我在 RHEL 8 上启动 tomcat 时遇到问题:
[root@TEST ~]# systemctl restart tomcat.service
Job for tomcat.service failed because the control process exited with error code.
See "systemctl status tomcat.service" and "journalctl -xe" for details.
[root@TEST ~]#
在 journalctl 中我可以看到:
-- Unit tomcat.service has begun starting up.
Dec 08 14:58:30 TEST systemd[3869]: tomcat.service: Failed to execute command: Permission denied
Dec 08 14:58:30 TEST systemd[3869]: tomcat.service: Failed at step EXEC spawning /mnt/efs/tomcat9/bin/catalina.sh: Permission denied
-- Subject: Process /mnt/efs/tomcat9/bin/catalina.sh could not be executed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The process /mnt/efs/tomcat9/bin/catalina.sh could not be executed and failed.
--
-- The error number returned by this process is 13.
Dec 08 14:58:30 TEST systemd[1]: tomcat.service: Control process exited, code=exited status=203
Dec 08 14:58:30 TEST systemd[1]: tomcat.service: Failed with result 'exit-code'.
Dec 08 14:58:30 TEST systemd[1]: Failed to start Apache Tomcat Server.
-- Subject: Unit tomcat.service has failed
问题仅出现在 SELinux 处于强制模式时,当我关闭 Selinux 时,tomcat 能够正确启动。
catalina.sh 文件的权限和上下文:
[root@TEST ~]# ls -lZ /mnt/efs/tomcat9/bin/catalina.sh
-rwxr-x--x. 1 tomcat tomcat system_u:object_r:unconfined_exec_t:s0 23567 Oct 7 09:57 /mnt/efs/tomcat9/bin/catalina.sh
[root@TEST ~]#
看来 SELinux 正在阻止 systemd 从该路径启动脚本,但不知道如何改变它。
您有什么想法吗?有人在 Selinux 上遇到过同样的问题吗?
多谢!
答案1
您必须修复应用程序所在目录的文件上下文。
这通常通过使用semanage -a -t "correct context" "dir"和来实现restorecon -Rv "directory"。以下链接将为您提供帮助:
- https://www.systutorials.com/docs/linux/man/8-tomcat_selinux/
- https://noobient.com/2017/10/02/selinux-woes-with-tomcat-on-centos-74/
根据您的应用程序的具体功能,可能还需要调整一些 SELinux 布尔值。