* Problem running "selinux sandbox" with java
@ 2014-12-28 14:04 Bhuvan Gupta
2015-01-03 12:46 ` Daniel J Walsh
0 siblings, 1 reply; 2+ messages in thread
From: Bhuvan Gupta @ 2014-12-28 14:04 UTC (permalink / raw)
To: selinux
Hello all,
Greetings and happy new year to all.
I am trying to sandbox a Java application using the SELinux sandbox.
System details: Red Hat 6 | x86_64 | no X server installed | JDK 7 from Oracle
(tar.gz version) | cgred and cgconfig are stopped
The command (run as root):
    sandbox /root/jdk/bin/java -version
The above command failed with:
    /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
Digging revealed that "libjli.so" is an RPATH shared library, so I thought: OK,
since sandbox is copying my bin/java to /tmp/sandbox_random, a
hardcoded path will not be found.
Then I changed the RPATH using the "chrpath" utility, setting it to a
hardcoded value.
But it still showed the same error.
Then I used the -M -i options of sandbox and ran the following command (I
included all the .so files it complained about):
    sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so \
        -i /root/jdk/jre/lib/amd64/libjava.so \
        -i /root/jdk/jre/lib/amd64/jvm.cfg \
        -i /root/jdk/jre/lib/amd64/server/libjvm.so \
        -i /root/jdk/jre/lib/amd64/libverify.so \
        -i /root/jdk/jre/lib/amd64/libzip.so \
        /root/jdk/bin/java -version
This command resulted in the following error:
    Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13)
    #
    # There is insufficient memory for the Java Runtime Environment to continue.
    # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
    # An error report file with more information is saved as:
    # /root/hs_err_pid1270.log
I then used strace to see what happened, and strace printed (small
section):
    clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268
    close(4) = 0
    read(3, "", 1048576) = 0
    close(3) = 0
    wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)
I have enough space for sure.
Can you guys please indicate what might be wrong?
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Problem running "selinux sandbox" with java
2014-12-28 14:04 Problem running "selinux sandbox" with java Bhuvan Gupta
@ 2015-01-03 12:46 ` Daniel J Walsh
0 siblings, 0 replies; 2+ messages in thread
From: Daniel J Walsh @ 2015-01-03 12:46 UTC (permalink / raw)
To: Bhuvan Gupta, selinux
Take a look at the AVCs. I think you are probably getting denied
execmem/execstack or something like that.
Does it work in permissive mode?
On 12/28/2014 09:04 AM, Bhuvan Gupta wrote:
> Hello all,
> Greetings and happy new year to all.
> I am trying to sandbox a Java application using the SELinux sandbox.
> System details: Red Hat 6 | x86_64 | no X server installed | JDK 7 from
> Oracle (tar.gz version) | cgred and cgconfig are stopped
> The command (run as root):
>     sandbox /root/jdk/bin/java -version
> The above command failed with:
>     /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
>
> Digging revealed that "libjli.so" is an RPATH shared library, so I
> thought: OK, since sandbox is copying my bin/java to /tmp/sandbox_random,
> a hardcoded path will not be found.
> Then I changed the RPATH using the "chrpath" utility, setting it to a
> hardcoded value.
> But it still showed the same error.
>
> Then I used the -M -i options of sandbox and ran the following command (I
> included all the .so files it complained about):
>     sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so \
>         -i /root/jdk/jre/lib/amd64/libjava.so \
>         -i /root/jdk/jre/lib/amd64/jvm.cfg \
>         -i /root/jdk/jre/lib/amd64/server/libjvm.so \
>         -i /root/jdk/jre/lib/amd64/libverify.so \
>         -i /root/jdk/jre/lib/amd64/libzip.so \
>         /root/jdk/bin/java -version
>
> This command resulted in the following error:
>     Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13)
>     #
>     # There is insufficient memory for the Java Runtime Environment to continue.
>     # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
>     # An error report file with more information is saved as:
>     # /root/hs_err_pid1270.log
>
> I then used strace to see what happened, and strace printed (small
> section):
>     clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268
>     close(4) = 0
>     read(3, "", 1048576) = 0
>     close(3) = 0
>     wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)
>
> I have enough space for sure.
>
> Can you guys please indicate what might be wrong?
^ permalink raw reply [flat|nested] 2+ messages in thread
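Added example (not part of the thread, and not code from either poster): the reply suggests checking the AVC records for execmem/execstack denials. The Python below filters audit-log text for denied executable-memory permissions on the process class and groups them by source domain; the sample records are constructed, not taken from the poster's system, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Process-class permissions that control executable memory mappings.
MEMPROT_PERMS = {"execmem", "execstack", "execheap"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records in audit.log format; not from the poster's system.
SAMPLE_LOG = """\
type=AVC msg=audit(1419775440.101:310): avc:  denied  { execmem } for  pid=1270 comm="java" scontext=unconfined_u:unconfined_r:sandbox_t:s0:c12,c34 tcontext=unconfined_u:unconfined_r:sandbox_t:s0:c12,c34 tclass=process
type=AVC msg=audit(1419775440.102:311): avc:  denied  { read open } for  pid=1270 comm="java" name="jvm.cfg" dev=dm-0 ino=1234 scontext=unconfined_u:unconfined_r:sandbox_t:s0:c12,c34 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1419775440.101:310): arch=c000003e syscall=9 success=no exit=-13 comm="java"
type=AVC msg=audit(1419775441.000:312): avc:  granted  { execmem } for  pid=900 comm="other" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
"""


def parse_denials(text):
    """Yield one dict per 'avc: denied' record; other record types are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        fields["perms"] = m.group("perms").split()
        # A context is user:role:type:level; the type field is the domain.
        fields["domain"] = fields.get("scontext", ":::").split(":")[2]
        yield fields


def memprot_denials(text):
    """Map (domain, comm) -> set of denied executable-memory permissions."""
    hits = defaultdict(set)
    for d in parse_denials(text):
        if d.get("tclass") != "process":
            continue
        blocked = MEMPROT_PERMS.intersection(d["perms"])
        if blocked:
            hits[(d["domain"], d.get("comm", "?"))] |= blocked
    return dict(hits)


if __name__ == "__main__":
    for (domain, comm), perms in memprot_denials(SAMPLE_LOG).items():
        print(f"{comm} in {domain}: denied {', '.join(sorted(perms))}")
```

On a live system the same text can be read from /var/log/audit/audit.log or taken from the output of `ausearch -m avc -ts recent`.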