Hello all, Greeting and happy new year to all. I am trying to sandbox a java application using selinux sandbox. System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop The cmd (run as root) * sandbox /root/jdk/bin/java -version* above cmd failed with * /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory*
Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found. Then i change the RPATH using "chrpath" utility and changed it to a hardcode value But still it showed the same error.
Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about):
* sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java -version*
Following command resulted in this error: *Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13)* *#* *# There is insufficient memory for the Java Runtime Environment to continue.* *# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.* *# An error report file with more information is saved as:* *# /root/hs_err_pid1270.log*
Now i used the strace to see what happened and strace printed(small section) *clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268* *close(4) = 0* *read(3, "", 1048576) = 0* *close(3) = 0* *wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)*
I have enough space for sure
*Can you guys please indicate what might be wrong ?*
Gupta,
You should share your selinux logs. They are under /var/log/audit directory. Trigger the problem again and share the last couple of hundred lines.
Before that though, find the directory openjdk installed and install sun java there. Don't think using root home directory is a good idea and selinux may be whining because of that. Or just install in /usr/local/bin
William
Hello all, Greeting and happy new year to all. I am trying to sandbox a java application using selinux sandbox. System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop The cmd (run as root) sandbox /root/jdk/bin/java -version above cmd failed with /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found. Then i change the RPATH using "chrpath" utility and changed it to a hardcode value But still it showed the same error.
Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about): sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java -version
Following command resulted in this error: Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory. # An error report file with more information is saved as: # /root/hs_err_pid1270.log
Now i used the strace to see what happened and strace printed(small section) clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268 close(4) = 0 read(3, "", 1048576) = 0 close(3) = 0 wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)
I have enough space for sure
Can you guys please indicate what might be wrong ?
Hello William, My current selinux settings are: SELINUX=enforcing SELINUXTYPE=targeted
[1] cleared all the /var/log/audit/* and ran the same command which give memory error and all logs were generated i.e empty directory.
[2] install openjdk using "yum install java-1.7.0-openjdk-devel" and ran the same command but using the openjdk java and it throw the same memory error *OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fdabd000000, 2555904, 1) failed; error='Permission denied' (errno=13)* *#* *# There is insufficient memory for the Java Runtime Environment to continue.* *# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.*
On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi < william.muriithi@gmail.com> wrote:
Gupta,
You should share your selinux logs. They are under /var/log/audit directory. Trigger the problem again and share the last couple of hundred lines.
Before that though, find the directory openjdk installed and install sun java there. Don't think using root home directory is a good idea and selinux may be whining because of that. Or just install in /usr/local/bin
William
Hello all, Greeting and happy new year to all. I am trying to sandbox a java application using selinux sandbox. System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop The cmd (run as root) sandbox /root/jdk/bin/java -version above cmd failed with /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found. Then i change the RPATH using "chrpath" utility and changed it to a hardcode value But still it showed the same error.
Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about): sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java -version
Following command resulted in this error: Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory. # An error report file with more information is saved as: # /root/hs_err_pid1270.log
Now i used the strace to see what happened and strace printed(small section) clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268 close(4) = 0 read(3, "", 1048576) = 0 close(3) = 0 wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)
I have enough space for sure
Can you guys please indicate what might be wrong ?
On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi < william.muriithi@gmail.com> wrote:
Gupta,
You should share your selinux logs. They are under /var/log/audit directory. Trigger the problem again and share the last couple of hundred lines.
Before that though, find the directory openjdk installed and install sun java there. Don't think using root home directory is a good idea and selinux may be whining because of that. Or just install in /usr/local/bin
William
Hello all, Greeting and happy new year to all. I am trying to sandbox a java application using selinux sandbox. System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop The cmd (run as root) sandbox /root/jdk/bin/java -version above cmd failed with /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found. Then i change the RPATH using "chrpath" utility and changed it to a hardcode value But still it showed the same error.
Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about): sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java -version
Following command resulted in this error: Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory. # An error report file with more information is saved as: # /root/hs_err_pid1270.log
Now i used the strace to see what happened and strace printed(small section) clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268 close(4) = 0 read(3, "", 1048576) = 0 close(3) = 0 wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)
I have enough space for sure
Can you guys please indicate what might be wrong ?
sorry for the typo:
[1] cleared all the /var/log/audit/* and ran the same command which give memory error and no logs were generated i.e empty directory.
On Sun, Dec 28, 2014 at 11:07 PM, Bhuvan Gupta bhuvangu@gmail.com wrote:
Hello William, My current selinux settings are: SELINUX=enforcing SELINUXTYPE=targeted
[1] cleared all the /var/log/audit/* and ran the same command which give memory error and all logs were generated i.e empty directory.
[2] install openjdk using "yum install java-1.7.0-openjdk-devel" and ran the same command but using the openjdk java and it throw the same memory error *OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fdabd000000, 2555904, 1) failed; error='Permission denied' (errno=13)* *#* *# There is insufficient memory for the Java Runtime Environment to continue.* *# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.*
On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi < william.muriithi@gmail.com> wrote:
Gupta,
You should share your selinux logs. They are under /var/log/audit directory. Trigger the problem again and share the last couple of hundred lines.
Before that though, find the directory openjdk installed and install sun java there. Don't think using root home directory is a good idea and selinux may be whining because of that. Or just install in /usr/local/bin
William
Hello all, Greeting and happy new year to all. I am trying to sandbox a java application using selinux sandbox. System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop The cmd (run as root) sandbox /root/jdk/bin/java -version above cmd failed with /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found. Then i change the RPATH using "chrpath" utility and changed it to a hardcode value But still it showed the same error.
Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about): sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java -version
Following command resulted in this error: Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory. # An error report file with more information is saved as: # /root/hs_err_pid1270.log
Now i used the strace to see what happened and strace printed(small section) clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268 close(4) = 0 read(3, "", 1048576) = 0 close(3) = 0 wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)
I have enough space for sure
Can you guys please indicate what might be wrong ?
On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi < william.muriithi@gmail.com> wrote:
Gupta,
You should share your selinux logs. They are under /var/log/audit directory. Trigger the problem again and share the last couple of hundred lines.
Before that though, find the directory openjdk installed and install sun java there. Don't think using root home directory is a good idea and selinux may be whining because of that. Or just install in /usr/local/bin
William
Hello all, Greeting and happy new year to all. I am trying to sandbox a java application using selinux sandbox. System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop The cmd (run as root) sandbox /root/jdk/bin/java -version above cmd failed with /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found. Then i change the RPATH using "chrpath" utility and changed it to a hardcode value But still it showed the same error.
Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about): sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java -version
Following command resulted in this error: Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory. # An error report file with more information is saved as: # /root/hs_err_pid1270.log
Now i used the strace to see what happened and strace printed(small section) clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268 close(4) = 0 read(3, "", 1048576) = 0 close(3) = 0 wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)
I have enough space for sure
Can you guys please indicate what might be wrong ?
Also i tried * sandbox java -version*
Here java is from openjdk
It throw the same memory error.(below is the result of running the above command)
*OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fbb74246000, 2555904, 1) failed; error='Permission denied' (errno=13)* *#* *# There is insufficient memory for the Java Runtime Environment to continue.* *# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.* *# Can not save log file, dump to screen..* *#* *# There is insufficient memory for the Java Runtime Environment to continue.* *# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.* *# Possible reasons:* *# The system is out of physical RAM or swap space* *# In 32 bit mode, the process size limit was hit* *# Possible solutions:* *# Reduce memory load on the system* *# Increase physical memory or swap space* *# Check if swap backing store is full* *# Use 64 bit Java on a 64 bit OS* *# Decrease Java heap size (-Xmx/-Xms)* *# Decrease number of Java threads* *# Decrease Java thread stack sizes (-Xss)* *# Set larger code cache with -XX:ReservedCodeCacheSize=* *# This output file may be truncated or incomplete.* *#* *# Out of Memory Error (os_linux.cpp:2798), pid=2248, tid=140443161286400* *#* *# JRE version: (7.0_71-b14) (build )* *# Java VM: OpenJDK 64-Bit Server VM (24.65-b04 mixed mode linux-amd64 compressed oops)* *# Derivative: IcedTea 2.5.3* *# Distribution: Built on Red Hat Enterprise Linux Server release 6.6 (Santiago) (Mon Dec 15 09:26:58 EST 2014)* *# Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again* *#*
On Sun, Dec 28, 2014 at 11:11 PM, Bhuvan Gupta bhuvangu@gmail.com wrote:
sorry for the typo:
[1] cleared all the /var/log/audit/* and ran the same command which give memory error and no logs were generated i.e empty directory.
On Sun, Dec 28, 2014 at 11:07 PM, Bhuvan Gupta bhuvangu@gmail.com wrote:
Hello William, My current selinux settings are: SELINUX=enforcing SELINUXTYPE=targeted
[1] cleared all the /var/log/audit/* and ran the same command which give memory error and all logs were generated i.e empty directory.
[2] install openjdk using "yum install java-1.7.0-openjdk-devel" and ran the same command but using the openjdk java and it throw the same memory error *OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fdabd000000, 2555904, 1) failed; error='Permission denied' (errno=13)* *#* *# There is insufficient memory for the Java Runtime Environment to continue.* *# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.*
On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi < william.muriithi@gmail.com> wrote:
Gupta,
You should share your selinux logs. They are under /var/log/audit directory. Trigger the problem again and share the last couple of hundred lines.
Before that though, find the directory openjdk installed and install sun java there. Don't think using root home directory is a good idea and selinux may be whining because of that. Or just install in /usr/local/bin
William
Hello all, Greeting and happy new year to all. I am trying to sandbox a java application using selinux sandbox. System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop The cmd (run as root) sandbox /root/jdk/bin/java -version above cmd failed with /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found. Then i change the RPATH using "chrpath" utility and changed it to a hardcode value But still it showed the same error.
Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about): sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java -version
Following command resulted in this error: Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory. # An error report file with more information is saved as: # /root/hs_err_pid1270.log
Now i used the strace to see what happened and strace printed(small section) clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268 close(4) = 0 read(3, "", 1048576) = 0 close(3) = 0 wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)
I have enough space for sure
Can you guys please indicate what might be wrong ?
On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi < william.muriithi@gmail.com> wrote:
Gupta,
You should share your selinux logs. They are under /var/log/audit directory. Trigger the problem again and share the last couple of hundred lines.
Before that though, find the directory openjdk installed and install sun java there. Don't think using root home directory is a good idea and selinux may be whining because of that. Or just install in /usr/local/bin
William
Hello all, Greeting and happy new year to all. I am trying to sandbox a java application using selinux sandbox. System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop The cmd (run as root) sandbox /root/jdk/bin/java -version above cmd failed with /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found. Then i change the RPATH using "chrpath" utility and changed it to a hardcode value But still it showed the same error.
Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about): sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java -version
Following command resulted in this error: Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory. # An error report file with more information is saved as: # /root/hs_err_pid1270.log
Now i used the strace to see what happened and strace printed(small section) clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268 close(4) = 0 read(3, "", 1048576) = 0 close(3) = 0 wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)
I have enough space for sure
Can you guys please indicate what might be wrong ?
Hi Gupta,
Did you restart the audit daemon after clearing the logs? Just deleting the logs might have resulted in auditd continuing to write to the log you'd unlinked from its directory.
Hope that helps...
Phil
From: Bhuvan Gupta bhuvangu@gmail.com To: selinux@lists.fedoraproject.org Date: 29/12/2014 04:41 Subject: Re: Problem running "selinux sandbox" with java Sent by: selinux-bounces@lists.fedoraproject.org
sorry for the typo: [1] cleared all the /var/log/audit/* and ran the same command which give memory error and no logs were generated i.e empty directory.
On Sun, Dec 28, 2014 at 11:07 PM, Bhuvan Gupta bhuvangu@gmail.com wrote: Hello William, My current selinux settings are: SELINUX=enforcing SELINUXTYPE=targeted
[1] cleared all the /var/log/audit/* and ran the same command which give memory error and all logs were generated i.e empty directory.
[2] install openjdk using "yum install java-1.7.0-openjdk-devel" and ran the same command but using the openjdk java and it throw the same memory error OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory (0x00007fdabd000000, 2555904, 1) failed; error='Permission denied' (errno=13) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi < william.muriithi@gmail.com> wrote:
Gupta,
You should share your selinux logs. They are under /var/log/audit directory. Trigger the problem again and share the last couple of hundred lines.
Before that though, find the directory openjdk installed and install sun java there. Don't think using root home directory is a good idea and selinux may be whining because of that. Or just install in /usr/local/bin
William
Hello all, Greeting and happy new year to all. I am trying to sandbox a java application using selinux sandbox. System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop The cmd (run as root) sandbox /root/jdk/bin/java -version above cmd failed with /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found. Then i change the RPATH using "chrpath" utility and changed it to a hardcode value But still it showed the same error.
Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about): sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java -version
Following command resulted in this error: Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory (0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory. # An error report file with more information is saved as: # /root/hs_err_pid1270.log
Now i used the strace to see what happened and strace printed(small section) clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID| SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268 close(4) = 0 read(3, "", 1048576) = 0 close(3) = 0 wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)
I have enough space for sure
Can you guys please indicate what might be wrong ?
On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi < william.muriithi@gmail.com> wrote: Gupta,
You should share your selinux logs. They are under /var/log/audit directory. Trigger the problem again and share the last couple of hundred lines.
Before that though, find the directory openjdk installed and install sun java there. Don't think using root home directory is a good idea and selinux may be whining because of that. Or just install in /usr/local/bin
William
Hello all, Greeting and happy new year to all. I am trying to sandbox a java application using selinux sandbox. System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop The cmd (run as root) sandbox /root/jdk/bin/java -version above cmd failed with /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found. Then i change the RPATH using "chrpath" utility and changed it to a hardcode value But still it showed the same error.
Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about): sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java -version
Following command resulted in this error: Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory (0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory. # An error report file with more information is saved as: # /root/hs_err_pid1270.log
Now i used the strace to see what happened and strace printed(small section) clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID| SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268 close(4) = 0 read(3, "", 1048576) = 0 close(3) = 0 wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)
I have enough space for sure
Can you guys please indicate what might be wrong ?
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Hello Philip,
Yep you are right. restarting the audit daemon worked and it started giving error. I will analyze the logs and do some more test cycles and then post all my finding here.
On Mon, Dec 29, 2014 at 4:42 AM, Philip Seeley pseeley@au1.ibm.com wrote:
Hi Gupta,
Did you restart the audit daemon after clearing the logs? Just deleting the logs might have resulted in auditd continuing to write to the log you'd unlinked from its directory.
Hope that helps...
Phil
From: Bhuvan Gupta bhuvangu@gmail.com To: selinux@lists.fedoraproject.org Date: 29/12/2014 04:41 Subject: Re: Problem running "selinux sandbox" with java Sent by: selinux-bounces@lists.fedoraproject.org
sorry for the typo: [1] cleared all the /var/log/audit/* and ran the same command which give memory error and no logs were generated i.e empty directory.
On Sun, Dec 28, 2014 at 11:07 PM, Bhuvan Gupta bhuvangu@gmail.com wrote: Hello William, My current selinux settings are: SELINUX=enforcing SELINUXTYPE=targeted
[1] cleared all the /var/log/audit/* and ran the same command which give memory error and all logs were generated i.e empty directory.
[2] install openjdk using "yum install java-1.7.0-openjdk-devel" and ran the same command but using the openjdk java and it throw the same memory error OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory (0x00007fdabd000000, 2555904, 1) failed; error='Permission denied' (errno=13) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi < william.muriithi@gmail.com> wrote:
Gupta,
You should share your selinux logs. They are under /var/log/audit directory. Trigger the problem again and share the last couple of hundred lines.
Before that though, find the directory openjdk installed and install sun java there. Don't think using root home directory is a good idea and selinux may be whining because of that. Or just install in /usr/local/bin
William
Hello all, Greeting and happy new year to all. I am trying to sandbox a java application using selinux sandbox. System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop The cmd (run as root) sandbox /root/jdk/bin/java -version above cmd failed with /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found. Then i change the RPATH using "chrpath" utility and changed it to a hardcode value But still it showed the same error.
Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about): sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java -version
Following command resulted in this error: Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory (0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory. # An error report file with more information is saved as: # /root/hs_err_pid1270.log
Now i used the strace to see what happened and strace printed(small section) clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID| SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268 close(4) = 0 read(3, "", 1048576) = 0 close(3) = 0 wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)
I have enough space for sure
Can you guys please indicate what might be wrong ?
On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi < william.muriithi@gmail.com> wrote: Gupta,
You should share your selinux logs. They are under /var/log/audit directory. Trigger the problem again and share the last couple of hundred lines.
Before that though, find the directory openjdk installed and install sun java there. Don't think using root home directory is a good idea and selinux may be whining because of that. Or just install in /usr/local/bin
William
Hello all, Greeting and happy new year to all. I am trying to sandbox a java application using selinux sandbox. System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop The cmd (run as root) sandbox /root/jdk/bin/java -version above cmd failed with /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found. Then i change the RPATH using "chrpath" utility and changed it to a hardcode value But still it showed the same error.
Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about): sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java -version
Following command resulted in this error: Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory (0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory. # An error report file with more information is saved as: # /root/hs_err_pid1270.log
Now i used the strace to see what happened and strace printed(small section) clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID| SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268 close(4) = 0 read(3, "", 1048576) = 0 close(3) = 0 wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)
I have enough space for sure
Can you guys please indicate what might be wrong ?
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
*The issue is Resolved*. It turn out to be that the labeling of the file related to java(both openjdk and oracle java) was not correct in my redhat 6 system. When i upgraded from redhat 6 to redhat 7 it started working all fine i.e *sandbox java -version *worked perfectly with no problems.
In my redhat 7 system the .so and other java related file are labeled as one of the following: *system_u:object_r:textrel_shlib_t:s0*
*system_u:object_r:lib_t:s0*
in my earlier machine i.e redhat 6 all file were marked as something differently and hence i was getting the issue.
Thanks Bhuvan
On Mon, Dec 29, 2014 at 11:28 PM, Bhuvan Gupta bhuvangu@gmail.com wrote:
Hello Philip,
Yep you are right. restarting the audit daemon worked and it started giving error. I will analyze the logs and do some more test cycles and then post all my finding here.
On Mon, Dec 29, 2014 at 4:42 AM, Philip Seeley pseeley@au1.ibm.com wrote:
Hi Gupta,
Did you restart the audit daemon after clearing the logs? Just deleting the logs might have resulted in auditd continuing to write to the log you'd unlinked from its directory.
Hope that helps...
Phil
From: Bhuvan Gupta bhuvangu@gmail.com To: selinux@lists.fedoraproject.org Date: 29/12/2014 04:41 Subject: Re: Problem running "selinux sandbox" with java Sent by: selinux-bounces@lists.fedoraproject.org
sorry for the typo: [1] cleared all the /var/log/audit/* and ran the same command which give memory error and no logs were generated i.e empty directory.
On Sun, Dec 28, 2014 at 11:07 PM, Bhuvan Gupta bhuvangu@gmail.com wrote: Hello William, My current selinux settings are: SELINUX=enforcing SELINUXTYPE=targeted
[1] cleared all the /var/log/audit/* and ran the same command which give memory error and all logs were generated i.e empty directory.
[2] install openjdk using "yum install java-1.7.0-openjdk-devel" and ran the same command but using the openjdk java and it throw the same memory error OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory (0x00007fdabd000000, 2555904, 1) failed; error='Permission denied' (errno=13) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi < william.muriithi@gmail.com> wrote:
Gupta,
You should share your selinux logs. They are under /var/log/audit directory. Trigger the problem again and share the last couple of hundred lines.
Before that though, find the directory openjdk installed and install sun java there. Don't think using root home directory is a good idea and selinux may be whining because of that. Or just install in /usr/local/bin
William
Hello all, Greeting and happy new year to all. I am trying to sandbox a java application using selinux sandbox. System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop The cmd (run as root) sandbox /root/jdk/bin/java -version above cmd failed with /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found. Then i change the RPATH using "chrpath" utility and changed it to a hardcode value But still it showed the same error.
Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about): sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java -version
Following command resulted in this error: Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory (0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory. # An error report file with more information is saved as: # /root/hs_err_pid1270.log
Now i used the strace to see what happened and strace printed(small section) clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID| SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268 close(4) = 0 read(3, "", 1048576) = 0 close(3) = 0 wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)
I have enough space for sure
Can you guys please indicate what might be wrong ?
On Sun, Dec 28, 2014 at 9:54 PM, William Muriithi < william.muriithi@gmail.com> wrote: Gupta,
You should share your selinux logs. They are under /var/log/audit directory. Trigger the problem again and share the last couple of hundred lines.
Before that though, find the directory openjdk installed and install sun java there. Don't think using root home directory is a good idea and selinux may be whining because of that. Or just install in /usr/local/bin
William
Hello all, Greeting and happy new year to all. I am trying to sandbox a java application using selinux sandbox. System details: Redhat 6 | x86_64 | no x server install | jdk7 from oracle tar.gz version | cgred and cgconfig are stop The cmd (run as root) sandbox /root/jdk/bin/java -version above cmd failed with /root/jdk/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
Digging, revealed that "libjli.so" is RPATH shared library. so i thought ok since sandbox is copying my bin/java to /tmp/sandbox_random therefore a hardcode path will not be found. Then i change the RPATH using "chrpath" utility and changed it to a hardcode value But still it showed the same error.
Then i used the -M -i option of sandbox and ran following command (i included all the .so file it complaint about): sandbox -M -i /root/jdk/lib/amd64/jli/libjli.so -i /root/jdk/jre/lib/amd64/libjava.so -i /root/jdk/jre/lib/amd64/jvm.cfg -i /root/jdk/jre/lib/amd64/server/libjvm.so -i /root/jdk/jre/lib/amd64/libverify.so -i /root/jdk/jre/lib/amd64/libzip.so /root/jdk/bin/java -version
Following command resulted in this error: Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory (0x00007fb039000000, 2555904, 1) failed; error='Permission denied' (errno=13) # # There is insufficient memory for the Java Runtime Environment to continue. # Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory. # An error report file with more information is saved as: # /root/hs_err_pid1270.log
Now i used the strace to see what happened and strace printed(small section) clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID| SIGCHLD, child_tidptr=0x7fb15b6359d0) = 8268 close(4) = 0 read(3, "", 1048576) = 0 close(3) = 0 wait4(8268, Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f4579000000, 2555904, 1) failed; error='Permission denied' (errno=13)
I have enough space for sure
Can you guys please indicate what might be wrong ?
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
selinux@lists.fedoraproject.org