Bug 2068609

Summary: SELinux blocks the execution of ibm-semeru-open-17-jdk and ibm-semeru-open-11-jdk java versions
Product: Red Hat Enterprise Linux 9
Reporter: Tiago Bueno <tbueno>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 9.0
CC: jdanek, lvrabec, mmalik, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: No Doc Update
Last Closed: 2022-03-28 06:47:49 UTC
Type: Bug

Description Tiago Bueno 2022-03-25 19:20:51 UTC
Description of problem:
Not able to run ibm-semeru-open-17-jdk java on most recent rhel 9. 
SELinux is blocking the execution of ibm-semeru-open-17-jdk java

NOTE: The same happens with ibm-semeru-open-11-jdk

Version-Release number of selected component (if applicable):
selinux-policy-34.1.27-1.el9.noarch
selinux-policy-targeted-34.1.27-1.el9.noarch


How reproducible:


Steps to Reproduce:
1. install rpm package: dnf install -y https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.2%2B8_openj9-0.30.0/ibm-semeru-open-17-jdk-17.0.2.8_0.30.0-1.x86_64.rpm
2. run: /usr/lib/jvm/ibm-semeru-open-17-jdk/bin/java -version


Actual results:
/usr/lib/jvm/ibm-semeru-open-17-jdk/bin/java -version
libjvm.so preloadLibrary(/usr/lib/jvm/ibm-semeru-open-17-jdk/lib/default/libj9vm29.so): /usr/lib/jvm/ibm-semeru-open-17-jdk/lib/default/libj9vm29.so: cannot enable executable stack as shared object requires: Permission denied
libjvm.so failed to load: j9vm29

Expected results:
/usr/lib/jvm/ibm-semeru-open-17-jdk/bin/java -version
openjdk version "17.0.2" 2022-01-18
IBM Semeru Runtime Open Edition 17.0.2.0 (build 17.0.2+8)
Eclipse OpenJ9 VM 17.0.2.0 (build openj9-0.30.0, JRE 17 Linux amd64-64-Bit Compressed References 20220128_115 (JIT enabled, AOT enabled)
OpenJ9   - 9dccbe076
OMR      - dac962a28
JCL      - 64cd399ca28 based on jdk-17.0.2+8)

Additional info:
By downgrading the selinux-policy and selinux-policy-targeted from version 34.1.27-1 to version 34.1.22-1 the issue does not occur.

SELinux logs from /var/log/message
Mar 25 20:07:28 localhost setroubleshoot[4533]: SELinux is preventing /opt/adopt_j9-java-11/bin/java from using the execstack access on a process. For complete SELinux messages run: sealert -l d02c252a-5f90-449a-a24b-d9cca0471bfe
Mar 25 20:07:28 localhost setroubleshoot[4533]: SELinux is preventing /opt/adopt_j9-java-11/bin/java from using the execstack access on a process.#012#012*****  Plugin restorecon_source (84.5 confidence) suggests   *****************#012#012If you want to fix the label. #012/opt/adopt_j9-java-11/bin/java default label should be bin_t.#012Then you can run restorecon.#012Do#012# /sbin/restorecon -v /opt/adopt_j9-java-11/bin/java#012#012*****  Plugin allow_execstack (8.90 confidence) suggests   *******************#012#012If you believe that #012None#012should not require execstack#012Then you should clear the execstack flag and see if /opt/adopt_j9-java-11/bin/java works correctly.#012Report this as a bug on None.#012You can clear the exestack flag by executing:#012Do#012execstack -c None#012#012*****  Plugin catchall_boolean (7.22 confidence) suggests   ******************#012#012If you want to allow selinuxuser to execstack#012Then you must tell SELinux about this by enabling the 'selinuxuser_execstack' boolean.#012#012Do#012setsebool -P selinuxuser_execstack 1#012#012*****  Plugin catchall (1.34 confidence) suggests   **************************#012#012If you believe that java should be allowed execstack access on processes labeled unconfined_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'java' --raw | audit2allow -M my-java#012# semodule -X 300 -i my-java.pp#012
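
The loader error above ("cannot enable executable stack as shared object requires") concerns the stack permissions a shared object requests, which an ELF file records in its PT_GNU_STACK program header. The following is an added example, not part of the original report: a Python check of that header for 64-bit little-endian ELF files. The names gnu_stack_executable and build_sample are hypothetical, and the sample images are constructed.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack permissions
PF_X = 0x1                 # "executable" bit in p_flags

def gnu_stack_executable(data: bytes):
    """Return True/False for an executable/non-executable PT_GNU_STACK marker,
    or None when the object has no marker (the loader's default then applies)."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    e_phoff, = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            raise ValueError("truncated program header table")
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None

def build_sample(stack_flags):
    """Constructed minimal ELF64 image (ELF header + program headers only).
    stack_flags=None omits the PT_GNU_STACK entry entirely."""
    phdrs = [(1, 5)]  # one PT_LOAD entry, flags R+X
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                           for t, f in phdrs)

if __name__ == "__main__":
    import sys
    # Usage: pass one or more shared objects or binaries as arguments.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, gnu_stack_executable(fh.read()))
```

A result of True for a library means the object itself requests an executable stack, so the denial follows from how the library was built and not from the file label.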

Comment 1 Zdenek Pytela 2022-03-28 06:47:49 UTC
The AVC denial is missing, but symptoms look like a previously reported bz which is now fixed.

*** This bug has been marked as a duplicate of bug 2064274 ***