How to Fix SELinux Blocking Tomcat’s startup.sh Execution on CentOS (203/EXEC Error)


When running systemctl start tomcat.service on CentOS, you might encounter a failure like:

Failed to start Apache ExecStart=/opt/tomcat/bin/startup.sh (code=exited, status=203/EXEC)

Exit status 203/EXEC is systemd's own code: it means systemd could not execute the ExecStart program at all, so neither startup.sh nor the JVM ever ran. This is not a Java or Tomcat configuration problem. The journalctl output (or /var/log/audit/audit.log) reveals the root cause:

SELinux is preventing (startup.sh) from execute access on the file startup.sh

The parenthesised "(startup.sh)" is the name systemd gives the forked child before it has executed the script, which is why the denial appears to come from the script itself.
First, check the current SELinux context (label) of the script systemd is trying to run:

ls -Z /opt/tomcat/bin/startup.sh
# Output example: -rwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 /opt/tomcat/bin/startup.sh

The field that matters is the type, usr_t. Everything created under /opt inherits that type by default, and the policy does not allow systemd's domain (init_t) to execute usr_t files. The DAC permissions (-rwxr-xr-x) are fine; the failure comes purely from the label.

Compare this with a system executable that systemd is allowed to run:

ls -Z /usr/bin/ls
# Typically shows: system_u:object_r:bin_t:s0 /usr/bin/ls

bin_t is the generic executable type. Confined services use their own exec types instead (for example httpd_exec_t for the Apache httpd binary); the stock tomcat policy module, where your policy has one, uses tomcat_exec_t. semanage fcontext -l | grep tomcat lists the paths and types that policy expects.

Temporary workaround (not recommended for production):

setenforce 0

This switches SELinux to permissive mode: denials are still written to the audit log but no longer enforced, so Tomcat will start. That makes it useful for collecting the full set of denials in one run, but it removes protection for the whole host until you run setenforce 1 (or reboot; the change is not persistent). Never leave a production system in this state.

Proper context correction, generic variant:

semanage fcontext -a -t bin_t "/opt/tomcat/bin/startup.sh"
restorecon -v /opt/tomcat/bin/startup.sh
chmod +x /opt/tomcat/bin/startup.sh

semanage records the rule persistently, so it survives future relabels; restorecon applies it to the file now. On CentOS 7 semanage comes from the policycoreutils-python package (policycoreutils-python-utils on CentOS 8). The chmod is unrelated to SELinux: the execute bit is ordinary DAC permission and a missing bit also produces 203/EXEC, just without any AVC record.

Be clear about what bin_t buys you: systemd will run a bin_t program, but on current CentOS releases it runs it as unconfined_service_t, so Tomcat gets no SELinux confinement at all. That is still better than setenforce 0, because the rest of the system stays confined, but the tomcat_exec_t labelling shown further down is the stronger fix.

After applying changes:

systemctl daemon-reload
systemctl start tomcat
journalctl -u tomcat -xe

daemon-reload is only needed if you also edited the unit file. Tomcat should now start without SELinux denials; confirm it by checking that ausearch -m avc -ts recent returns no new AVC events for the start.

If Tomcat starts but further denials appear (typically once it runs confined as tomcat_t and touches directories that still carry usr_t), you can generate a custom policy module from the logged denials:

grep tomcat /var/log/audit/audit.log | audit2allow -M mytomcat
semodule -i mytomcat.pp

Read the generated mytomcat.te before installing it. audit2allow turns every denial it is given into an allow rule without judging whether the denial is legitimate: fed the startup.sh denial above, it would emit a rule allowing init_t to execute any usr_t file, which defeats the point of fixing the label. Labelling problems are fixed with semanage fcontext; only genuine policy gaps belong in a custom module. Keep the grep narrow (or use ausearch -m avc -c java) so unrelated denials do not end up in the module.

Check that the module is loaded (this also shows whether a stock tomcat module is present in your policy):

semodule -l | grep tomcat


The better fix is to label the scripts with the type the stock tomcat policy expects, so that systemd transitions Tomcat into the confined tomcat_t domain instead of running it unconfined as a bin_t program would be:

semanage fcontext -a -t tomcat_exec_t "/opt/tomcat/bin/.*\.sh"
restorecon -Rv /opt/tomcat/bin/

The first argument is a regular expression, so this one rule covers startup.sh, shutdown.sh and catalina.sh. If semanage rejects tomcat_exec_t as an invalid type, your policy has no tomcat module and you should fall back to bin_t. Once Tomcat runs as tomcat_t, its log, work and temp directories under /opt/tomcat will need matching tomcat types as well; semanage fcontext -l | grep tomcat shows which type the policy uses for which kind of path.


After applying changes, verify the context:

ls -Z /opt/tomcat/bin/startup.sh

Should now show the new type:

-rwxr-xr-x. root root unconfined_u:object_r:tomcat_exec_t:s0 /opt/tomcat/bin/startup.sh

Only the type field changes: restorecon leaves the SELinux user (unconfined_u here, system_u on a file created by the system) alone unless you pass -F, and the user field plays no part in the file access decision. The type is what systemd's domain transition keys on.

Ensure your tomcat.service file points at the relabelled scripts and runs Tomcat as the unprivileged tomcat user rather than root. A working unit looks like this:

[Unit]
Description=Apache Tomcat
After=syslog.target network.target

[Service]
Type=forking
User=tomcat
Group=tomcat
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

[Install]
WantedBy=multi-user.target

CATALINA_PID makes catalina.sh record the JVM's pid, which shutdown.sh relies on; systemd itself only reads that file if you also add PIDFile=/opt/tomcat/temp/tomcat.pid, otherwise it guesses the main process after startup.sh forks and exits.
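The diagnosis and fix steps above reduce to two decisions: which label the ExecStart target carries (and whether init_t may execute it), and, for any denial that remains, whether it is a labelling problem or a real policy gap. The following script is an added example written for this page, not code from the original article or from the Tomcat or SELinux projects. It parses a unit file's ExecStart= line, classifies a file label the way the steps above do, and triages an AVC record before you hand it to audit2allow. The unit text and the audit line embedded in it are constructed samples; the /opt/tomcat paths, the CentOS audit.log field layout and the check_unit helper's use of stat -c %C on a live host are assumptions.

```bash
#!/bin/sh
# Added example, not code from the original page. Triage a 203/EXEC failure
# before reaching for setenforce 0 or audit2allow. Two questions decide the fix:
#   1. Which SELinux type does the ExecStart= target carry, and may init_t
#      (systemd) execute that type?
#   2. Does the AVC record describe a mislabelled file (fix: relabel) or a
#      genuine policy gap (fix: a reviewed custom module)?
# The unit text and audit line below are constructed samples; the /opt/tomcat
# paths and the audit.log field layout are assumptions about a CentOS 7 host.
set -eu

# Third field of "user:role:type:level", e.g. usr_t from unconfined_u:object_r:usr_t:s0.
selinux_type() {
    local t
    t=${1#*:}; t=${t#*:}
    printf '%s\n' "${t%%:*}"
}

# How systemd (init_t) treats a program carrying this type.
#   tomcat_exec_t          run confined, in the tomcat_t domain
#   bin_t / shell_exec_t   run, but as unconfined_service_t (no SELinux confinement)
#   anything else          execute denied; usr_t is the default label under /opt
classify_exec_type() {
    case $1 in
        tomcat_exec_t)      echo confined ;;
        bin_t|shell_exec_t) echo unconfined ;;
        *)                  echo denied ;;
    esac
}

# First ExecStart= program of a unit file read on stdin, without systemd's
# prefix characters (-, @, +, !, :) or arguments.
exec_start_path() {
    awk '/^ExecStart=/ {
        line = substr($0, 11)
        sub(/^[-@+!:]+/, "", line)
        split(line, a, " ")
        print a[1]
        exit
    }'
}

# Classify one AVC record (a single audit.log line). Verdicts:
#   relabel  init_t was denied execute on a non-executable type: fix the label;
#            audit2allow would instead emit "allow init_t usr_t:file execute",
#            letting systemd run any usr_t file on the box
#   inspect  some other denial: generate a module with audit2allow, then read
#            the .te before semodule -i
#   ignore   not an execute denial on a file
triage_avc() {
    local line perm tclass stype ttype
    line=$1
    perm=$(printf '%s\n' "$line"   | sed -n 's/.*denied *{ *\([a-z_]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    stype=$(selinux_type "$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')")
    ttype=$(selinux_type "$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')")
    if [ "$tclass" != file ] || [ "$perm" != execute ]; then
        echo ignore
    elif [ "$stype" = init_t ] && [ "$(classify_exec_type "$ttype")" = denied ]; then
        echo relabel
    else
        echo inspect
    fi
}

# Persistent relabel for one path. tomcat_exec_t keeps Tomcat confined; pass
# bin_t only if semanage reports tomcat_exec_t as an invalid type.
relabel_commands() {
    local path type
    path=$1; type=${2:-tomcat_exec_t}
    printf 'semanage fcontext -a -t %s "%s"\n' "$type" "$path"
    printf 'restorecon -v "%s"\n' "$path"
}

# On a real host: label and verdict for a unit's ExecStart target (stat's %C
# prints the SELinux context). Not exercised by the sample run below.
check_unit() {
    local path ctx
    path=$(exec_start_path <"$1")
    ctx=$(stat -c %C -- "$path")
    printf '%s  %s  %s\n' "$path" "$ctx" "$(classify_exec_type "$(selinux_type "$ctx")")"
}

# --- constructed sample data, not captured from a real host ---
SAMPLE_UNIT='[Service]
Type=forking
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh'

SAMPLE_AVC='type=AVC msg=audit(1700000000.000:101): avc:  denied  { execute } for  pid=4242 comm="(startup.sh)" name="startup.sh" dev="dm-0" ino=1337 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0'

demo() {
    local path verdict
    path=$(printf '%s\n' "$SAMPLE_UNIT" | exec_start_path)
    verdict=$(triage_avc "$SAMPLE_AVC")
    echo "ExecStart target: $path"
    echo "AVC verdict:      $verdict"
    if [ "$verdict" = relabel ]; then
        relabel_commands "$path"
    fi
}
demo
```

On a host, check_unit /etc/systemd/system/tomcat.service prints the target path, its context and the verdict, and triage_avc can be fed each line of ausearch -m avc -ts recent in a loop. A relabel verdict means run the semanage and restorecon commands it prints, not audit2allow; an inspect verdict means generate the module, then read the .te and confirm every rule is one you would write by hand.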