I have built an Apache Tomcat 9.0.83 server on Oracle Linux 9 which will not start as a systemd
service, but it does work if you run it from the command line.
sudo su - tomcat /u01/tomcat/my_server/bin/startup.sh
The error messages say that it is forbidden from starting the startup.sh shell script in the Tomcat's bin directory.
What am I doing wrong?
Here is what I know.
journalctl -xeu my_server_tomcat.service
This shows that it died from the following errors.
systemd[4508]: my_server_tomcat.service: Failed to locate executable /u01/tomcat/my_server/bin/startup.sh: Permission denied
- Subject: Process /u01/tomcat/my_server/bin/startup.sh could not be executed
- The process /u01/tomcat/my_server/bin/startup.sh could not be executed and failed.
Dec 05 10:35:49 myserver.sunyjcc.edu systemd[4508]: my_server_tomcat.service: Failed at step EXEC spawning /u01/tomcat/my_server/bin/startup.sh: Permission denied
- Subject: Process /u01/tomcat/my_server/bin/startup.sh could not be executed
- The process /u01/tomcat/my_server/bin/startup.sh could not be executed and failed.
The startup.sh file exists and is executable.
$ ls -lrtZ /u01/tomcat/my_server/bin/startup.sh
-rwxrwxr-x. 1 tomcat tomcat system_u:object_r:default_t:s0 1904 Nov 9 21:57 /u01/tomcat/my_server/bin/startup.sh
I have a Tomcat service on an Oracle Linux 7 server with the same SELinux security context, and I have no trouble starting it.
/etc/systemd/system/my_server_tomcat.service
[Unit]
Description=PROD my_server (Tomcat 9.0.83)
After=syslog.target network.target
[Service]
User=tomcat
Group=tomcat
Type=forking
Environment=JAVA_HOME=/usr/lib/jvm/jre-1.8.0-openjdk
Environment=CATALINA_PID=/u01/tomcat/my_server/tomcat.pid
Environment=CATALINA_HOME=/u01/tomcat/my_server
Environment=CATALINA_BASE=/u01/tomcat/my_server
ExecStart=/u01/tomcat/my_server/bin/startup.sh
ExecStop=/u01/tomcat/my_server/bin/shutdown.sh
Restart=on-failure
[Install]
WantedBy=multi-user.target
Edit
I turned off SELinux with sudo setenforce 0 and the service started, so I know that SELinux is the cause of the problem. After some thrashing, I got the following messages from the audit log and interpreted them with audit2allow.
sudo cat /var/log/audit/audit.log | grep 1702649015.089:80 | audit2allow -lw
type=AVC msg=audit(1702649015.089:80): avc: denied { execute } for pid=1336 comm="(artup.sh)" name="startup.sh" dev="dm-0" ino=67467631 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
And this is the module suggested by audit2allow.
sudo cat /var/log/audit/audit.log | grep 1702649015.089:80 | audit2allow -m my_server | tee junk.dat
module my_server 1.0;
require {
type root_t;
type init_t;
class file execute;
}
#============= init_t ==============
allow init_t root_t:file execute;
I do not understand why it suggests creating a module for this. It seems to me that there should be a simpler solution.