
I have a CentOS 7 system with Tomcat installed and a tomcat user:

ls -l /var/lib/tomcat
total 0
drwxrwxrwx. 5 root tomcat 84 Jul 3 13:18 webapps

SELinux is enforcing, and a Java web application that tries to load a Java native library (JNI) from shared-object (.so) files in the /tmp/ folder cannot work:

 java.lang.UnsatisfiedLinkError: /tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so: /tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so: failed to map segment from shared object: Permission denied 

If I disable SELinux, there is no problem loading these files in the Java web application. The permissions of this file are:

ls -lZ /tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so
-rwxrwxrwx. tomcat tomcat system_u:object_r:tomcat_tmp_t:s0 /tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so

How can I configure SELinux to allow the tomcat user to load these files from the /tmp/app/ folder?

I have tried this command and restarted Tomcat, but it still has the same error:

sudo semanage fcontext -a -t tomcat_tmp_t '/tmp/app_*/(.*)?' 
Comment: Look in /var/log/audit.log for the deny message and use audit2allow to generate an updated policy. Commented Jul 3, 2018 at 15:23

1 Answer

I used the audit2allow tool from @jordanm's comment to allow tomcat to have multiple permissions (read, execute) on this /tmp/app folder.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow

cat /var/log/audit/audit.log | audit2allow -a 
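Added example, not the asker's or answerer's own commands: a small POSIX shell helper that summarises AVC denials into (source type, target type, class, permission) tuples and the allow statement they imply, so you can review what audit2allow would grant before installing a module. The audit lines are constructed to resemble the denial in the question (the file is already labelled tomcat_tmp_t, so the missing piece is a permission for the tomcat_t domain on that type, not a relabel); the pid, inode and exact permissions are illustrative.

```shell
#!/bin/sh
# Added example (not the question's or answer's own commands): summarise SELinux
# AVC denials into the tuples an allow rule would grant, for review before running
# audit2allow -M / semodule -i.

# Constructed sample audit records resembling the denial in the question; the
# pid, inode, timestamps and exact permissions are illustrative, not real data.
SAMPLE_AVC='type=AVC msg=audit(1530629579.123:4567): avc:  denied  { execute } for  pid=2345 comm="java" path="/tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so" dev="dm-0" ino=1234 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:tomcat_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1530629579.123:4567): arch=c000003e syscall=9 success=no exit=-13 comm="java" subj=system_u:system_r:tomcat_t:s0
type=AVC msg=audit(1530629580.456:4568): avc:  denied  { execmod } for  pid=2345 comm="java" path="/tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so" dev="dm-0" ino=1234 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:tomcat_tmp_t:s0 tclass=file permissive=0'

# avc_summary [file]: read audit text (stdin by default) and print one line per
# distinct "source_type target_type class permission(s)", e.g.
#   tomcat_t tomcat_tmp_t file execute
avc_summary() {
    grep 'avc:  denied' "${1:--}" | sed -n \
        's/.*denied  { \([a-z_ ]*\) }.*scontext=[^:]*:[^:]*:\([a-z_]*\):.*tcontext=[^:]*:[^:]*:\([a-z_]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' \
        | sort -u
}

# allow_rules: turn summary lines into policy-language allow statements, one per
# (source, target, class), so the reviewer sees exactly what would be granted.
allow_rules() {
    awk '{ key = $1 " " $2 ":" $3
           for (i = 4; i <= NF; i++) perms[key] = perms[key] " " $i }
         END { for (k in perms) printf "allow %s {%s };\n", k, perms[k] }' | sort
}

# Helpers that run the pipeline over the constructed sample.
sample_summary() { printf '%s\n' "$SAMPLE_AVC" | avc_summary; }
sample_rules()   { sample_summary | allow_rules; }

# Stand-alone run: print the summary and the implied rule for the sample.
sample_summary
sample_rules
```

On the real system, feed the output of `ausearch -m avc -c java` (or the audit log itself) into avc_summary; the same lines go to `audit2allow -M tomcat_jni` followed by `semodule -i tomcat_jni.pp`, and the narrower the input, the narrower the resulting module.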
