I have built an Apache Tomcat 9.0.83 server on Oracle Linux 9 which will not start as a systemd service, but it does work if you run it from the command line.

sudo su - tomcat /u01/tomcat/my_server/bin/startup.sh

The error messages say that it is forbidden from starting the startup.sh shell script in the Tomcat's bin directory. What am I doing wrong?

Here is what I know.

journalctl -xeu my_server_tomcat.service

This shows that it died from the following errors.

systemd[4508]: my_server_tomcat.service: Failed to locate executable /u01/tomcat/my_server/bin/startup.sh: Permission denied

  • Subject: Process /u01/tomcat/my_server/bin/startup.sh could not be executed
  • The process /u01/tomcat/my_server/bin/startup.sh could not be executed and failed.

Dec 05 10:35:49 myserver.sunyjcc.edu systemd[4508]: my_server_tomcat.service: Failed at step EXEC spawning /u01/tomcat/my_server/bin/startup.sh: Permission denied

  • Subject: Process /u01/tomcat/my_server/bin/startup.sh could not be executed
  • The process /u01/tomcat/my_server/bin/startup.sh could not be executed and failed.

The startup.sh file exists and is executable:

$ ls -lrtZ /u01/tomcat/my_server/bin/startup.sh
-rwxrwxr-x. 1 tomcat tomcat system_u:object_r:default_t:s0 1904 Nov  9 21:57 /u01/tomcat/my_server/bin/startup.sh

I have a Tomcat service on an Oracle Linux 7 server with the same SELinux security context, and I have no trouble starting it.

/etc/systemd/system/my_server_tomcat.service

[Unit]
Description=PROD my_server (Tomcat 9.0.83)
After=syslog.target network.target

[Service]
User=tomcat
Group=tomcat
Type=forking
Environment=JAVA_HOME=/usr/lib/jvm/jre-1.8.0-openjdk
Environment=CATALINA_PID=/u01/tomcat/my_server/tomcat.pid
Environment=CATALINA_HOME=/u01/tomcat/my_server
Environment=CATALINA_BASE=/u01/tomcat/my_server
ExecStart=/u01/tomcat/my_server/bin/startup.sh
ExecStop=/u01/tomcat/my_server/bin/shutdown.sh
Restart=on-failure

[Install]
WantedBy=multi-user.target

Edit

I turned off SELinux with sudo setenforce 0 and the service started, so I know that SELinux is the cause of the problem. After some thrashing, I got the following messages from the audit log and interpreted them with audit2allow.

sudo cat /var/log/audit/audit.log | grep 1702649015.089:80 | audit2allow -lw 

type=AVC msg=audit(1702649015.089:80): avc:  denied  { execute } for  pid=1336 comm="(artup.sh)" name="startup.sh" dev="dm-0" ino=67467631 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=0

    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

And this is the module suggested by audit2allow.

sudo cat /var/log/audit/audit.log | grep 1702649015.089:80 | audit2allow -m my_server | tee junk.dat

module my_server 1.0;

require {
        type root_t;
        type init_t;
        class file execute;
}

#============= init_t ==============
allow init_t root_t:file execute;

I do not understand why it suggests creating a module for this. It seems to me that there should be a simpler solution.

Comment: Yes, it did, thanks. – Big Ed, Jan 11 at 18:17

1 Answer

I decided to use audit2allow to create a module that will permit the access. Here's how I made it work.

First, set SELinux to permissive mode.

sudo setenforce 0
sudo systemctl start my_server_tomcat.service

Then reboot the server and let my Tomcat server run for a little while. Pull up a few pages from the Tomcat server to make sure it has exercised a little. When that's done, use audit2allow to create a new module.

sudo audit2allow -al -M my_tomcat # Create a new module definition

The -l option says to only look at things that happened since the last boot. Since the system isn't ready for production, there shouldn't be any unnecessary permissions. You should still look at my_tomcat.te to make sure that there isn't something in it that shouldn't be there. If it's OK, then install it as a module and turn SELinux back on.

sudo semodule -i my_tomcat.pp # Load the new module.
sudo setenforce 1              # Set SELinux back to enforcing mode.

Reboot the server, and it's still running. You will probably have to go back and revise and recompile the policy, but at least we know we can get it running.

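The following script is an added example; it is not part of the question, the answer, or audit2allow itself. It does two things the thread leaves implicit. First, it shows how the `allow init_t root_t:file execute;` rule in the edit is derived mechanically from the AVC line (source type, target type, object class, permission set), so the reader can see what `audit2allow -m` is doing. Second, it applies the check a practitioner would make before loading that module: the denial is an `execute` on a file whose type (`root_t` in the AVC, `default_t` in the `ls -Z` output; neither is an executable type) is not one that systemd's `init_t` domain may run. The narrower fix in that situation is to label the script directory `bin_t` with `semanage fcontext` and `restorecon`, which lets systemd execute it (on a targeted policy the service then runs as `unconfined_service_t`) without granting `init_t` execute on every `root_t` file on the system. The audit lines in `SAMPLE_AVC` are constructed for this example (the first is the one from the edit, the second is an invented read denial that a relabel would not address); the directory path is the one from the question. `apply_relabel` is defined for reference and is not run here, since it needs root and the `semanage` tool.

```shell
#!/usr/bin/env bash
# Added example: derive audit2allow-style allow rules from AVC denials and
# decide whether a relabel to bin_t is the narrower fix for an execute denial.
set -eu

# Constructed sample input. Line 1 is the denial quoted in the question's
# edit; line 2 is an invented read/open denial used to show the other branch.
SAMPLE_AVC='type=AVC msg=audit(1702649015.089:80): avc:  denied  { execute } for  pid=1336 comm="(artup.sh)" name="startup.sh" dev="dm-0" ino=67467631 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=0
type=AVC msg=audit(1702649020.123:81): avc:  denied  { read open } for  pid=1340 comm="java" name="server.xml" dev="dm-0" ino=67467700 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0'

# avc_to_allow: read AVC lines on stdin and print one TE allow rule per
# denial, e.g. "allow init_t root_t:file execute;". This is the rule body
# that "audit2allow -m" wraps in a module with the matching require block.
avc_to_allow() {
    awk '/avc: *denied/ {
        perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = $0; sub(/.*scontext=[^:]*:[^:]*:/, "", src); sub(/:.*/, "", src)
        tgt = $0; sub(/.*tcontext=[^:]*:[^:]*:/, "", tgt); sub(/:.*/, "", tgt)
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        n = split(perms, p, " ")
        if (n == 1) printf "allow %s %s:%s %s;\n", src, tgt, cls, perms
        else        printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
    }'
}

# is_exec_type TYPE: true for file types that init_t is already allowed to
# execute. root_t and default_t are not in this set, which is why systemd
# reports "Permission denied" even though the mode bits are rwxrwxr-x.
is_exec_type() {
    case "$1" in
        bin_t|shell_exec_t|initrc_exec_t) return 0 ;;
        *) return 1 ;;
    esac
}

# recommend_fix "<avc line>" DIR: print either "module: <allow rule>" or, for
# an execute denial on a non-executable file type, "relabel: <commands>".
recommend_fix() {
    rule=$(printf '%s\n' "$1" | avc_to_allow)
    [ -n "$rule" ] || { echo "not an AVC denial"; return 1; }
    tgt=$(printf '%s\n' "$rule" | awk '{ split($3, t, ":"); print t[1] }')
    case "$rule" in
        *:file*execute*)
            if is_exec_type "$tgt"; then
                printf 'module: %s\n' "$rule"
            else
                printf 'relabel: semanage fcontext -a -t bin_t "%s(/.*)?" && restorecon -Rv "%s"\n' "$2" "$2"
            fi ;;
        *) printf 'module: %s\n' "$rule" ;;
    esac
}

# apply_relabel DIR: the narrower fix, to be run as root on the target host
# (semanage comes from policycoreutils-python-utils). Not invoked below.
apply_relabel() {
    semanage fcontext -a -t bin_t "$1(/.*)?"
    restorecon -Rv "$1"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r line; do
    recommend_fix "$line" /u01/tomcat/my_server/bin
done
```

After relabeling, `ls -Z` on startup.sh should show `bin_t` instead of `default_t`, and `systemctl start my_server_tomcat.service` should succeed in enforcing mode with no custom module loaded. Denials that are not execute denials (the second sample line) still need a policy decision; the point of the check is only to avoid writing an `allow init_t root_t:file execute` rule when a label was the actual problem.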
