Orange is my favorite color

Huzzah! It is possible. I have CFMX7 running under CentOS-5 (RHEL-5) with SELinux enforcing. I imagine this will also work to correct CFMX8.

The Problems

  1. The mod_jrun20.so and mod_jrun22.so provided by Adobe are broken in many ways. You can see my original post on recompiling the connector to support mod_deflate, but it’s just not compiled right for a modern Linux system
  2. The connector provided has unnecessary Stack Exec privileges that break SELinux compatibility
  3. Fixing the connector leads to other problems, most notably leading to 500 Internal Server Errors when trying to access any CFM page

This was manifesting itself in Apache not starting via the /etc/init.d/httpd script. It would always say “FAILED” with no error messages in the logs. I found by adding “-E ~/startup.log” to the start() routine in /usr/sbin/apachectl (httpd’s -E flag sends startup errors to the named file) that I could see what was happening, and it was mod_jrun22.so blowing up. Time to debug!

Steps to Fix your Install

These steps required serious SELinux debugging and much Googling. But now they’re all in one place. You lucky dog. Back in my day, we had to use Google uphill both ways on 2400 baud modems for these kinds of answers!

First, Recompile the Connector

Download the Apache 2.2 connector from Adobe. This is for my CFMX7 multi-server connector with CentOS-5 on Apache 2.2.

You will need httpd-devel installed. Check with “rpm -qa | grep httpd-devel” or look for /usr/sbin/apxs. If you don’t have it, install it with “yum install httpd-devel”. This will give you apxs. I am running a multi-server configuration; for standalone, substitute the paths to your wsconfig dir. Recompile your connector for starters (based on these directions):

# /usr/sbin/apxs -c -Wc,-w -n jrun \
-S LIBEXECDIR=/opt/jrun4/lib/wsconfig/1/ \
mod_jrun22.c jrun_maptable_impl.c jrun_property.c jrun_session.c \
platform.c jrun_utils.c jrun_mutex.c jrun_proxy.c jrun_ssl.c
# /usr/sbin/apxs -i -n jrun \
-S LIBEXECDIR=/opt/jrun4/lib/wsconfig/1/ \
mod_jrun22.la
# strip /opt/jrun4/lib/wsconfig/1/mod_jrun22.so

Now check the binary created by your recompile and note that it doesn’t need exec-stack (RW, instead of RWE or RWX):

readelf -l /opt/jrun4/lib/wsconfig/1/mod_jrun22.so | grep STACK
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4
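The readelf check above is the one that matters for SELinux: the execstack denial comes from a module whose PT_GNU_STACK header carries the E flag (or has no such header at all, in which case glibc on x86 falls back to an executable stack). The following script is an added example for this post, not Adobe’s or the connector’s code; it reads the program headers itself so the check works without binutils, and the make_elf helper builds constructed test images rather than touching a real .so.

```python
"""Report whether an ELF shared object asks the loader for an executable stack."""
import struct
import sys

PT_GNU_STACK = 0x6474E551          # p_type of the stack-permissions program header
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits; readelf prints them as E, W, R


def _flags_str(pflags):
    """Render p_flags the way readelf does: R, W, E in that order."""
    return "".join(ch for bit, ch in ((PF_R, "R"), (PF_W, "W"), (PF_X, "E")) if pflags & bit)


def gnu_stack_flags(data):
    """Return the PT_GNU_STACK flags ('RW', 'RWE', ...) or None if the header is absent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"            # ELFDATA2LSB or ELFDATA2MSB
    if ei_class == 2:                             # ELFCLASS64: 64-byte header, 56-byte phdrs
        ehdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
        phdr_fmt, flags_idx = end + "IIQQQQQQ", 1   # p_flags is the second phdr field
    elif ei_class == 1:                           # ELFCLASS32: 52-byte header, 32-byte phdrs
        ehdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data, 0)
        phdr_fmt, flags_idx = end + "IIIIIIII", 6   # p_flags is the seventh phdr field
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    for i in range(e_phnum):
        phdr = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if phdr[0] == PT_GNU_STACK:
            return _flags_str(phdr[flags_idx])
    return None


def stack_is_executable(data):
    """True when loading this image would make the stack executable.

    A missing PT_GNU_STACK header counts as executable: glibc then uses the
    architecture default, which on x86 includes PF_X, and the mprotect() it
    issues is exactly what SELinux reports as an execstack denial."""
    flags = gnu_stack_flags(data)
    return flags is None or "E" in flags


def make_elf(stack_flags, bits=64):
    """Constructed test image (not a real shared object): an ELF header plus, unless
    stack_flags is None, a single PT_GNU_STACK program header with those flags."""
    phnum = 0 if stack_flags is None else 1
    if bits == 64:
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
        ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
        phdr = b"" if phnum == 0 else struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    else:
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
        ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 3, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
        phdr = b"" if phnum == 0 else struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr


def main(argv):
    """Usage: python check_execstack.py /opt/jrun4/lib/wsconfig/1/mod_jrun22.so ..."""
    for path in argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        flags = gnu_stack_flags(data)
        verdict = "NEEDS EXEC STACK" if stack_is_executable(data) else "ok"
        print("%s: GNU_STACK %s -> %s" % (path, flags or "(absent)", verdict))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the freshly built mod_jrun22.so; a result of “RW -> ok” means the module will load under httpd_t without the execstack permission the stock Adobe build required.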

Fix SELinux Context on Connector

At this point, Apache won’t even start because the SELinux context isn’t set properly, so it can’t load mod_jrun22.so. If you’re using the default Apache package, the user is “apache”. Set the context so that Apache can access the connector we just created (note that chcon changes the label on the files as they are now; a filesystem relabel will reset it, so keep these commands handy):

chown -R apache /opt/jrun4/lib/wsconfig/1
chcon system_u:object_r:httpd_exec_t /opt/jrun4/lib/wsconfig/1/*

Allow HTTPD to talk to JRun over a Localhost Port

Now Apache will start, but it can’t connect to Jrun on the localhost port resulting in a “13 Permission denied” error in the Apache error log:

[Thu Dec 06 15:50:18 2007] [notice] jrApache[3846: 57273] 127.0.0.1:51020 connect failed: 13 13 Permission denied

Damn! Well, it turns out this happens to others, and there’s a known fix for it (sourced from a Bugzilla bug). Here’s what we need:

# the -P makes this permanent across reboots
/usr/sbin/setsebool -P httpd_can_network_connect=1

Start it Up!

Ok, start Apache:

/usr/sbin/apachectl start

You should be able to load up the Administrator or any other CF page at this point meaning you’ve got the security (and pain in the ass…) of SELinux combined with the power of ColdFusion. No compromises!

Adobe doesn’t provide startup scripts for ColdFusion multi-server. While Steven Erat has some, they didn’t work for me on CentOS 5. This is the startup command I’m using in a modified init.d script where INSTANCE is the name of the Jrun instance you want to start (the default is “cfusion”):

/sbin/runuser apache -c "/opt/jrun4/bin/jrun -nohup -start $INSTANCE >> /opt/jrun4/logs/cfserver-$INSTANCE.log 2>&1 &"

Resources

Here are some error messages I received along the way to assist in people finding this via search:

type=AVC msg=audit(1196968117.158:18): avc: denied { execstack } for pid=1660 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process

type=AVC msg=audit(1196982778.351:141): avc: denied { name_connect } for pid=2174 comm="httpd" dest=51020 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

[Thu Dec 06 15:50:24 2007] [notice] jrApache[3847: 57529] 127.0.0.1:51020 connect failed: 13 13 Permission denied
[Thu Dec 06 15:50:24 2007] [notice] jrApache[3847: 57529] Couldn't initialize from remote server, JRun server(s) probably down.
[Thu Dec 06 15:50:24 2007] [notice] jrApache[3847: 57529] JRun will not accept request. Check JRun web server configuration and JRun mappings on JRun server.
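Both denials above are recognisable from the audit log alone, which is faster than the trial and error this post went through. The script below is an added example (not part of the original post or any Adobe tooling) that parses avc: denied records and maps the two combinations seen here to the remedies used above: execstack on httpd_t means the module needs rebuilding, and name_connect to a tcp_socket from httpd_t means the httpd_can_network_connect boolean. The first two sample records are the ones quoted in this Resources section; the third, non-AVC line is constructed to show that other record types are skipped.

```python
"""Triage SELinux AVC denials of the kinds hit while putting JRun behind Apache."""
import re

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_AUDIT_LINES = [
    # the two records from the post
    'type=AVC msg=audit(1196968117.158:18): avc: denied { execstack } for pid=1660 '
    'comm="httpd" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=process',
    'type=AVC msg=audit(1196982778.351:141): avc: denied { name_connect } for pid=2174 '
    'comm="httpd" dest=51020 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    # constructed non-AVC record, to show it is ignored
    'type=SYSCALL msg=audit(1196982778.351:141): arch=40000003 syscall=102 success=no exit=-13',
]


def parse_avc(line):
    """Parse one audit line; return a dict of fields or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("kv")):
        rec[key] = value.strip('"')
    # A context is user:role:type[:level]; the type is what policy rules key on.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx[0] + "type"] = parts[2] if len(parts) > 2 else None   # "stype" / "ttype"
    return rec


def remedy(rec):
    """Map a parsed denial to (category, action). Only the cases from the post are
    known; anything else is handed to audit2why for manual review."""
    perms = set(rec["perms"])
    if rec.get("tclass") == "process" and "execstack" in perms:
        return ("execstack",
                "%s loaded a module that needs an executable stack; rebuild the module so "
                "its PT_GNU_STACK is RW rather than loosening policy" % rec.get("comm"))
    if (rec.get("tclass") == "tcp_socket" and "name_connect" in perms
            and rec.get("stype") == "httpd_t"):
        return ("name_connect",
                "httpd may not open outbound TCP (dest port %s): "
                "setsebool -P httpd_can_network_connect=1" % rec.get("dest"))
    return ("unknown", "no canned remedy; run audit2why on this record")


def triage(lines):
    """Return [(category, action), ...] for every AVC denial found in `lines`."""
    results = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            results.append(remedy(rec))
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # e.g. python avc_triage.py /var/log/audit/audit.log
        with open(sys.argv[1]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_AUDIT_LINES
    for category, action in triage(lines):
        print("[%s] %s" % (category, action))
```

The source type check on the name_connect rule is deliberate: the boolean only makes sense for httpd_t, and a name_connect denial from some other domain should not be answered by opening up Apache’s policy.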

1 Comment

  1. brian said:

    on December 22, 2007 at 4:08 pm

    In setting up a new server, I realized that in addition to the libXp library you need installed (per Bill Mitchell’s instructions) you also need libXtst. This is my “legacy” install command:

    yum install compat-libstdc++-296 compat-libstdc++-33 libXp libXtst
