SELinux blocks tomcat web application to load Java native library (JNI) from /tmp folder

I have CentOS 7 with Tomcat installed and a tomcat user:

ls -l /var/lib/tomcat
total 0
drwxrwxrwx. 5 root tomcat 84 Jul 3 13:18 webapps

SELinux is enforcing, and a Java web application that tries to load a Java native library (JNI) from shared object (.so) files in the /tmp/ folder cannot work:

java.lang.UnsatisfiedLinkError: /tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so:
/tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so: failed to map segment from shared object: Permission denied

If I disable SELinux, there is no problem loading these files in the Java web application. The permissions of this file are:

ls -lZ /tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so
-rwxrwxrwx. tomcat tomcat system_u:object_r:tomcat_tmp_t:s0 /tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so

How can I configure SELinux to allow the tomcat user to load these files from the /tmp/app/ folder?

I have tried this command and restarted Tomcat, but it still gives the same error:

sudo semanage fcontext -a -t tomcat_tmp_t '/tmp/app_*/(.*)?'

asked Jul 3 at 15:08
Bằng Rikimaru

  • Did you run this after? - restorecon -rv /tmp?
    – slm♦
    Jul 3 at 15:16

2 Answers

I think you forgot to run restorecon after defining the fcontext:

$ semanage fcontext -a -t tomcat_tmp_t "/tmp/app_*(/.*)?"
$ restorecon -rv /tmp

References

  • https://noobient.com/post/165972214381/selinux-woes-with-tomcat-on-centos-74

answered Jul 3 at 15:22
slm♦

  • I tried it and it doesn't work. sudo restorecon -rv /tmp/app/ gives: restorecon: Warning no default label for /tmp/app
    – Bằng Rikimaru
    Jul 3 at 15:31

  • @BằngRikimaru - is this CentOS 7?
    – slm♦
    Jul 3 at 15:36

  • Yes, and /tmp/app already has the permission 'system_u:object_r:tomcat_tmp_t'
    – Bằng Rikimaru
    Jul 3 at 15:39

  • @BằngRikimaru - which Tomcat, 7 or 8?
    – slm♦
    Jul 3 at 15:54

  • It is tomcat7, and the 'tomcat' user was created by the tomcat.noarch package
    – Bằng Rikimaru
    Jul 3 at 15:58

I used the audit2allow tool to allow tomcat to have multiple permissions (read, execute) on this /tmp/app folder.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow

cat /var/log/audit/audit.log | audit2allow -a

answered Jul 4 at 7:34
Bằng Rikimaru
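
An added worked example, written for this page rather than taken from the question or either answer. It covers two points the thread raises. The first answer's fix differs from the question's attempt only in where the optional group starts: the question's spec /tmp/app_*/(.*)? needs a slash after "app" and therefore never matches the directory /tmp/app itself, which is exactly the path restorecon reported as having no default label (the stock /tmp/.* entry in file_contexts is <<none>>, so nothing else labels it either), while the answer's /tmp/app_*(/.*)? covers the directory and everything below it; fcontext_matches below reproduces that comparison. The second answer's audit2allow -a works from AVC records, so avc_triage parses records of that format and separates the two causes a denial can have: the object carries a type it should not (a labelling problem, fixed with semanage fcontext and restorecon), or it carries the type policy intends and the domain simply has no rule for that access. The question's .so is already tomcat_tmp_t, so assigning tomcat_tmp_t again cannot change anything; what is missing is a rule letting tomcat_t map files of that type as executable (file execute, plus execmod if the library has text relocations), and turning the whole audit log into allow rules with audit2allow -a would grant exactly that, together with every unrelated denial on the host. The AVC records in the script are constructed samples in the layout ausearch --raw prints, the denied permission in the first record (execute) is assumed from the "failed to map segment" error, and the domain-prefix heuristic is an assumption; the script runs no SELinux tool.

```shell
#!/bin/sh
# Added example, not code from the question or either answer.
# Two offline checks for the situation on this page; no SELinux tool is run.
#
# 1. fcontext_matches: file-context specs are regular expressions that
#    libselinux anchors at both ends and matches against the whole path, so
#    a spec that needs a "/" after "app" never matches the directory /tmp/app.
# 2. avc_triage: reads AVC records (the input audit2allow works from) and
#    separates "object carries the wrong label" from "object carries the
#    label policy intends, the domain just has no rule for that access".
set -eu

# Returns 0 (true) if PATH matches SPEC the way matchpathcon/restorecon would.
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

QUESTION_SPEC='/tmp/app_*/(.*)?'   # from the question: misses /tmp/app itself
ANSWER_SPEC='/tmp/app_*(/.*)?'     # from the first answer: covers the directory too

# Constructed sample records in the format `ausearch -m AVC --raw` prints.
# Record 1 mirrors the question's failure (assumed permission: execute on a
# .so that already carries tomcat's own tmp type). Record 2 is a file someone
# dropped into /tmp/app with a user's tmp type, i.e. a real labelling problem.
SAMPLE_AVCS='type=AVC msg=audit(1530629599.101:812): avc:  denied  { execute } for  pid=2104 comm="java" path="/tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so" dev="dm-0" ino=1234 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:tomcat_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1530629599.102:813): avc:  denied  { read } for  pid=2104 comm="java" path="/tmp/app/config.xml" dev="dm-0" ino=1235 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0'

# Prints one verdict per AVC record read on stdin:
#   POLICY  <domain> <perm> <type> <path>  label is the intended one; a module
#                                         from audit2allow would widen the domain
#   RELABEL <path> <type>-><prefix>_tmp_t  fix with semanage fcontext + restorecon
# Heuristic (assumption): a target type starting with the domain's prefix
# ("tomcat_" for tomcat_t) is the type policy gives that domain's own files,
# and the domain's tmp type is named <prefix>_tmp_t.
avc_triage() {
    awk '
    /avc: *denied/ {
        perm = ""; path = "?"; sctx = ""; tctx = ""
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "path")          { gsub(/"/, "", v); path = v }
            else if (k == "scontext") { sctx = v }
            else if (k == "tcontext") { tctx = v }
        }
        split(sctx, s, ":"); split(tctx, t, ":")
        sdom = s[3]; ttype = t[3]
        prefix = sdom; sub(/_t$/, "", prefix)
        if (index(ttype, prefix "_") == 1) {
            printf "POLICY %s %s %s %s\n", sdom, perm, ttype, path
        } else {
            printf "RELABEL %s %s->%s_tmp_t\n", path, ttype, prefix
        }
    }'
}

# Runs the triage over the constructed sample above.
triage_sample() {
    printf '%s\n' "$SAMPLE_AVCS" | avc_triage
}

# Demo: the spec comparison explains the "no default label for /tmp/app" warning.
for spec in "$QUESTION_SPEC" "$ANSWER_SPEC"; do
    for p in /tmp/app /tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so; do
        if fcontext_matches "$spec" "$p"; then r=match; else r="no match"; fi
        printf '%-20s %-58s %s\n' "$spec" "$p" "$r"
    done
done
triage_sample
```

The lower-risk alternative to a local policy module is to keep native code out of /tmp altogether. Shared libraries the JVM already loads, such as its own under /usr/lib/jvm, are labelled lib_t, and Tomcat maps those with no extra policy, so install the GDAL .so files in a directory with that type (an assumed path: semanage fcontext -a -t lib_t '/opt/gdal/lib(/.*)?' followed by restorecon -Rv /opt/gdal/lib) and pass -Djava.library.path=/opt/gdal/lib through JAVA_OPTS. If a module really is needed, generate it from Tomcat's own denials only (ausearch -m AVC -c java --raw | audit2allow -M tomcat_jni), read the generated .te before semodule -i, and remember that an execute rule on tomcat_tmp_t re-opens code loading from a world-writable directory. Separately from SELinux, the listings in the question show both webapps and the .so as mode 777, so any local account can replace the library Tomcat maps; tighten those to 755 or stricter while relocating the files.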
