Support for Red Hat Enterprise Linux 4 is introduced with the release of ColdFusion MX 7.01. This presents a new security challenge to System Administrators configuring ColdFusion MX for Apache since the SELinux functionality is ACTIVE by default starting with RHEL4. SELinux, or Security Enhanced Linux, is a software product developed by the National Security Agency and has become a standard in Red Hat Linux distributions including RHEL and Fedora Core Linux (FC remains unsupported by CFMX). The most notable problem arises when attempting to configure the webserver to run the ColdFusion connector stub. This problem and a recommended solution are described further below, but first I'll quote from two references regarding the nature of SELinux.

Security Enhanced Linux (SELinux) is a project to provide built-in administrative protection for aspects of your Linux system. Instead of relying on users to protect their files or on a specific network program to control access, security measures would be built into the basic file management system and the network access methods.
...
Linux and Unix Systems normally use a discretionary access control (DAC) method for restricting access. In this approach users and the objects they own, such as files, determine permissions. The user has complete discretion over the objects it owns. The weak point in many Linux/Unix systems has been the user administrative accounts. If an attacker managed to gain access to and administrative account they would have complete control over the service the account managed. Access to the root user would give control over the entire system, all its users, and any network services it was running. To counter this weakness the NSA set up a mandatory access control (MAC) structure. Instead of an all-or-nothing set of privileges based on accounts, services and administrative tasks are compartmentalized and separately controlled with policies detailing what can and cannot be done. Access is granted not just because one is an authenticated user, but when specific security criteria are met. Users, applications, process, files, and devices can be given just the access they need to do their job, and nothing more.
Ref: The Complete Reference: Red Hat Enterprise Linux and Fedora Core 4, pp. 335-336

SELinux is a software product that includes several mechanisms that protect against attacks exploiting software vulnerabilities, including attacks on 0-day vulnerabilities. In particular, SELinux implements role-based access control and sandboxing.
...
SELinux works by associating each program or process with a sandbox known as a domain. Each domain is assigned a set of permissions sufficient to enable it to function properly but do nothing else. For instance, a domain is limited in the files it can access and the types of operations it can perform on those files. To enable specification of such permissions, each file is labeled with information called a security context. The definition of a domain spells out what operations it can perform on files having specific security contexts. A domain cannot access files having security contexts other than those for which it is explicitly granted access.
Ref: SELinux - NSA's Open Source Security Enhanced Linux, pp. 12-13


To begin configuring the Apache webserver for ColdFusion, I previously modified the cf_root/bin/connectors/apache_connector.sh example script to match the locations of the httpd and apachectl executables on my system, and I added a -v switch at the end to output verbose information when run. Here I've run the script and the verbose output was generated. Notice the error at the bottom for Exec'ing /usr/sbin/apachectl restart, apachectl: Configuration syntax error, will not run "restart":

[root@RHEL4DEV1 connectors]# pwd
/opt/coldfusionmx7/bin/connectors
[root@RHEL4DEV1 connectors]# ./apache_connector.sh
Found JRun server coldfusion at 127.0.0.1:2920
Red Hat Enterprise Linux ES release 4 (Nahant)
Detected Red Hat Linux release 4
Using Apache binary /usr/sbin/httpd
Server version: Apache/2.0.52
Using Apache control script /usr/sbin/apachectl
Parsing Apache configuration file /etc/httpd/conf/httpd.conf
Exec'ing chmod 777 /opt/coldfusionmx7/runtime/lib/wsconfig/1
Set permission to 777 on /opt/coldfusionmx7/runtime/lib/wsconfig/1
Exec'ing chmod +x /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so
Set permission to execute on /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so
Created file /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so
Wrote file /etc/httpd/conf/httpd.conf
Added JRun configuration to Apache configuration file /etc/httpd/conf/httpd.conf
Created file /opt/coldfusionmx7/runtime/lib/wsconfig/1/README.txt
Wrote file /opt/coldfusionmx7/runtime/lib/wsconfig/wsconfig.properties
Exec'ing /usr/sbin/apachectl restart
apachectl: Configuration syntax error, will not run "restart":
Syntax OK
Restarted Apache server
The Apache connector was installed to /etc/httpd/conf


At the same time, the following SELinux security audit message denied was written to /var/log/messages:

Oct 25 12:09:52 RHEL4DEV1 kernel: audit(1130256592.179:0): avc: denied { execute } for pid=6770
path=/opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so dev=hda5 ino=32857
scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file


The apache_connector.sh script should have restarted the Apache process by running the apachectl command but received the security error above. So I manually attempted to restart Apache but failed on another security error message which was output right on the console:

[root@RHEL4DEV1 connectors]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: Syntax error on line 909 of /etc/httpd/conf/httpd.conf:
Cannot load /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so into server:
/opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so:
failed to map segment from shared object: Permission denied
[FAILED]


When attempting to restart Apache above, the corresponding security audit entries were made in /var/log/messages:

Oct 25 12:10:15 RHEL4DEV1 httpd: httpd shutdown succeeded
Oct 25 12:10:15 RHEL4DEV1 kernel: audit(1130256615.206:0): avc: denied { execute } for pid=6789 path=/opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so
dev=hda5 ino=32857 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
Oct 25 12:10:15 RHEL4DEV1 httpd: Syntax error on line 909 of /etc/httpd/conf/httpd.conf:
Oct 25 12:10:15 RHEL4DEV1 httpd: Cannot load /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so into server: /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so: failed to map segment from shared object: Permission denied
Oct 25 12:10:15 RHEL4DEV1 httpd: httpd startup failed


Knowing that SELinux was configured to ENFORCING mode on the system, I inspected the security context on the ColdFusion connector module mod_jrun20.so and the httpd binary since the Apache httpd binary will need to load the connector module when starting. If the SELinux security policy has sandboxed httpd to only run files in its security domain, then the mod_jrun20.so module would not be able to be loaded into httpd process unless mod_jrun20.so shared the same security domain.

The system commands ls and ps now have a new switch -Z to show the security context of a file, directory, or process. Using ls -Z [file] I determined that mod_jrun20.so had the security context of root:object_r:usr_t composed of three parts where root is the security id (not the same as system user 'root'), object_r is the security user role, and usr_t is the security domain. Further, Apache's httpd binary had the security context system_u:object_r:httpd_exec_t where the security domain is http_exec_t, and Apache's apachectl binary had a security context system_u:object_r:sbin_t where the security domain is sbin_t .

[root@RHEL4DEV1 connectors]# cd /opt/coldfusionmx7/runtime/lib/wsconfig/
[root@RHEL4DEV1 wsconfig]# ls -l
total 32
drwxrwxrwx 2 root root 4096 Oct 25 12:09 1
-rw-r--r-- 1 root root 1441 Oct 25 12:09 wsconfig.log
-rw-r--r-- 1 root root 198 Oct 25 12:09 wsconfig.properties
[root@RHEL4DEV1 wsconfig]# ls -l 1/
total 92
-rwxr-xr-x 1 root root 75088 Feb 18 2005 mod_jrun20.so
-rw-r--r-- 1 root root 272 Oct 25 12:09 README.txt
[root@RHEL4DEV1 wsconfig]#
[root@RHEL4DEV1 wsconfig]# ls -Z 1/mod_jrun20.so
-rwxr-xr-x root root root:object_r:usr_t 1/mod_jrun20.so
[root@RHEL4DEV1 wsconfig]# which httpd
/usr/sbin/httpd
[root@RHEL4DEV1 wsconfig]# ls -Z /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
[root@RHEL4DEV1 wsconfig]# ls -Z /usr/sbin/apachectl
-rwxr-xr-x root root system_u:object_r:sbin_t /usr/sbin/apachectl


In order for the Apache httpd binary to load the ColdFusion mod_jrun20.so connector module I would have to change the security domain of the module to be like that of httpd, and this is most easily done with the chcon command where the --reference=[reference file] switch indicates the reference security context to be applied to the target file or directory like so:
chcon --reference=/usr/sbin/httpd
/opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so
.

[root@RHEL4DEV1 wsconfig]# chcon --help
Usage: chcon [OPTION]... CONTEXT FILE...
or: chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...
or: chcon [OPTION]... --reference=RFILE FILE...
Change the security context of each FILE to CONTEXT.

-c, --changes like verbose but report only when a change is made
-h, --no-dereference affect symbolic links instead of any referenced file
(available only on systems with lchown system call)
-f, --silent, --quiet suppress most error messages
--reference=RFILE use RFILE's group instead of using a CONTEXT value
-u, --user=USER set user USER in the target security context
-r, --role=ROLE set role ROLE in the target security context
-t, --type=TYPE set type TYPE in the target security context
-l, --range=RANGE set range RANGE in the target security context
-R, --recursive change files and directories recursively
-v, --verbose output a diagnostic for every file processed
--help display this help and exit
--version output version information and exit

[root@RHEL4DEV1 wsconfig]# chcon --reference=/usr/sbin/httpd 1/mod_jrun20.so
[root@RHEL4DEV1 wsconfig]# ls -Z 1/mod_jrun20.so
-rwxr-xr-x root root system_u:object_r:httpd_exec_t 1/mod_jrun20.so
[root@RHEL4DEV1 wsconfig]# service httpd start
Starting httpd: [ OK ]
[root@RHEL4DEV1 wsconfig]#


Notice in the above that the security context of mod_jrun20.so was changed to match the security context of the httpd binary file. SELinux would then permit Apache to start and the httpd process successfully loaded the ColdFusion connector module.

Oct 25 12:13:51 RHEL4DEV1 httpd: httpd startup succeeded