Actually, this looks like 2 bugs in one. If I set TOMCAT_START to "start -security", the first thing that is wrong is that /etc/init.d/tomcat-x.y calls something like:

start-stop-daemon --start ...BLABLA... org.apache.catalina.startup.Bootstrap start -security

This doesn't work because Bootstrap expects its arguments in the reverse order, i.e. this should be called instead:

start-stop-daemon --start ...BLABLA... org.apache.catalina.startup.Bootstrap -security start

But after fixing this I ran into more problems with permissions. The final solution was to add almost all files under /usr/share/tomcat-x.y to /etc/tomcat-x.y/catalina.policy and set them to full rights. Symlinks must be mentioned separately, otherwise the target libraries don't really get the permissions. My catalina.policy is in the attachment.

Reproducible: Always

Steps to Reproduce:
1. Edit /etc/conf.d/tomcat-x.y and set TOMCAT_START to "start -security"
2. Restart tomcat

Actual Results:
http://127.0.0.1:8080/ doesn't load

Expected Results:
http://127.0.0.1:8080/ should load

Portage 2.1.2.2 (default-linux/x86/2006.1, gcc-4.1.1, glibc-2.5-r0, 2.6.18-suspend2-r1 i686)
=================================================================
System uname: 2.6.18-suspend2-r1 i686 Intel(R) Pentium(R) 4 CPU 2.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 30 Apr 2007 19:00:10 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31-r5
dev-lang/python: 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.4-r7
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.15-r1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -fforce-addr -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=pentium4 -fforce-addr -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.ynet.sk/pub/ http://gentoo.inode.at/ ftp://gd.tuwien.ac.at/opsys/linux/gentoo/"
LANG="sk_SK.UTF-8"
LC_ALL="sk_SK.UTF-8"
LINGUAS="sk en en_US en_GB"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow X a52 aac acl alsa apache2 arts audiofile bash-completion berkdb bitmap-fonts bzip2 cdparanoia cli cracklib crypt ctype cups curl dbus doc dri dts dvd dvdread eds encode esd examples exif fbcon ffmpeg firefox flac foomaticdb fortran ftp gcj gd gdbm gif glut gmp gnome gphoto2 gpm gstreamer gtk hal iconv icq idn imagemagick imlib ipv6 isdnlog java javascript jpeg kde lcms libg++ mad midi mikmod mmx mng motif mozdevelop mozilla mp3 mpeg mysql mysqli ncurses nls nptl nptlonly nsplugin ogg opengl oss pam pcre pdf perl php png ppds pppd python qt3 qt4 quicktime readline reflection samba scanner sdl session slang sndfile speex spell spl sqlite sse sse2 ssl startup-notification svg svga tcltk tcpd tetex theora threads tidy tiff tokenizer truetype truetype-fonts type1-fonts unicode usb v4l vim-syntax vorbis win32codecs wxwindows x86 xcomposite xml xorg xprint xsl xv xvid zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="sk en en_US en_GB"
USERLAND="GNU"
VIDEO_CARDS="radeon vesa"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Created attachment 117886: working catalina.policy
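The symlink remark in the report above (the jar a symlink points to needs its own grant, or the permissions do not reach it) is the kind of thing worth checking mechanically rather than by trial and error. What follows is an added example written for this page; it is not code from the bug report, from the attached catalina.policy, or from Gentoo's tomcat ebuilds. It walks a Tomcat tree, resolves every file (including symlinks to files) to its canonical path, and lists the targets that no file: codeBase grant in the policy covers. It assumes the standard Java policy codeBase wildcards (a codeBase ending in /- covers a whole subtree, /* a single directory level, anything else an exact file), that the policy refers to the install through a ${catalina.home} property, and that the small layout it builds in a temporary directory stands in for /usr/share/tomcat-x.y; the property name and that layout are constructed for the demo.

```python
"""Report files under a Tomcat tree whose canonical path no codeBase grant covers.

Added example for this page; it is not the bug report's catalina.policy and not
Gentoo's ebuild code. The directory layout built by demo() is constructed.
"""
import os
import re
import tempfile

# Matches the codeBase URL of each 'grant codeBase "..." { ... };' block.
# Grants without a codeBase (which apply to all code) are not examined here.
GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"', re.IGNORECASE)
PROP_RE = re.compile(r"\$\{([^}]+)\}")


def parse_grants(policy_text, props):
    """Return every codeBase URL in the policy, with known ${prop} names expanded."""
    def expand(m):
        return props.get(m.group(1), m.group(0))  # unknown property: left as written
    return [PROP_RE.sub(expand, cb) for cb in GRANT_RE.findall(policy_text)]


def codebase_covers(codebase, real_path):
    """Java policy codeBase matching: '/-' = whole subtree, '/*' = one directory level,
    otherwise an exact file. real_path must already be canonical (symlinks resolved)."""
    if not codebase.startswith("file:"):
        return False
    p = codebase[len("file:"):]
    while p.startswith("//"):          # accept file:///path as well as file:/path
        p = p[1:]
    if p.endswith("/-"):
        base = os.path.normpath(p[:-2])
        return real_path == base or real_path.startswith(base + os.sep)
    if p.endswith("/*"):
        return os.path.dirname(real_path) == os.path.normpath(p[:-2])
    return real_path == os.path.normpath(p)


def uncovered_targets(root, grants):
    """Walk root without following directory symlinks; for every file, including a
    symlink to a file, resolve the canonical path and check that some grant covers it."""
    missing = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            target = os.path.realpath(os.path.join(dirpath, name))
            if not os.path.isfile(target):          # dangling symlink: nothing to grant
                continue
            if not any(codebase_covers(g, target) for g in grants):
                missing.append(target)
    return sorted(missing)


def demo():
    """Constructed layout: one jar lives in the tree, one is reached only via a symlink.
    Returns (uncovered with tree-only grants, uncovered after granting the target dir),
    both as paths relative to the temporary base directory."""
    base = os.path.realpath(tempfile.mkdtemp())
    tomcat = os.path.join(base, "tomcat")
    elsewhere = os.path.join(base, "opt", "lib")
    for d in (os.path.join(tomcat, "lib"), os.path.join(tomcat, "common", "lib"), elsewhere):
        os.makedirs(d)
    open(os.path.join(tomcat, "lib", "catalina.jar"), "w").close()
    open(os.path.join(elsewhere, "shared.jar"), "w").close()
    os.symlink(os.path.join(elsewhere, "shared.jar"),
               os.path.join(tomcat, "common", "lib", "shared.jar"))

    props = {"catalina.home": tomcat}   # property name assumed for the demo
    tree_only = (
        'grant codeBase "file:${catalina.home}/lib/-" { permission java.security.AllPermission; };\n'
        'grant codeBase "file:${catalina.home}/common/lib/-" { permission java.security.AllPermission; };\n'
    )
    # The fix the report describes: mention the symlink target's directory separately.
    with_target = tree_only + (
        'grant codeBase "file:%s/-" { permission java.security.AllPermission; };\n' % elsewhere
    )
    rel = lambda paths: [os.path.relpath(p, base) for p in paths]
    before = rel(uncovered_targets(tomcat, parse_grants(tree_only, props)))
    after = rel(uncovered_targets(tomcat, parse_grants(with_target, props)))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("missing with tree-only grants:", before)            # ['opt/lib/shared.jar']
    print("missing after granting the symlink target:", after)  # []
```

Run it against a real install by pointing uncovered_targets() at the Tomcat directory and parse_grants() at the text of catalina.policy with the properties the JVM is started with; anything it lists is a jar that a grant on the symlink path alone will not reach.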
An initial fix for this has been committed to the tree for both 5.5 and 6.0.x. It works for Tomcat, but not the default webapps. Root seemed to work in 6.0.x and might in 5.5. But manager and host-manager need additional permissions. Patches to files in portage or etc are appreciated. Beyond that, the format in the conf.d file and also in the init.d file has changed. So instead of START="start -security" it's now START="-security start". Clever huh :) Leaving bug open till all of Tomcat, all webapps, can run with the security manager by default.
Reassigning to herd since wltjr has left Gentoo, bug #135927.
For both tomcat 6 & 7, Gentoo hasn't patched the catalina.policy file for quite some time now. If this is still an issue with current releases, please file a new bug. Thanks for the report.