Coty,

On 12/21/17 3:49 PM, Coty Sutherland wrote:
> On Thu, Dec 21, 2017 at 2:45 PM, Alceu R. de Freitas Jr.
> <glasswal...@yahoo.com.br.invalid> wrote:
>> Hello Cristopher, I never saw something like that either. I also
>> searched on Google; all occurrences happened with people trying to
>> run Tomcat on privileged ports (<1024). Here is a quick test,
>> with port 9090:
>>
>> [root@localhost ~]# systemctl stop tomcat
>> [root@localhost ~]# rm -f /var/log/tomcat/*
>> [root@localhost ~]# vi /etc/tomcat/server.xml
>> [root@localhost ~]# grep -A 2 'Connector port="9090"' /etc/tomcat/server.xml
>> <Connector port="9090" protocol="HTTP/1.1"
>>            connectionTimeout="20000"
>>            redirectPort="8443" />
>> [root@localhost ~]# systemctl start tomcat
>> [root@localhost ~]# systemctl status tomcat
>> ● tomcat.service - Apache Tomcat Web Application Container
>>    Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
>>    Active: active (running) since Qui 2017-12-21 17:39:57 -02; 6s ago
>>  Main PID: 4385 (java)
>>    CGroup: /system.slice/tomcat.service
>>            └─4385 /usr/lib/jvm/jre/bin/java -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-da...
>>
>> Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03 PM org.apache.catalina.startup.HostConfig deployDirectory
>> Dez 21 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES: Deployment of web application directory /var/lib/tomcat/webapps/manager has finish… in 498 ms
>> Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03 PM org.apache.catalina.startup.HostConfig deployDirectory
>> Dez 21 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES: Deploying web application directory /var/lib/tomcat/webapps/ROOT
>> Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03 PM org.apache.catalina.startup.TldConfig execute
>> Dez 21 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging …tion time.
>> Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03 PM org.apache.catalina.startup.HostConfig deployDirectory
>> Dez 21 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES: Deployment of web application directory /var/lib/tomcat/webapps/ROOT has finished in 534 ms
>> Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03 PM org.apache.catalina.startup.HostConfig deployDirectory
>> Dez 21 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES: Deploying web application directory /var/lib/tomcat/webapps/examples
>> Hint: Some lines were ellipsized, use -l to show in full.
>> [root@localhost ~]# less /var/log/tomcat/catalina.2017-12-21.log
>> GRAVE: Failed to initialize end point associated with ProtocolHandler ["http-bio-9090"]
>> java.net.BindException: Permissão negada (Bind failed) <null>:9090
>>     at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:413)
>>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:715)
>>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
>>     at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
>>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:642)
>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:667)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:253)
>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:427)
>> Caused by: java.net.BindException: Permissão negada (Bind failed)
>>     at java.net.PlainSocketImpl.socketBind(Native Method)
>>     at java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:387)
>>     at java.net.ServerSocket.bind(ServerSocket.java:375)
>>     at java.net.ServerSocket.<init>(ServerSocket.java:237)
>>     at java.net.ServerSocket.<init>(ServerSocket.java:181)
>>     at org.apache.tomcat.util.net.DefaultServerSocketFactory.createSocket(DefaultServerSocketFactory.java:49)
>>     at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:400)
>>     ... 17 more
>> dez 21, 2017 5:40:00 PM org.apache.catalina.core.StandardService initInternal
>> GRAVE: Failed to initialize connector [Connector[HTTP/1.1-9090]]
>> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-9090]]
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:642)
>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:667)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:253)
>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:427)
>> Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
>>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>>     ... 12 more
>> Caused by: java.net.BindException: Permissão negada (Bind failed) <null>:9090
>>     at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:413)
>>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:715)
>>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
>>     at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
>>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
>>     ... 13 more
>> Caused by: java.net.BindException: Permissão negada (Bind failed)
>>     at java.net.PlainSocketImpl.socketBind(Native Method)
>>     at java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:387)
>>     at java.net.ServerSocket.bind(ServerSocket.java:375)
>
> This behavior is due to a fix in the selinux-policy package; see
> https://bugzilla.redhat.com/show_bug.cgi?id=1432083 for more
> details. If you check /var/log/audit/audit.log you'll see an AVC
> denial, such as:
>
> type=AVC msg=audit(1513815897.006:136): avc: denied { name_bind } for pid=1467 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
> ...
>
> Previous versions of tomcat were incorrectly labeled unconfined_t and
> could do whatever they wanted; that has been addressed and now tomcat
> is confined by selinux as it should be :)
>
> You can fix the problem by adding the port you want to allow to
> the system's HTTP port type, http_port_t:
> `semanage port --add -t http_port_t -p tcp 8090`

This is exactly like what I was expecting to be the solution, here.
OP didn't mention SELinux, but I was thinking that this looked a lot
like what might happen if authbind wasn't configured properly... but
for non-privileged ports.

-chris
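
Added example, not part of the thread or of any project's code: a shell filter that reads audit.log lines, keeps the `name_bind` denials for `tomcat_t` like the one quoted above, and prints the matching `semanage port` command for each port. The function names, the sample lines and the add-versus-modify rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Reads audit.log lines on stdin and
# prints, without running them, one semanage command per TCP port that
# SELinux refused to let a tomcat_t process bind.
suggest_port_labels() {
    awk '
    /type=AVC/ && /denied/ && /name_bind/ && /tclass=tcp_socket/ {
        port = ""; stype = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=[0-9]+$/) port = substr($i, 5)
            if ($i ~ /^scontext=/) { split($i, s, ":"); stype = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
        }
        # Only Tomcat denials, and each port once.
        if (stype != "tomcat_t" || port == "" || seen[port]++) next
        # Assumption: a generic range label means the port has no entry of
        # its own, so --add works; any other label is an existing entry and
        # semanage needs --modify to retype it.
        if (ttype ~ /^(unreserved|ephemeral|reserved|hi_reserved)_port_t$/)
            action = "--add"
        else
            action = "--modify"
        printf "semanage port %s -t http_port_t -p tcp %s\n", action, port
    }'
}

# Constructed sample lines in the format quoted above (values are made up).
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1513900000.001:201): avc: denied { name_bind } for pid=2001 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513900005.002:202): avc: denied { name_bind } for pid=2002 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513900010.003:203): avc: denied { name_bind } for pid=2003 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513900015.004:204): avc: denied { name_bind } for pid=2004 comm="httpd" src=8099 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1513900015.004:204): arch=c000003e syscall=49 success=no exit=-13
EOF
}

sample_audit_lines | suggest_port_labels
```

On a real host, feed it `/var/log/audit/audit.log` and review the printed commands before running them as root; `semanage port -l` shows the resulting labels.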