Selinux 阻止启动 Tomcat

Selinux 阻止启动 Tomcat

我在 RHEL 8 上启动 tomcat 时遇到问题:

[root@TEST ~]# systemctl restart tomcat.service
Job for tomcat.service failed because the control process exited with error code.
See "systemctl status tomcat.service" and "journalctl -xe" for details.
[root@TEST ~]#

在 journalctl 中我可以看到:

-- Unit tomcat.service has begun starting up.
Dec 08 14:58:30 TEST systemd[3869]: tomcat.service: Failed to execute command: Permission denied
Dec 08 14:58:30 TEST systemd[3869]: tomcat.service: Failed at step EXEC spawning /mnt/efs/tomcat9/bin/catalina.sh: Permission denied
-- Subject: Process /mnt/efs/tomcat9/bin/catalina.sh could not be executed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The process /mnt/efs/tomcat9/bin/catalina.sh could not be executed and failed.
--
-- The error number returned by this process is 13.
Dec 08 14:58:30 TEST systemd[1]: tomcat.service: Control process exited, code=exited status=203
Dec 08 14:58:30 TEST systemd[1]: tomcat.service: Failed with result 'exit-code'.
Dec 08 14:58:30 TEST systemd[1]: Failed to start Apache Tomcat Server.
-- Subject: Unit tomcat.service has failed

问题仅出现在 SELinux 处于强制模式时,当我关闭 Selinux 时,tomcat 能够正确启动。

catalina.sh 文件的权限和上下文:

[root@TEST ~]# ls -lZ /mnt/efs/tomcat9/bin/catalina.sh
-rwxr-x--x. 1 tomcat tomcat system_u:object_r:unconfined_exec_t:s0 23567 Oct  7 09:57 /mnt/efs/tomcat9/bin/catalina.sh
[root@TEST ~]#

看来 SELinux 正在阻止 systemd 从该路径启动脚本,但不知道如何改变它。

您有什么想法吗?有人在 Selinux 上遇到过同样的问题吗?

多谢!

答案1

您必须修复应用程序所在目录的文件上下文。

这通常通过使用semanage -a -t "correct context" "dir"和来实现restorecon -Rv "directory"。以下链接将为您提供帮助:

根据您的应用程序的具体功能,可能还需要调整一些 SELinux 布尔值。

相关内容