Security – SELinux blocks a Tomcat web application from loading a Java native library (JNI) – how to configure SELinux on CentOS 7


I have a CentOS 7 machine with Tomcat installed and a tomcat user:

ls -l /var/lib/tomcat
total 0
drwxrwxrwx. 5 root tomcat 84 Jul  3 13:18 webapps

SELinux is enforcing, and a Java web application which tries to load a Java native library (JNI) from shared object (.so) files in the /tmp/ folder cannot work:

 java.lang.UnsatisfiedLinkError: /tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so: 
/tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so: failed to map segment from shared object: Permission denied

If I disable SELinux, there is no problem loading these files in the Java web application. The permissions of this file are:

ls -lZ /tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so
-rwxrwxrwx. tomcat tomcat system_u:object_r:tomcat_tmp_t:s0 /tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so

How can I configure SELinux to allow the tomcat user to load these files from the /tmp/app/ folder?

I have tried this command and restarted Tomcat, but it still has the same error:

sudo semanage fcontext -a -t tomcat_tmp_t '/tmp/app_*/(.*)?'

Best Answer

I used the audit2allow tool from @jordanm's comment to allow tomcat to have multiple permissions (read, execute) on this /tmp/app folder.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow

cat /var/log/audit/audit.log | audit2allow -a
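The following shell script is an added example and is not code from the question or the accepted answer. It reads AVC denial records the way audit2allow does at its simplest, checks whether the fcontext pattern from the question actually covers the library path, and prints the two remediation routes: relabelling the library into a directory outside /tmp, and the accepted answer's local policy module. The AVC line is constructed for the example; the tomcat_t domain, the "execute" file permission on the mmap, lib_t as a type tomcat_t may map executable, and the /opt/tomcat-native directory are assumptions to verify on the host with sesearch before relying on them.

```shell
#!/bin/sh
# Added example, not code from the question or the accepted answer.
# Assumptions: Tomcat runs in the tomcat_t domain, the denial is the mmap(PROT_EXEC)
# "file execute" check, lib_t is a type tomcat_t may map executable, and
# /opt/tomcat-native is the directory chosen to hold the library instead of /tmp.

# Constructed AVC record in the shape auditd logs for the denial on the page
# (pid, inode and timestamp are made up).
SAMPLE_AVC='type=AVC msg=audit(1530626000.123:456): avc:  denied  { execute } for  pid=1234 comm="java" path="/tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so" dev="dm-0" ino=99 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:tomcat_tmp_t:s0 tclass=file permissive=0'

# Reduce AVC lines on stdin to one "scontext tcontext tclass permission" line each,
# which is the information a policy decision needs (a minimal audit2allow-style view).
summarize_avc() {
  grep 'avc:  denied' \
    | sed -E 's/.*denied  \{ ([^}]+) \}.*scontext=([^ ]+) tcontext=([^ ]+) tclass=([^ ]+).*/\2 \3 \4 \1/' \
    | sort -u
}

# Check whether a semanage fcontext regex covers a path (file_contexts regexes are
# anchored at both ends). The pattern from the question does match /tmp/app/..., so
# the rule changed nothing: the file already carried tomcat_tmp_t, and that is the
# type tomcat_t is not allowed to map executable.
fcontext_matches() {
  printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# Print the commands that keep the library outside /tmp and label it mappable.
# Check the target type first: sesearch -A -s tomcat_t -t lib_t -c file -p execute
relabel_commands() {
  dir=$1
  type=${2:-lib_t}
  printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$type" "$dir"
  printf 'restorecon -Rv %s\n' "$dir"
}

# Print the commands for the accepted answer's route, a local policy module built with
# audit2allow. Read the generated .te before loading it: an allow rule for tomcat_t on
# tomcat_tmp_t lets the web application map executable anything it writes under /tmp.
policy_module_commands() {
  name=${1:-tomcat_jni_local}
  printf 'ausearch -m AVC -c java --raw | audit2allow -M %s\n' "$name"
  printf 'cat %s.te\n' "$name"
  printf 'semodule -i %s.pp\n' "$name"
}

# Demonstration on the constructed record.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
fcontext_matches '/tmp/app_*/(.*)?' '/tmp/app/gdal_java/2018.07.03.14.52.59/libosrjni.so' \
  && echo "question's fcontext pattern matches the path"
relabel_commands /opt/tomcat-native
policy_module_commands
```

Feed real records with `ausearch -m AVC -c java --raw | summarize_avc` to see which type and permission are being refused before choosing a route. Relabelling a dedicated directory is the narrower change, because it grants nothing on /tmp; the audit2allow module is the broader one and should be reviewed line by line before `semodule -i`.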