[DSE-Dev] Bug#758083: selinux-policy-default: Installing openjdk-7-jre-headless fails with 'Native memory allocation (malloc) failed' if enforcing

Andreas Florath andre at flonatel.org
Thu Aug 14 06:20:28 UTC 2014


Package: selinux-policy-default
Version: 2:2.20140421-4
Severity: normal

Dear Maintainer,

installing openjdk fails if enforcing:

root@debselinux01:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29
root@debselinux01:~# se_apt-get install openjdk-7-jre-headless
[...]
Setting up openjdk-7-jre-headless:amd64 (7u65-2.5.1-4) ...
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/rmid to provide /usr/bin/rmid (rmid) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java to provide /usr/bin/java (java) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/keytool to provide /usr/bin/keytool (keytool) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/pack200 to provide /usr/bin/pack200 (pack200) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/rmiregistry to provide /usr/bin/rmiregistry (rmiregistry) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/unpack200 to provide /usr/bin/unpack200 (unpack200) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/orbd to provide /usr/bin/orbd (orbd) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/servertool to provide /usr/bin/servertool (servertool) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/tnameserv to provide /usr/bin/tnameserv (tnameserv) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/jexec to provide /usr/bin/jexec (jexec) in auto mode
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f9d407c8000, 2555904, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
# An error report file with more information is saved as:
# //hs_err_pid2638.log
ignoring dump failure
Setting up icedtea-7-jre-jamvm:amd64 (7u65-2.5.1-4) ...
Setting up ca-certificates-java (20140324) ...
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fe689000000, 2555904, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
# An error report file with more information is saved as:
# //hs_err_pid2657.log
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f325d000000, 2555904, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
# An error report file with more information is saved as:
# //hs_err_pid2661.log
done.
Processing triggers for libc-bin (2.19-7) ...
Processing triggers for ca-certificates (20140325) ...
Updating certificates in /etc/ssl/certs... 168 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fb560beb000, 2555904, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /etc/ssl/certs/hs_err_pid4218.log
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
done.

The following AVCs are logged:

type=AVC msg=audit(1407996485.840:107): avc:  denied  { execmem } for  pid=2639 comm="java" scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:system_r:dpkg_script_t:s0 tclass=process
type=SYSCALL msg=audit(1407996485.840:107): arch=c000003e syscall=9 success=no exit=-13 a0=7f9d407c8000 a1=270000 a2=7 a3=32 items=0 ppid=2622 pid=2639 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="java" exe="/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java" subj=system_u:system_r:dpkg_script_t:s0 key=(null)
type=AVC msg=audit(1407996485.940:108): avc:  denied  { execmem } for  pid=2658 comm="java" scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:system_r:dpkg_script_t:s0 tclass=process
type=SYSCALL msg=audit(1407996485.940:108): arch=c000003e syscall=9 success=no exit=-13 a0=7fe689000000 a1=270000 a2=7 a3=32 items=0 ppid=2643 pid=2658 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="java" exe="/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java" subj=system_u:system_r:dpkg_script_t:s0 key=(null)
type=AVC msg=audit(1407996485.948:109): avc:  denied  { execmem } for  pid=2662 comm="java" scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:system_r:dpkg_script_t:s0 tclass=process
type=SYSCALL msg=audit(1407996485.948:109): arch=c000003e syscall=9 success=no exit=-13 a0=7f325d000000 a1=270000 a2=7 a3=32 items=0 ppid=2643 pid=2662 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="java" exe="/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java" subj=system_u:system_r:dpkg_script_t:s0 key=(null)
type=AVC msg=audit(1407996487.380:110): avc:  denied  { execmem } for  pid=4219 comm="java" scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:system_r:dpkg_script_t:s0 tclass=process
type=SYSCALL msg=audit(1407996487.380:110): arch=c000003e syscall=9 success=no exit=-13 a0=7fb560beb000 a1=270000 a2=7 a3=32 items=0 ppid=4200 pid=4219 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="java" exe="/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java" subj=system_u:system_r:dpkg_script_t:s0 key=(null)

Kind regards

Andre


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3
ii  libselinux1      2.3-1
ii  libsepol1        2.3-1
ii  policycoreutils  2.3-1
ii  python           2.7.8-1
ii  selinux-utils    2.3-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
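
An added example (not part of the original report, and not code from the policy or the JVM): it pairs each AVC with its SYSCALL record by event serial and decodes the mmap arguments, showing that the denied call is an anonymous read/write/execute mapping of the same address and 2555904 bytes that the JVM warning names. The function names are this example's own; the sample lines are copied from the report above.

```python
import re

# Sample input copied from the report above: one AVC/SYSCALL pair and the JVM warning.
AUDIT = """type=AVC msg=audit(1407996485.840:107): avc:  denied  { execmem } for  pid=2639 comm="java" scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:system_r:dpkg_script_t:s0 tclass=process
type=SYSCALL msg=audit(1407996485.840:107): arch=c000003e syscall=9 success=no exit=-13 a0=7f9d407c8000 a1=270000 a2=7 a3=32 items=0 ppid=2622 pid=2639 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="java" exe="/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java" subj=system_u:system_r:dpkg_script_t:s0 key=(null)"""
JVM = "OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f9d407c8000, 2555904, 1) failed; error='Permission denied' (errno=13)"

def prot_flags(v):
    return [n for b, n in ((1, "PROT_READ"), (2, "PROT_WRITE"), (4, "PROT_EXEC")) if v & b]

def mmap_flags(v):
    kind = {1: "MAP_SHARED", 2: "MAP_PRIVATE"}.get(v & 0x0F, "MAP_TYPE?")
    return [kind] + [n for b, n in ((0x10, "MAP_FIXED"), (0x20, "MAP_ANONYMOUS")) if v & b]

def parse_records(text):
    """Group audit records by event serial (the number after ':' in msg=audit(...))."""
    events = {}
    for line in text.splitlines():
        m = re.search(r"type=(\w+) msg=audit\([\d.]+:(\d+)\)", line)
        if not m:
            continue
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        perms = re.search(r"denied\s+\{ ([^}]+) \}", line)
        if perms:
            fields["perms"] = perms.group(1).split()
        events.setdefault(m.group(2), {})[m.group(1)] = fields
    return events

def explain_execmem(audit_text, jvm_line):
    """Decode each execmem denial's mmap call and compare it with the JVM warning."""
    jvm = re.search(r"commit_memory\(0x([0-9a-f]+), (\d+),", jvm_line)
    wanted = (int(jvm.group(1), 16), int(jvm.group(2))) if jvm else None
    out = []
    for serial, ev in parse_records(audit_text).items():
        avc, sc = ev.get("AVC", {}), ev.get("SYSCALL", {})
        if "execmem" not in avc.get("perms", []):
            continue
        # arch=c000003e is x86_64, where syscall 9 is mmap(addr, len, prot, flags, ...).
        if (sc.get("arch"), sc.get("syscall")) != ("c000003e", "9"):
            continue
        # The audit subsystem logs a0..a3 in hexadecimal.
        addr, length, prot, flags = (int(sc[k], 16) for k in ("a0", "a1", "a2", "a3"))
        out.append({"serial": serial, "domain": avc["scontext"].split(":")[2],
                    "addr": hex(addr), "length": length,
                    "prot": prot_flags(prot), "flags": mmap_flags(flags),
                    "matches_jvm": wanted == (addr, length)})
    return out

if __name__ == "__main__":
    print(*explain_execmem(AUDIT, JVM), sep="\n")
```
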


