
Short version: What is the most secure way to allow Java 7 to run on (with?) SELinux?

Long version:

Sorry in advance if I use incorrect terminology. I'm really just a Java developer with a meager smattering of Linux skills.

I just installed Java 7 on CentOS release 5.3 (Final), which apparently has Security Enhanced Linux. After the install was complete (which I "installed" by unzipping the tar.gz file from Oracle in /usr/java/jdk/jdk1.7.0_25), I ran java -version and got this error:

    Error: dl failure on line 864
    Error: failed /usr/java/jdk1.7.0_25/jre/lib/i386/server/libjvm.so,
          because /usr/java/jdk1.7.0_25/jre/lib/i386/server/libjvm.so:
          cannot restore segment prot after reloc: Permission denied

I found a few articles stating this can be due to SELinux and to try setenforce 0 and see if the problem goes away. I ran that command and Java worked. But these same articles say that leaving setenforce 0 on an Internet connected host is dangerous, and my host is connected to the Internet.

There are other articles that suggest this next approach, but also say it can be dangerous, so I haven't tried it yet.

    chcon -t textrel_shlib_t /usr/jre1.7.0_10/lib/i386/client/libjvm.so

...in the above command the path at the end of the command is replaced with the path of my JDK.

What I can't find is something "official" (which can mean many things) on how to run Java 7 on (with?) SELinux safely. Does anyone have any information for me?

Edit: I discovered an article that referred to editing /etc/selinux/config. I have set as shown in the sample below. This allows Java to run but I assume I now have some security holes.

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - SELinux is fully disabled.
    SELINUX=permissive
    # SELINUXTYPE= type of policy in use. Possible values are:
    #       targeted - Only targeted network daemons are protected.
    #       strict - Full SELinux protection.
    SELINUXTYPE=targeted

1 Answer

  1. Clean up the current installation

  2. Download the RPM file (http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html)

    yum -y localinstall /path/to/downloaded-java.rpm
    

The rest will be taken care of.

user44441
  • Thanks. Can you elaborate on "Clean up the current installation"? Do you mean remove what I installed? – John Fitzpatrick Aug 06 '13 at 20:34
  • Yes, that's right! Remove your current Oracle Java installation. Please follow "Self-extracting file uninstall" http://www.java.com/en/download/help/linux_uninstall.xml#self – user44441 Aug 07 '13 at 11:21
  • Why is this the solution? – Lightness Races in Orbit Oct 28 '15 at 19:05
  • If @LightnessRacesinOrbit doesn't know why this is the proper solution, please read up on [What SELinux is](http://selinuxproject.org/page/Main_Page). Basically the RPM script sets the proper permissions, ACLs, etc. – eyoung100 Oct 29 '15 at 22:37
  • @eyoung100: No, my point is that this answer does not explain anything. It should explain _why_ removing and replacing the installation should resolve the problem, as well as giving the steps to do so. Also I ask because I installed from RPM but still got the problem. – Lightness Races in Orbit Oct 29 '15 at 23:43
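
Added example, not part of the question, answer or comments above: instead of `setenforce 0` or `SELINUX=permissive`, SELinux can stay enforcing while only the denied library is relabeled. Assuming the error in the question corresponds to an `execmod` AVC denial in the audit log, this script reads audit records and prints (does not run) the persistent `semanage`/`restorecon` form of the `chcon` command quoted in the question. The sample records and the function names `execmod_paths` and `label_plan` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit records (illustrative, not taken from the page).
SAMPLE_AUDIT='type=AVC msg=audit(1375821234.123:456): avc:  denied  { execmod } for  pid=1234 comm="java" path="/usr/java/jdk1.7.0_25/jre/lib/i386/server/libjvm.so" dev=dm-0 ino=123456 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1375821234.200:457): avc:  denied  { read } for  pid=1300 comm="httpd" path="/var/www/secret" dev=dm-0 ino=77 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1375821240.001:460): avc:  denied  { execmod } for  pid=1240 comm="java" path="/usr/java/jdk1.7.0_25/jre/lib/i386/server/libjvm.so" dev=dm-0 ino=123456 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file'

# Read audit records on stdin; print each distinct file path that was
# denied execmod (the permission needed to apply text relocations).
execmod_paths() {
    grep -E 'denied +\{[^}]*execmod[^}]*\}' |
        sed -n 's/.* path="\([^"]*\)".*/\1/p' |
        sort -u
}

# Turn those paths into a reviewable plan. Nothing is executed here.
# Only absolute shared-library paths made of ordinary characters are
# accepted, because the paths come from log data.
label_plan() {
    execmod_paths | while IFS= read -r p; do
        case "$p" in
            /*[!A-Za-z0-9_./+-]*)
                printf '# skipped (unexpected characters), review by hand\n' ;;
            /*.so|/*.so.*[0-9])
                # semanage takes a regular expression: escape . and + so
                # the rule matches this one file and nothing else.
                spec=$(printf '%s' "$p" | sed 's/[.+]/\\&/g')
                printf "semanage fcontext -a -t textrel_shlib_t '%s'\n" "$spec"
                printf "restorecon -v '%s'\n" "$p" ;;
            *)
                printf '# skipped (not a shared library): %s\n' "$p" ;;
        esac
    done
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | label_plan
```

On a real host the input would be the audit log (for example `label_plan < /var/log/audit/audit.log`, assuming auditd writes there), and the printed commands are reviewed before being run as root.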