I've made some changes on a program I'm working on and I've updated Java from Java 6 to Java 7.
I am running the program on a CentOS 5.8 32-bit VM.
Before the Java update it worked fine.
Now the process isn't starting with the error:
[root@CentOS-58-i-0 bin]# ./agent.sh start
Starting Agent.....d. running (23442).
Error: dl failure on line 864
Error: failed /agent/jre/lib/i386/client/libjvm.so,
because /agent/jre/lib/i386/client/libjvm.so:
cannot restore segment prot after reloc: Permission denied
I've checked online and the solution/workaround for this is to run the command:
setenforce 0
and it would work.
Reading the documentation on the setenforce command, I didn't understand what it does and how it solved the problem.
So my questions are:
- What may cause the error that prevents me from starting my process?
- Why does the setenforce command solve it? - Please give a short explanation of what setenforce does in general.
This problem is caused by SELinux enforcing an access policy which forbids that application changing the memory protection attributes of a memory segment.
CentOS, Fedora, Scientific Linux and RedHat Enterprise Linux have SELinux set to "Enforcing" mode by default.
Running setenforce 0 is switching SELinux to "Permissive" mode. This "fixes" the problem, but it is not a good idea if your system is exposed. The idea of SELinux targeted access policies is to protect your system by limiting the things that your exposed services can do ... if they get hacked, for example. You have just turned that protection off.
A better approach is to:
chcon to change the relevant security context or flags. But you need some SELinux skills / knowledge to pull that off.
In this particular case, an alternative (and significantly less dangerous) "quick fix" would be to run this:
But note that a temporary security context change made using chcon is likely to be undone if you need to do a restorecon.
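The following is an added example, not code from the question or the answer: it scans audit-log text for the execmod denials behind "cannot restore segment prot after reloc" and prints, without running them, the labelling commands an administrator would review instead of disabling enforcement. The sample records, the function names and the textrel_shlib_t target type are assumptions of this example.

```bash
#!/usr/bin/env bash
# Constructed sample audit records in the AVC format; not taken from the page.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1350000000.123:101): avc:  denied  { execmod } for  pid=23442 comm="java" path="/agent/jre/lib/i386/client/libjvm.so" dev=dm-0 ino=123456 scontext=root:system_r:unconfined_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1350000001.456:102): avc:  denied  { read } for  pid=2001 comm="httpd" name="index.html" dev=dm-0 ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1350000002.789:103): avc:  denied  { execmod } for  pid=23442 comm="java" path="/agent/jre/lib/i386/client/libjvm.so" dev=dm-0 ino=123456 scontext=root:system_r:unconfined_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file'

# Read audit records on stdin; print "<comm> <path> <target type>" once per
# file hit by an execmod denial. Assumes paths without spaces, as in the sample.
execmod_denials() {
    awk '
        /avc: +denied/ && /[{][^}]* execmod [^}]*[}]/ {
            comm = path = ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
                if ($i ~ /^path=/)     { path = $i; gsub(/^path=|"/, "", path) }
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            }
            if (path != "" && !seen[path]++) print comm, path, ttype
        }'
}

# Turn each denial into commands to review; nothing here is executed.
# The default type textrel_shlib_t is an assumption of this example, not the
# command the answer refers to. Pass another type as $1 to override it.
review_plan() {
    local new_type=${1:-textrel_shlib_t}
    execmod_denials | while read -r comm path cur_type; do
        printf '# %s was denied execmod on %s (type %s)\n' "$comm" "$path" "$cur_type"
        printf 'ls -Z %s\n' "$path"
        printf 'chcon -t %s %s   # can be undone by restorecon\n' "$new_type" "$path"
        printf "semanage fcontext -a -t %s '%s'   # persistent labelling rule\n" "$new_type" "$path"
        printf 'restorecon -v %s\n' "$path"
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | review_plan
```

On a real host the input would be the audit log (typically /var/log/audit/audit.log) rather than the constructed sample.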