SELinux policys keeping Tomcat from starting

br flag

On a newly built Oracle Linux 8 server i added a drive and file system, then put put Apache Tomcat on that file system via the tarball. Now when starting Tomcat via a services file, I get an error saying Tomcat has not started, and my journalctl file shows the following:

Apr 04 09:53:17 t-einv systemd[1]: Failed to start Apache Tomcat Web Application Container. -- Subject: Unit tomcat.service has failed -- Defined-By: systemd -- Support:

-- Unit tomcat.service has failed.

-- The result is failed. Apr 04 09:53:17 t-einv setroubleshoot[2924]: Cancel pending alarm Apr 04 09:53:17 t-einv setroubleshoot[2924]: SELinux is preventing /usr/lib/systemd/systemd from execute_no_trans access on the file /u01/tomcat/bin/ For complete SELinux messages run: sealert -l 97dddf7a-4f8a-4> Apr 04 09:53:17 t-einv setroubleshoot[2924]: SELinux is preventing /usr/lib/systemd/systemd from execute_no_trans access on the file /u01/tomcat/bin/

                                         *****  Plugin catchall (100. confidence) suggests   **************************

                                         If you believe that systemd should be allowed execute_no_trans access on the file by default.
                                         Then you should report this as a bug.
                                         You can generate a local policy module to allow this access.
                                         allow this access for now by executing:
                                         # ausearch -c '(' --raw | audit2allow -M my-artupsh
                                         # semodule -X 300 -i my-artupsh.pp

Apr 04 09:53:17 t-einv setroubleshoot[2924]: Set alarm timeout to 10

ruunig ls -FlasZ on the tomcate/bin directory shows the following selinux policies on

unconfined_u:object_r:default_t:s0 1904 Apr 3 09:27*

Any ideas on how wo change the policy permanently to get this running?

us flag

For security sake, webservers cannot execute a writable file with the default selinux policy.

If it is needed (for cached compiled files for example), run setsebool -P httpd_execmem 1.

If it isn't, remove the write permissions on the files you need tomcat to execute. (/u01/tomcat/bin/ here)

Also, I find it easier to understand denials with audit2allow -a command.

I sit in a Tesla and translated this thread with Ai:


Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.