On Thu, Dec 21, 2017 at 2:45 PM, Alceu R. de Freitas Jr. <glasswal...@yahoo.com.br.invalid> wrote:
> Hello Christopher,
> I never saw something like that either. I also searched on Google; all occurrences
> happened with people trying to run Tomcat on privileged ports (<1024).
> Here is a quick test, with port 9090:
>
> [root@localhost ~]# systemctl stop tomcat
> [root@localhost ~]# rm -f /var/log/tomcat/*
> [root@localhost ~]# vi /etc/tomcat/server.xml
> [root@localhost ~]# grep -A 2 'Connector port="9090"' /etc/tomcat/server.xml
> <Connector port="9090" protocol="HTTP/1.1"
> connectionTimeout="20000"
> redirectPort="8443" />
> [root@localhost ~]# systemctl start tomcat
> [root@localhost ~]# systemctl status tomcat
> ● tomcat.service - Apache Tomcat Web Application Container
>    Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
>    Active: active (running) since Qui 2017-12-21 17:39:57 -02; 6s ago
>    Main PID: 4385 (java)
>    CGroup: /system.slice/tomcat.service
>            └─4385 /usr/lib/jvm/jre/bin/java -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-da...
>
> Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03 PM org.apache.catalina.startup.HostConfig deployDirectory
> Dez 21 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES: Deployment of web application directory /var/lib/tomcat/webapps/manager has finish… in 498 ms
> Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03 PM org.apache.catalina.startup.HostConfig deployDirectory
> Dez 21 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES: Deploying web application directory /var/lib/tomcat/webapps/ROOT
> Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03 PM org.apache.catalina.startup.TldConfig execute
> Dez 21 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging …tion time.
> Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03 PM org.apache.catalina.startup.HostConfig deployDirectory
> Dez 21 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES: Deployment of web application directory /var/lib/tomcat/webapps/ROOT has finished in 534 ms
> Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03 PM org.apache.catalina.startup.HostConfig deployDirectory
> Dez 21 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES: Deploying web application directory /var/lib/tomcat/webapps/examples
> Hint: Some lines were ellipsized, use -l to show in full.
> [root@localhost ~]# less /var/log/tomcat/catalina.2017-12-21.log
> GRAVE: Failed to initialize end point associated with ProtocolHandler ["http-bio-9090"]
> java.net.BindException: Permissão negada (Bind failed) <null>:9090
>     at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:413)
>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:715)
>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
>     at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:642)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:667)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:253)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:427)
> Caused by: java.net.BindException: Permissão negada (Bind failed)
>     at java.net.PlainSocketImpl.socketBind(Native Method)
>     at java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:387)
>     at java.net.ServerSocket.bind(ServerSocket.java:375)
>     at java.net.ServerSocket.<init>(ServerSocket.java:237)
>     at java.net.ServerSocket.<init>(ServerSocket.java:181)
>     at org.apache.tomcat.util.net.DefaultServerSocketFactory.createSocket(DefaultServerSocketFactory.java:49)
>     at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:400)
>     ... 17 more
> dez 21, 2017 5:40:00 PM org.apache.catalina.core.StandardService initInternal
> GRAVE: Failed to initialize connector [Connector[HTTP/1.1-9090]]
> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-9090]]
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:642)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:667)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:253)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:427)
> Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>     ... 12 more
> Caused by: java.net.BindException: Permissão negada (Bind failed) <null>:9090
>     at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:413)
>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:715)
>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
>     at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
>     ... 13 more
> Caused by: java.net.BindException: Permissão negada (Bind failed)
>     at java.net.PlainSocketImpl.socketBind(Native Method)
>     at java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:387)
>     at java.net.ServerSocket.bind(ServerSocket.java:375)

This behavior is due to a fix in the selinux-policy package; see https://bugzilla.redhat.com/show_bug.cgi?id=1432083 for more details. If you check /var/log/audit/audit.log you'll see an AVC denial, such as:

type=AVC msg=audit(1513815897.006:136): avc: denied { name_bind } for pid=1467 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket ...

Previous versions of tomcat were incorrectly labeled unconfined_t and could do whatever they wanted; that has been addressed, and now tomcat is confined by selinux as it should be :)

You can fix the problem by adding the port you want to allow to the system's HTTP port type, http_port_t:

`semanage port --add -t http_port_t -p tcp 8090`

Cheers,

> [root@localhost ~]# ps aux | grep -i tomcat
> tomcat 4385 3.4 10.8 2306540 110448 ? Ssl 17:39 0:09 /usr/lib/jvm/jre/bin/java -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
> root 4438 0.0 0.0 112680 988 pts/0 R+ 17:44 0:00 grep --color=auto -i tomcat
>
>
> On Thursday, December 21, 2017 17:34:39 BRST, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> I've never seen "BindException: permission denied" when the port
> number is above 1024. Are you sure it's the connector port (e.g. 8090)
> it's complaining about?
>
> When you try your "other applications" test, are you sure you are
> running as the same effective user as the Tomcat process?
>
> - -chris
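
A triage sketch for the audit.log check described in the reply, added here as an example (it is not from the thread or from any project's code): it parses AVC records, counts `name_bind` denials per confined domain and port, and formats the reply's `semanage` command for a port an administrator has decided to allow. Every sample record after the first, port 18090, and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: record 1 is the denial quoted in the reply above;
# the other three records are made up for this example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1513815897.006:136): avc: denied { name_bind } for pid=1467 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513815960.310:141): avc:  denied  { name_bind } for  pid=1502 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513816020.550:150): avc:  denied  { name_bind } for  pid=1540 comm="java" src=18090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513816100.020:158): avc:  denied  { read } for  pid=2210 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

HEAD = re.compile(r"type=AVC\s+msg=audit\((\d+)\.\d+:(\d+)\):\s+avc:\s+"
                  r"(denied|granted)\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one AVC record as a dict, or None if the line is not one."""
    head = HEAD.search(line)
    if not head:
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
    return {
        "epoch": int(head.group(1)), "serial": int(head.group(2)),
        "result": head.group(3), "perms": head.group(4).split(),
        # An SELinux context is user:role:type:level; keep the type field.
        "domain": f.get("scontext", ":::").split(":", 3)[2],
        "target": f.get("tcontext", ":::").split(":", 3)[2],
        "proto": f.get("tclass", "").split("_")[0],
        "comm": f.get("comm"),
        "port": int(f["src"]) if f.get("src", "").isdigit() else None,
    }

def denied_binds(lines):
    """Count name_bind denials per (domain, protocol, port, port type)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        if rec["result"] == "denied" and "name_bind" in rec["perms"] and rec["port"]:
            counts[(rec["domain"], rec["proto"], rec["port"], rec["target"])] += 1
    return counts

def relabel_command(proto, port, port_type="http_port_t"):
    """Format the reply's semanage fix for a port the admin has reviewed."""
    return f"semanage port --add -t {port_type} -p {proto} {port}"

if __name__ == "__main__":
    for (dom, proto, port, tgt), n in sorted(denied_binds(SAMPLE_AUDIT_LOG.splitlines()).items()):
        print(f"{dom}: {n} name_bind denial(s) on {proto}/{port}, labeled {tgt}")
        print("  if the port is intended:", relabel_command(proto, port))
```

Grouping by domain and port before relabeling keeps the confinement meaningful: only ports the service is meant to listen on get added to `http_port_t`.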