Solved

Problem running "selinux sandbox" with java

Posted on 2014-12-28
3
195 Views
Last Modified: 2015-01-01
I am trying to sandbox a java application using selinux sandbox.
System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop
The cmd (run as root)
         sandbox /root/jdk/bin/java -version
above cmd failed with
         /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found.
Then i change the RPATH using "chrpath" utility and changed it to a hardcode value
But still it showed the same error.

Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about):
      sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i    /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java  -version

Following command resulted in this error:
Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /root/hs_err_pid1270.log

Now i used the strace to see what happened and strace printed(small section)
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268
close(4)                                = 0
read(3, "", 1048576)                    = 0
close(3)                                = 0
wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)

I have enough space for sure

Can you guys please indicate what might be wrong ?
0
Comment
Question by:bhuvan gupta
  • 2
3 Comments
 
LVL 61

Accepted Solution

by:
gheist earned 500 total points
ID: 40521460
You can use default openjdk 1.6/1.7/1.8 and have it somewhat sandboxed.
Or install oracle RPM package
Dont use strace, use audit2why from policycoreutils-python, it will tell just selinux violations.
0
 

Author Comment

by:bhuvan gupta
ID: 40527144
The issue is Resolved. It turn out to be that the labeling of the file related to java(both openjdk and oracle java) was not correct in my redhat 6 system.
When i upgraded from redhat 6 to redhat 7 it started working all fine i.e
sandbox java -version worked perfectly with no problems.

In my redhat 7 system the .so and other java related file are labeled as one of the following:
system_u:object_r:textrel_shlib_t:s0
system_u:object_r:lib_t:s0

in my earlier machine i.e redhat 6 all file were marked as something differently and hence i was getting the issue.
0
 
LVL 61

Expert Comment

by:gheist
ID: 40527309
You can always re-label selinux contexts, or at least keep restorecon daemon running to do most part of that on live system

btw on RHEL6 and all 3 openjdk versions labeling is correct (2nd line in your post)
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now