How and why does "setenforce 0" allow Java 7 to run?

Problem description

I've made some changes on a program I'm working on and I've updated Java from Java 6 to Java 7.

I am running the program on a CentOS 5.8 32-bit VM.

Before the Java update it worked fine.

Now the process isn't starting with the error:

 [root@CentOS-58-i-0 bin]# ./agent.sh start

 Starting Agent.....d. running (23442).
 Error: dl failure on line 864
 Error: failed /agent/jre/lib/i386/client/libjvm.so,
 because /agent/jre/lib/i386/client/libjvm.so:
 cannot restore segment prot after reloc: Permission denied

I've checked online and the solution/workaround for this is to run the command:

   setenforce 0

and it will work.

Reading the documentation on the setenforce command, I didn't understand what it does and how it solved the problem.

So my questions are:


  1. What may cause the error that prevents me from starting my process?
  2. Why does the setenforce command solve it?
  3. Please give a short explanation of what setenforce does in general.


Recommended answer

This problem is caused by SELinux enforcing an access policy which forbids that application changing the memory protection attributes of a memory segment.

CentOS, Fedora, Scientific Linux and RedHat Enterprise Linux have SELinux set to "Enforcing" mode by default.

3) short explanation of what setenforce does in general

Running setenforce 0 is switching SELinux to "Permissive" mode.

This "fixes" the problem, but it is not a good idea if your system is exposed. The idea of SELinux targeted access policies is to protect your system by limiting the things that your exposed services can do ... if they get hacked, for example. You have just turned that protection off.

A better approach is to:


  • check the security / audit logs,
  • figure out exactly what triggered the AVC alert
  • decide if it is actually safe for the service to do what it is doing
  • figure out a temporary fix using chcon to change the relevant security context or flags.
  • implement a permanent fix by adding a local policy override.

But you need some SELinux skills / knowledge to pull that off.

In this particular case, an alternative (and significantly less dangerous) "quick fix" would be to run this:

   # chcon -t textrel_shlib_t /agent/jre/lib/i386/client/libjvm.so

But note that a temporary security context change made using chcon is likely to be undone if you need to do a restorecon.
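
The "better approach" steps above, sketched as an added example that is not part of the original answer: it filters audit records for execmod denials (the permission behind "cannot restore segment prot after reloc") and prints the relabel commands for review. The audit lines and the usr_t label are constructed, and using semanage fcontext with restorecon as the persistent fix is an assumption about how the local override is made.

```shell
#!/bin/sh
# Added example: list files that triggered SELinux "execmod" denials and
# print (not run) the relabel commands discussed in the answer.

# Constructed sample audit records; on a real host feed the functions from
# /var/log/audit/audit.log or `ausearch -m avc` instead.
SAMPLE_AUDIT='type=AVC msg=audit(1346509680.123:456): avc:  denied  { execmod } for  pid=23442 comm="java" path="/agent/jre/lib/i386/client/libjvm.so" dev=dm-0 ino=98765 scontext=root:system_r:unconfined_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1346509681.456:457): avc:  denied  { read } for  pid=23450 comm="httpd" name="index.html" dev=dm-0 ino=4321 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1346509680.123:456): arch=40000003 syscall=125 success=no exit=-13 comm="java"'

# Print "path current_type" for each execmod denial on a file, de-duplicated.
execmod_denials() {
    grep 'avc: *denied *{[^}]* execmod [^}]*}' |
    grep 'tclass=file' |
    sed -n 's/.* path="\([^"]*\)".* tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1 \2/p' |
    sort -u
}

# Print the commands to review for one path; nothing is executed here.
suggest_relabel() {
    # Temporary: lost on the next restorecon or filesystem relabel.
    printf 'chcon -t textrel_shlib_t %s\n' "$1"
    # Persistent (assumed approach): record the label, then apply it.
    printf 'semanage fcontext -a -t textrel_shlib_t %s\n' "$1"
    printf 'restorecon -v %s\n' "$1"
}

# Read audit records on stdin and emit one commented block per denied file.
report() {
    execmod_denials | while read -r path type; do
        printf '# %s is labelled %s\n' "$path" "$type"
        suggest_relabel "$path"
    done
}

printf '%s\n' "$SAMPLE_AUDIT" | report
```

Before applying any printed command, confirm the library is one you trust to carry text relocations, since textrel_shlib_t permits exactly the memory-protection change that the policy was blocking.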
