandbox" with java

I am trying to sandbox a java application using selinux sandbox.
System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop
The cmd (run as root)
         sandbox /root/jdk/bin/java -version
above cmd failed with
         /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found.
Then i change the RPATH using "chrpath" utility and changed it to a hardcode value
But still it showed the same error.

Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about):
      sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i    /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java  -version

Following command resulted in this error:
Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /root/hs_err_pid1270.log

Now i used the strace to see what happened and strace printed(small section)
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268
close(4)                                = 0
read(3, "", 1048576)                    = 0
close(3)                                = 0
wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)

I have enough space for sure

Can you guys please indicate what might be wrong ?
0
bhuvan gupta
Asked:
bhuvan gupta
  • 2
1 Solution
 
gheistCommented:
You can use default openjdk 1.6/1.7/1.8 and have it somewhat sandboxed.
Or install oracle RPM package
Dont use strace, use audit2why from policycoreutils-python, it will tell just selinux violations.
0
 
bhuvan guptastudentAuthor Commented:
The issue is Resolved. It turn out to be that the labeling of the file related to java(both openjdk and oracle java) was not correct in my redhat 6 system.
When i upgraded from redhat 6 to redhat 7 it started working all fine i.e
sandbox java -version worked perfectly with no problems.

In my redhat 7 system the .so and other java related file are labeled as one of the following:
system_u:object_r:textrel_shlib_t:s0
system_u:object_r:lib_t:s0

in my earlier machine i.e redhat 6 all file were marked as something differently and hence i was getting the issue.
0
 
gheistCommented:
You can always re-label selinux contexts, or at least keep restorecon daemon running to do most part of that on live system

btw on RHEL6 and all 3 openjdk versions labeling is correct (2nd line in your post)
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now