From: Daniel J Walsh <dwalsh@redhat.com>
To: Bhuvan Gupta <bhuvangu@gmail.com>, selinux@tycho.nsa.gov
Subject: Re: Problem running "selinux sandbox" with java
Date: Sat, 03 Jan 2015 07:46:20 -0500
Message-ID: <54A7E49C.6030805@redhat.com>
In-Reply-To: <CAF4ab9Wu1hf5qBKj5L7mtpp4eqqfRixJY3dvZJ+n3+xPQNxnzw@mail.gmail.com>

Take a look at the AVCs.  I think you are probably getting denied
execmem/execstack or something like that.

Does it work in permissive mode?

On 12/28/2014 09:04 AM, Bhuvan Gupta wrote:
> Hello all,
> Greetings and happy new year to all.
> I am trying to sandbox a Java application using the SELinux sandbox.
> System details: Redhat 6 | x86_64 | no X server installed | jdk7 from
> Oracle tar.gz version | cgred and cgconfig are stopped
> The cmd (run as root):
>     sandbox /root/jdk/bin/java -version
> The above cmd failed with:
>     /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
>
> Digging revealed that "libjli.so" is an RPATH shared library, so I
> thought OK, since sandbox is copying my bin/java to /tmp/sandbox_random,
> therefore a hardcoded path will not be found.
> Then I changed the RPATH using the "chrpath" utility and set it to a
> hardcoded value.
> But it still showed the same error.
>
> Then I used the -M -i options of sandbox and ran the following command
> (I included all the .so files it complained about):
>     sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so \
>         -i /root/jdk/jre/lib/amd64/libjava.so \
>         -i /root/jdk/jre/lib/amd64/jvm.cfg \
>         -i /root/jdk/jre/lib/amd64/server/libjvm.so \
>         -i /root/jdk/jre/lib/amd64/libverify.so \
>         -i /root/jdk/jre/lib/amd64/libzip.so \
>         /root/jdk/bin/java -version
>
> This command resulted in the following error:
>     Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13)
>     #
>     # There is insufficient memory for the Java Runtime Environment to continue.
>     # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
>     # An error report file with more information is saved as:
>     # /root/hs_err_pid1270.log
>
> Now I used strace to see what happened, and strace printed (small
> section):
>     clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268
>     close(4)                                = 0
>     read(3, "", 1048576)                    = 0
>     close(3)                                = 0
>     wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)
>
> I have enough space for sure
>
> Can you guys please indicate what might be wrong?
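
Added example (not part of the thread and not code from the sandbox tooling): one way to carry out the AVC check suggested in the reply, by scanning audit log text for denied memory-execution permissions attributed to the java process. The log lines are constructed; sandbox_t as the sandbox domain and the inclusion of execheap/execmod alongside execmem/execstack are assumptions.

```python
import re
from collections import Counter

# Constructed audit.log excerpt (not from the thread): timestamps, PIDs and
# MCS categories are made up; sandbox_t as the sandbox domain is an assumption.
CTX = "unconfined_u:unconfined_r:sandbox_t:s0:c12,c87"
SAMPLE_AUDIT_LOG = f"""\
type=AVC msg=audit(1420289180.101:811): avc:  denied  {{ execmem }} for  pid=1270 comm="java" scontext={CTX} tcontext={CTX} tclass=process
type=SYSCALL msg=audit(1420289180.101:811): arch=c000003e syscall=9 success=no exit=-13 comm="java"
type=AVC msg=audit(1420289181.340:815): avc:  denied  {{ execstack }} for  pid=1270 comm="java" scontext={CTX} tcontext={CTX} tclass=process
type=AVC msg=audit(1420289190.002:820): avc:  denied  {{ execmem }} for  pid=1302 comm="java" scontext={CTX} tcontext={CTX} tclass=process
type=AVC msg=audit(1420289195.500:822): avc:  denied  {{ read }} for  pid=1302 comm="java" name="jvm.cfg" scontext={CTX} tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1420289199.900:830): avc:  denied  {{ getattr }} for  pid=900 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
"""

# Permissions that gate executable memory; a JIT-compiling JVM needs them.
MEM_PERMS = {"execmem", "execstack", "execheap", "execmod"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)')

def parse_denials(text):
    """Yield one dict per AVC denial line; other record types are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()           # "{ a b }" -> ["a", "b"]
            d["domain"] = d["scontext"].split(":")[2]  # user:role:TYPE:level
            yield d

def memexec_denials(text, comm="java"):
    """Count (source domain, permission) pairs for memory-exec denials."""
    counts = Counter()
    for d in parse_denials(text):
        if d["comm"] == comm:
            for perm in d["perms"]:
                if perm in MEM_PERMS:
                    counts[(d["domain"], perm)] += 1
    return counts

if __name__ == "__main__":
    for (domain, perm), n in sorted(memexec_denials(SAMPLE_AUDIT_LOG).items()):
        print(f"{domain}: {perm} denied {n}x")
```

On a real host the input would be the audit log itself, for example the text printed by `ausearch -m avc -c java`. A hit here lines up with the JVM's errno=13 (EACCES) from os::commit_memory rather than an actual memory shortage.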

