SELinux blocks tomcat web application to load Java native library (JNI) from /tmp folder
I have a CentOS 7 system with Tomcat installed and a tomcat user:

    ls -l /var/lib/tomcat
    total 0
    drwxrwxrwx. 5 root tomcat 84 Jul 3 13:18 webapps

SELinux is enforcing, and a Java web application which tries to load a Java native library (JNI) from shared object (.so) files in the /tmp/ folder cannot work:

    java.lang.UnsatisfiedLinkError: /tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so:
    /tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so: failed to map segment from shared object: Permission denied

If I disable SELinux, there is no problem loading these files in the Java web application. The permissions of this file are:

    ls -lZ /tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so
    -rwxrwxrwx. tomcat tomcat system_u:object_r:tomcat_tmp_t:s0 /tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so

How can I configure SELinux to allow the tomcat user to load these files from the /tmp/app/ folder?

I have tried this command and restarted tomcat, but it still has the same error:

    sudo semanage fcontext -a -t tomcat_tmp_t '/tmp/app_*/(.*)?'
Tags: linux centos security selinux tomcat
asked Jul 3 at 15:08 by Bằng Rikimaru
Comment: Did you run this after? restorecon -rv /tmp ? – slm♦ Jul 3 at 15:16
2 Answers
I think you forgot to run restorecon after defining the fcontext:

    $ semanage fcontext -a -t tomcat_tmp_t "/tmp/app_*(/.*)?"
    $ restorecon -rv /tmp

References
- https://noobient.com/post/165972214381/selinux-woes-with-tomcat-on-centos-74
Comments:
- I tried and it doesn't work. "sudo restorecon -rv /tmp/app/" gives: restorecon: Warning no default label for /tmp/app – Bằng Rikimaru Jul 3 at 15:31
- @BằngRikimaru - is this CentOS 7? – slm♦ Jul 3 at 15:36
- Yes, and /tmp/app already has the permission 'system_u:object_r:tomcat_tmp_t'. – Bằng Rikimaru Jul 3 at 15:39
- @BằngRikimaru - which tomcat, 7 or 8? – slm♦ Jul 3 at 15:54
- It is tomcat7, and the 'tomcat' user was created by the tomcat.noarch package. – Bằng Rikimaru Jul 3 at 15:58
answered Jul 3 at 15:22 by slm♦
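To see why restorecon reported no default label for /tmp/app, this added Python snippet (not from the answer or the thread) emulates how libselinux matches file-context specs: every spec is anchored at both ends, so it must match the whole path. The question's spec requires a slash after "app" and so misses the directory itself, while the answer's spec covers it; the path /tmp/app_v2/libfoo.so is constructed to show that "_*" is a regex quantifier, not a glob.

```python
import re

# Added example, not part of the answer: emulate the matching rule libselinux
# applies to file-context specs (semanage fcontext / restorecon). Each spec is
# compiled anchored at both ends, so it must match the whole path.
def spec_matches(spec: str, path: str) -> bool:
    return re.fullmatch(spec, path) is not None

# The two specs posted in this thread.
SPECS = {
    "question": r"/tmp/app_*/(.*)?",   # requires a '/' right after 'app'
    "answer":   r"/tmp/app_*(/.*)?",   # the '/...' tail is optional
}

# The directory restorecon warned about, the library from the error message,
# and one constructed sibling directory (not on the page). In a regex, 'app_*'
# means 'app' followed by zero or more underscores, so 'app_v2' matches neither.
PATHS = [
    "/tmp/app",
    "/tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so",
    "/tmp/app_v2/libfoo.so",
]

def coverage(spec: str) -> list:
    """Paths from PATHS that restorecon would relabel under this spec."""
    return [p for p in PATHS if spec_matches(spec, p)]

if __name__ == "__main__":
    for who, spec in SPECS.items():
        print(f"{who:8} {spec:20} -> {coverage(spec)}")
```

Note that the library in the question already carried tomcat_tmp_t according to its ls -lZ output, so relabelling it to the same type cannot change the outcome; the actual denial has to be read from the audit log.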
I used the audit2allow tool to allow tomcat to have multiple permissions (read, execute) on this /tmp/app folder.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow

    cat /var/log/audit/audit.log | audit2allow -a
answered Jul 4 at 7:34 by Bằng Rikimaru
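As an added illustration (not part of the answer), the script below parses AVC denial records in the format auditd writes and prints the allow rule audit2allow would derive from them, so the grant can be reviewed before a module is built from it. The audit lines are constructed: the tomcat_t source domain, the execute and execmod permissions, the pid and inode are assumptions modelled on the "failed to map segment" error in the question.

```python
import re
from collections import defaultdict

# Constructed AVC records (not from the question) in auditd's log format.
# Two denials for the same library, plus the SYSCALL record audit2allow ignores.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1530626400.101:4242): avc:  denied  { execute } for  pid=2105 comm="java" path="/tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so" dev="dm-0" ino=67891 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:tomcat_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1530626400.101:4242): arch=c000003e syscall=9 success=no exit=-13 comm="java" exe="/usr/lib/jvm/jre/bin/java" subj=system_u:system_r:tomcat_t:s0
type=AVC msg=audit(1530626400.102:4243): avc:  denied  { execmod } for  pid=2105 comm="java" path="/tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so" dev="dm-0" ino=67891 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:tomcat_tmp_t:s0 tclass=file permissive=0
"""

# Pull the denied permissions and the type fields of both contexts from an AVC record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)

def parse_avc_denials(log_text: str):
    """Yield (source_type, target_type, class, permission) per denied permission."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records carry no denial of their own
        for perm in m.group("perms").split():
            yield m.group("stype"), m.group("ttype"), m.group("tclass"), perm

def proposed_rules(log_text: str) -> list:
    """Group denials the way audit2allow does: one rule per (source, target, class)."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perm in parse_avc_denials(log_text):
        grouped[(stype, ttype, tclass)].add(perm)
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(grouped.items())
    ]

if __name__ == "__main__":
    for rule in proposed_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Read the generated rule before loading it: allowing tomcat_t to execute tomcat_tmp_t files lets the web application run any code placed in its /tmp scratch area, not just this one library.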