SELinx issue on Rocky with running Temurin from systemd service

[william00179]

Please provide a brief summary of the bug

Following the installation instructions for Temurin here java is installed onto a Rocky 8 VM (official Rocky AMI on AWS).

If I take any JAR and run it from my current SSH session ie, java -jar myspringapp.jar the application will run.

If I try to create a systemd service to run this JAR as a service, the service will fail to start with a cryptic error pointing to an issue with memory.

Error occurred during initialization of VM
Failed to mark memory page as executable - check if grsecurity/PaX is enabled

Looking at SELinux alerts, we can see

type=PROCTITLE msg=audit(1668052345.560:140): proctitle=2F7573722F62696E2F6A617661002D6A617200676174657761792E6A6172
type=SYSCALL msg=audit(1668052345.560:140): arch=c00000b7 syscall=226 success=no exit=-13 a0=ffffab5e0000 a1=10000 a2=6 a3=22 items=0 ppid=1 pid=4685 auid=4294967295 uid=990 gid=987 euid=990 suid=990 fsuid=990 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/temurin-18-jdk/bin/java" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1668052345.560:140): avc:  denied  { execmem } for  pid=4685 comm="java" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0

I suspect that the location temurin is being installed to is outside of the default locations allowed by SELinux with systemd.

Other java builds installed from default Rocky repos work correctly and do not have this issue.

Please provide steps to reproduce where possible

No response

Expected Results

The service should start normally.

Actual Results

The service fails to start with

Error occurred during initialization of VM
Failed to mark memory page as executable - check if grsecurity/PaX is enabled

What Java Version are you using?

openjdk 18.0.2.1 2022-08-18 OpenJDK Runtime Environment Temurin-18.0.2.1+1 (build 18.0.2.1+1) OpenJDK 64-Bit Server VM Temurin-18.0.2.1+1 (build 18.0.2.1+1, mixed mode)

What is your operating system and platform?

Rocky 8 on ARM64

How did you install Java?

Packages via instructions on https://adoptium.net/installation/linux/

Did it work before?

No response

Did you test with other Java versions?

Yes also tried with other Temurin java versions and had the same result.

Relevant log output

No response

[karianna]

@william00179

FYI - 18.0.2 is no longer supported so you'll want to move to 19.0.1

https://stackoverflow.com/questions/27262629/jvm-cant-map-reserved-memory-when-running-in-docker-container/27300434#27300434 may also help

[github-actions]

We are marking this issue as stale because it has not been updated for a while. This is just a way to keep the support issues queue manageable.
It will be closed soon unless the stale label is removed by a committer, or a new comment is made.

[gnu-andrew]

This issue should be solved by Temurin using a directory in the standard form of java-<version>-<vendor> which will then match the existing SELinux policy rule:

/usr/lib/jvm/java(.*/)bin(/.*)?	--	gen_context(system_u:object_r:java_exec_t,s0)

Once the Java binaries have the java_exec_t context, they will have permission to use executable stack.

[smlambert]

related: adoptium/installer#1008