Guys,
Found this interesting issue while toying around with latest JDK on different platforms. (JDK now includes JavaFx2.1 as native Java library! though not on Linux yet. Anyways about that later.)
Problem: java won't run!
[root@localhost ~]# /home/abhinay/Apps/jdk1.7.0_04-i586/bin/java -version
Error: dl failure on line 864
Error: failed /home/abhinay/Apps/jdk1.7.0_04-i586/jre/lib/i386/client/libjvm.so, because /home/abhinay/Apps/jdk1.7.0_04-i586/jre/lib/i386/client/libjvm.so: cannot restore segment prot after reloc: Permission denied
Cause: The java library libjvm.so is attempting text relocation which is a security concern and SELinux will deny the permission to do this.
Simplest explanation:
“A relocation is an operation that rewrites an address in a loaded segment. Such an address rewrite can happen when a segment has references to a shared object and that shared object is loaded in memory. In this case, the references are substituted with the real address values. Similar events can occur inside the shared object itself. A text relocation is a relocation in the text segment. Since text segments contain executable code, system administrators might prefer not to have these segments writable. This is perfectly possible, but since text relocations actually write in the text segment, it is not always feasible.” http://www.gentoo.org/proj/en/hardened/pax-utils.xml
A few more better ones:
"A text relocation is the result of a reference to an object with a variable address at runtime using an absolute addressing mode. The instruction encoding itself contains the address and therefore the executable text of the binary must be changed to contain the correct address when taking the actual load addresses at runtime into account.
The result of a text relocation is that the binary text is written to. This means this page of the binary cannot be physically shared with other processes on the system (this is the goal of DSOs, aka shared libraries). It also means that the binary must have permission to change the access permissions for the memory page to include writing and then back to executing. This is a privileged operation when SELinux is enabled." http://www.akkadia.org/drepper/textrelocs.html
"When code is not position-independent, the binaries must be fixed up at runtime so that the absolute address references are correct after loading. This requires rewriting the the code in memory, takes some time, prevents the memory occupied by the executable from being shared and interferes with selinux protections."
http://fedoraproject.org/wiki/User:Tibbs/Text_Relocation_Guidelines
Workaround: Allow libjvm.so to text relocate by running change context.
[root@localhost ~]# chcon -t textrel_shlib_t /home/abhinay/Apps/jdk1.7.0_04-i586/jre/lib/i386/client/libjvm.so
Wonder why Oracle is putting non-PIC in Java!
