RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2068609 - SELinux blocks the execution of ibm-semeru-open-17-jdk and ibm-semeru-open-11-jdk java verisons
Summary: SELinux blocks the execution of ibm-semeru-open-17-jdk and ibm-semeru-open-11...
Keywords:
Status: CLOSED DUPLICATE of bug 2064274
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.0
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Zdenek Pytela
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-03-25 19:20 UTC by Tiago Bueno
Modified: 2022-07-07 09:51 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-28 06:47:49 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-116871 0 None None None 2022-03-25 19:22:21 UTC

Description Tiago Bueno 2022-03-25 19:20:51 UTC 
Description of problem:
Not able to run ibm-semeru-open-17-jdk java on most recent rhel 9. 
SELinux is blocking the execution of ibm-semeru-open-17-jdk java

NOTE: The same happens with ibm-semeru-open-11-jdk

Version-Release number of selected component (if applicable):
selinux-policy-34.1.27-1.el9.noarch
selinux-policy-targeted-34.1.27-1.el9.noarch


How reproducible:


Steps to Reproduce:
1. install rpm package: dnf install -y https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.2%2B8_openj9-0.30.0/ibm-semeru-open-17-jdk-17.0.2.8_0.30.0-1.x86_64.rpm
2.run: /usr/lib/jvm/ibm-semeru-open-17-jdk/bin/java -version


Actual results:
/usr/lib/jvm/ibm-semeru-open-17-jdk/bin/java -version
libjvm.so preloadLibrary(/usr/lib/jvm/ibm-semeru-open-17-jdk/lib/default/libj9vm29.so): /usr/lib/jvm/ibm-semeru-open-17-jdk/lib/default/libj9vm29.so: cannot enable executable stack as shared object requires: Permission denied
libjvm.so failed to load: j9vm29

Expected results:
/usr/lib/jvm/ibm-semeru-open-17-jdk/bin/java -version
openjdk version "17.0.2" 2022-01-18
IBM Semeru Runtime Open Edition 17.0.2.0 (build 17.0.2+8)
Eclipse OpenJ9 VM 17.0.2.0 (build openj9-0.30.0, JRE 17 Linux amd64-64-Bit Compressed References 20220128_115 (JIT enabled, AOT enabled)
OpenJ9   - 9dccbe076
OMR      - dac962a28
JCL      - 64cd399ca28 based on jdk-17.0.2+8)

Additional info:
By downgrading the selinux-policy and selinux-policy-targeted from version 34.1.27-1 to version 34.1.22-1 the issue do not occur.

SELinux logs from /var/log/message
Mar 25 20:07:28 localhost setroubleshoot[4533]: SELinux is preventing /opt/adopt_j9-java-11/bin/java from using the execstack access on a process. For complete SELinux messages run: sealert -l d02c252a-5f90-449a-a24b-d9cca0471bfe
Mar 25 20:07:28 localhost setroubleshoot[4533]: SELinux is preventing /opt/adopt_j9-java-11/bin/java from using the execstack access on a process.#012#012*****  Plugin restorecon_source (84.5 confidence) suggests   *****************#012#012If you want to fix the label. #012/opt/adopt_j9-java-11/bin/java default label should be bin_t.#012Then you can run restorecon.#012Do#012# /sbin/restorecon -v /opt/adopt_j9-java-11/bin/java#012#012*****  Plugin allow_execstack (8.90 confidence) suggests   *******************#012#012If you believe that #012None#012should not require execstack#012Then you should clear the execstack flag and see if /opt/adopt_j9-java-11/bin/java works correctly.#012Report this as a bug on None.#012You can clear the exestack flag by executing:#012Do#012execstack -c None#012#012*****  Plugin catchall_boolean (7.22 confidence) suggests   ******************#012#012If you want to allow selinuxuser to execstack#012Then you must tell SELinux about this by enabling the 'selinuxuser_execstack' boolean.#012#012Do#012setsebool -P selinuxuser_execstack 1#012#012*****  Plugin catchall (1.34 confidence) suggests   **************************#012#012If you believe that java should be allowed execstack access on processes labeled unconfined_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'java' --raw | audit2allow -M my-java#012# semodule -X 300 -i my-java.pp#012
Comment 1 Zdenek Pytela 2022-03-28 06:47:49 UTC 
The AVC denial is missing, but symptoms looks like a previously reported bz which is now fixed.

*** This bug has been marked as a duplicate of bug 2064274 ***
Note You need to log in before you can comment on or make changes to this bug.