CentOS Java application error with SELinux


I have a CentOS box hosting a Drupal 7 site. I've attempted to run a Java application called Tika on it, to index files using Apache Solr search.

I keep running into an issue only when SELinux is enabled:

extract using tika: OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f1ed9000000, 2555904, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /tmp/jvm-2356/hs_error.log

This does not happen if I disable SELinux. If I run the command from SSH, it works fine -- but not in the browser. This is the command it is running:

java '-Dfile.encoding=UTF8' -cp '/var/www/drupal/sites/all/modules/contrib/apachesolr_attachments/tika' -jar '/var/www/drupal/sites/all/modules/contrib/apachesolr_attachments/tika/tika-app-1.11.jar' -t '/var/www/drupal/sites/all/modules/contrib/apachesolr_attachments/tests/test-tika.pdf'

Here is the log from SELinux at /var/log/audit/audit.log:

type=AVC msg=audit(1454636072.494:3351): avc:  denied  { execmem } for  pid=11285 comm="java" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1454636072.494:3351): arch=c000003e syscall=9 success=no exit=-13 a0=7fdfe5000000 a1=270000 a2=7 a3=32 items=0 ppid=2377 pid=11285 auid=506 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.95.x86_64/jre/bin/java" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Is there a way I can run this with SELinux enabled? I do not know the policy name of Tika (or should I use Java?) so I'm unsure where to go from here...

This worked for me... I have tika at /var/apache-tika/tika-app-1.14.jar

setsebool -P httpd_execmem 1
chcon -t httpd_exec_t /var/apache-tika/tika-app-1.14.jar

Using the sealert tools (https://wiki.centos.org/HowTos/SELinux) helped track down the correct SELinux type.

All of your context messages reference httpd_t, so I would run

/usr/sbin/getsebool -a | grep httpd

And experiment with enabling properties that show as off. It's been a while since I ran a database-backed website (Drupal, WordPress, etc.) on CentOS, but as I recall, these two were required to be enabled:

httpd_can_network_connect
httpd_can_network_connect_db

To enable a property with persistence, run

setsebool -P httpd_can_network_connect on

etc.

The booleans you're looking for are:

httpd_execmem

httpd_read_user_content

How to find:

audit2why -i /var/log/audit/audit.log will tell you this.

Part of package: policycoreutils-python-utils
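
The audit.log record from the question, triaged in code: an added example, not part of any post above and not a replacement for audit2why. It parses AVC denials and groups them by source type, class and permission; the function names and the `BOOLEAN_HINTS` table are hypothetical, and the table holds only the mapping this page establishes.

```python
import re
from collections import Counter

# Sample input: the AVC record quoted in the question, plus an abridged SYSCALL record.
SAMPLE_LOG = '''type=AVC msg=audit(1454636072.494:3351): avc:  denied  { execmem } for  pid=11285 comm="java" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1454636072.494:3351): arch=c000003e syscall=9 success=no exit=-13 comm="java"
'''

# Assumption: hint table limited to the (type, class, permission) -> boolean
# pairing named on this page; extend it only from audit2why output.
BOOLEAN_HINTS = {("httpd_t", "process", "execmem"): "httpd_execmem"}

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one audit.log line; return None unless it is an AVC denial."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),  # one record can deny several permissions
        "comm": fields.get("comm", "?"),
        "source_type": selinux_type(fields.get("scontext", "")),
        "tclass": fields.get("tclass", "?"),
    }

def summarize(log_text):
    """Count denials per (source type, class, permission, command)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["source_type"], rec["tclass"], perm, rec["comm"])] += 1
    return [
        {"source_type": s, "tclass": c, "perm": p, "comm": comm, "count": n,
         "boolean_hint": BOOLEAN_HINTS.get((s, c, p))}
        for (s, c, p, comm), n in sorted(counts.items())
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A boolean such as httpd_execmem applies to every process running as httpd_t, not only to the java child, so confirm the hint with audit2why before running setsebool -P.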
