There's been a lot of talk about how to run ColdFusion MX 7 on Ubuntu Linux, but I haven't seen much about running CFMX on Fedora Core 6 Linux. While both are officially unsupported for use with ColdFusion by Adobe, as a hobbyist you might enjoy working with these or other distributions, as I do. Ubuntu is based on source from Debian Linux, while Fedora Core is based on Red Hat source, and in fact Fedora distros are effectively public betas used towards the development of future Red Hat Enterprise Linux releases. According to DistroWatch, Ubuntu is by far the most popular distro out there, for now, while Fedora pulls in at #3.

The problems regarding the installation and configuration of ColdFusion on each distribution are both overlapping and yet distinct, especially where Security Enhanced Linux (SELinux) is involved (Fedora). FC6 intends to make SELinux security policy administration easier via a graphical troubleshooting tool. (While I was able to install and use setroubleshoot, I was not able to get the sealert client GUI to work, but it does have commandline operations that were helpful... somewhat. See below.)

Here I identify and address 5 problems in order to run ColdFusion on FC6, leaving one problem with SELinux unresolved but with a workaround. Some of these problems and their solutions have been blogged about before, but I found new twists to them in FC6.

I decided to address the issues of Fedora Core because Red Hat Enterprise Linux 5 is currently in Beta 2 and is largely based on Fedora, and I hope to be ahead of the curve by the time RHEL5 is released. Since ColdFusion 4.01 in 1998, ColdFusion releases have supported current Red Hat releases.

To begin, here's the distribution and kernel information that I used:

[root@FC6DELL installers]# uname -a
Linux FC6DELL 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:54:20 EDT 2006 i686 i686 i386 GNU/Linux
[root@FC6DELL installers]# cat /etc/redhat-release
Fedora Core release 6 (Zod)


Problem 1: Error while loading shared libraries: libc.so.6:

The first problem encountered when attempting to install ColdFusion (on this unsupported distribution) was one I've heard a lot about. The error indicates that libc.so.6 cannot be found, yet querying the package list confirms that the supposedly missing file is present.

[root@FC6DELL installers]# ls -l
total 287228
-rwxr-xr-x 1 root root 293820234 Nov 6 13:08 coldfusion-macr-linux.bin
[root@FC6DELL installers]# ./coldfusion-macr-linux.bin
Preparing to install...
Extracting the JRE from the installer archive...
Unpacking the JRE...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...
awk: error while loading shared libraries: libdl.so.2: cannot open shared object file: No such file or directory
dirname: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
/bin/ls: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
basename: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
dirname: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
basename: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory

Launching installer...

grep: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
/tmp/install.dir.3348/Linux/resource/jre/bin/java: error while loading shared libraries: libpthread.so.0: cannot open shared object file: No such file or directory


Here I confirm that the 'missing' file is in fact installed:

[root@FC6DELL installers]# rpm -q --whatprovides libc.so.6
glibc-2.5-3
[root@FC6DELL installers]# rpm -q glibc
glibc-2.5-3


Using a hack first mentioned in July among the comments to one of my blog entries, and later in the comments on Dave Shuck's blog, I was able to install ColdFusion MX 7.02 on FC6.

First, rename the coldfusion bin file:

[root@FC6DELL installers]# ls -l
total 287228
-rwxr-xr-x 1 root root 293820234 Nov 6 13:08 coldfusion-macr-linux.bin
[root@FC6DELL installers]# mv coldfusion-macr-linux.bin coldfusion-macr-linux.bin.bak
[root@FC6DELL installers]# ls -l
total 287228
-rwxr-xr-x 1 root root 293820234 Nov 6 13:08 coldfusion-macr-linux.bin.bak


Then run a string replace operation on the binary, which comments out the offending line and generates a new binary with the change:

[root@FC6DELL installers]# cat coldfusion-macr-linux.bin.bak | sed "s/export LD_ASSUME/#xport LD_ASSUME/" > coldfusion-macr-linux.bin
[root@FC6DELL installers]# ls -l
total 574456
-rw-r--r-- 1 root root 293820234 Dec 3 12:23 coldfusion-macr-linux.bin
-rwxr-xr-x 1 root root 293820234 Nov 6 13:08 coldfusion-macr-linux.bin.bak


Then remove the .bak copy to avoid confusion, and restore the execute bit on the new file:

[root@FC6DELL installers]# rm coldfusion-macr-linux.bin.bak
rm: remove regular file `coldfusion-macr-linux.bin.bak'? y
[root@FC6DELL installers]# chmod u+x coldfusion-macr-linux.bin
[root@FC6DELL installers]# ls -l
total 287228
-rwxr--r-- 1 root root 293820234 Dec 3 12:23 coldfusion-macr-linux.bin


And now try running the binary again, making sure to not configure Apache during installation (and use the built-in webserver for now):

[root@FC6DELL installers]# ./coldfusion-macr-linux.bin
Preparing to install...
Extracting the JRE from the installer archive...
Unpacking the JRE...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...
awk: cmd. line:6: warning: escape sequence `.' treated as plain `.'

Launching installer...

Preparing CONSOLE Mode Installation...

...

You have successfully completed the first step in installing Macromedia
ColdFusion MX 7.

To continue with your installation, go to /opt/coldfusionmx7/bin and type
"./coldfusion start" to start your server.

Once the server is started log in to the Configuration Wizard at
http://[machinename]:8500/CFIDE/administrator/index.cfm

PRESS <ENTER> TO EXIT THE INSTALLER:
[root@FC6DELL installers]#


Success! ColdFusion server is now installed.
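
The rename, sed and chmod steps above folded into one function, as an added example that is not part of the original post: it applies the same substitution, then checks that the file size is unchanged and that exactly one byte per patched line differs before setting the execute bit. The function names and the constructed sample file are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.

# patch_installer SRC DST
# Applies the post's sed substitution to SRC, writes DST, and verifies the
# result before making DST executable. Prints the number of patched lines.
patch_installer() {
    local src=$1 dst=$2
    local old='export LD_ASSUME' new='#xport LD_ASSUME'
    local hits changed

    # The replacement must be exactly as long as the string it replaces.
    [ "${#old}" -eq "${#new}" ] || return 2

    # -a: read the binary as text; -c: count lines containing the string.
    hits=$(LC_ALL=C grep -a -c -F -- "$old" "$src" || true)
    [ "${hits:-0}" -gt 0 ] || { echo "pattern not found in $src" >&2; return 3; }

    # Same command as in the post, with a byte-oriented locale for binary data.
    LC_ALL=C sed "s/$old/$new/" "$src" > "$dst" || return 1

    # Same size in, same size out: nothing after a patched line has moved.
    if [ "$(wc -c < "$src")" -ne "$(wc -c < "$dst")" ]; then
        rm -f "$dst"; return 4
    fi

    # cmp -l prints one line per differing byte. Each patched line differs in
    # exactly one byte ('e' became '#'), so the two counts must agree.
    changed=$(cmp -l "$src" "$dst" | wc -l)
    if [ "$changed" -ne "$hits" ]; then
        rm -f "$dst"; return 5
    fi

    chmod u+x "$dst"
    echo "$hits"
}

# Constructed stand-in for a self-extracting installer: a shell stub followed
# by bytes that are not text. This is sample data, not the real installer.
make_sample_installer() {
    {
        printf '#!/bin/sh\n'
        printf 'LD_ASSUME_KERNEL=2.2.5\n'
        printf 'export LD_ASSUME_KERNEL\n'
        printf 'exit 0\n'
        printf '\001\002\003PAYLOAD\000\377\376\n'
    } > "$1"
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
make_sample_installer "$demo_dir/installer.bin.bak"
patched=$(patch_installer "$demo_dir/installer.bin.bak" "$demo_dir/installer.bin")
echo "patched lines: $patched"
rm -rf "$demo_dir"
```

On the real installer the call would be `patch_installer coldfusion-macr-linux.bin.bak coldfusion-macr-linux.bin`.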

The comments on Dave Shuck's blog also suggest changing some basic ColdFusion scripts that may have a similar problem. However, I found that the change I made to the original binary propagated to the resulting scripts, so no additional change was needed:

[root@FC6DELL installers]# cd /opt/coldfusionmx7/bin
[root@FC6DELL bin]# cat coldfusion | grep LD_ASSUME_KERNEL
 LD_ASSUME_KERNEL=2.2.9
 #xport LD_ASSUME_KERNEL
[root@FC6DELL bin]# cat cfstat | grep LD_ASSUME_KERNEL
 LD_ASSUME_KERNEL=2.2.9
 #xport LD_ASSUME_KERNEL
[root@FC6DELL bin]# cat cfinfo | grep LD_ASSUME_KERNEL


The exception is the uninstall script, which would need the same sed string replace hack if you decide to run it:

[root@FC6DELL bin]# cat ../uninstall/uninstall | grep LD_ASSUME_KERNEL
linux_LD_ASSUME_KERNEL_hack=0;
 linux_LD_ASSUME_KERNEL_hack=1
# LD_ASSUME_KERNEL for Native POSIX Threading Library on some Linux distros
 export LD_ASSUME_KERNEL=2.2.5
 # unset the LD_ASSUME_KERNEL in cause we don't need it
 unset LD_ASSUME_KERNEL
 # check our rules for setting LD_ASSUME_KERNEL
 linux_LD_ASSUME_KERNEL_hack=1
if [ $linux_LD_ASSUME_KERNEL_hack -eq 1 ]; then
 LD_ASSUME_KERNEL=2.2.5
 export LD_ASSUME_KERNEL
[root@FC6DELL bin]#


Great, ColdFusion is installed, now to start it:

[root@FC6DELL bin]# ./coldfusion start
Starting ColdFusion MX 7...
The ColdFusion MX 7 server is starting up and will be available shortly.
======================================================================
ColdFusion MX 7 has been started.
ColdFusion MX 7 will write logs to /opt/coldfusionmx7/logs/cfserver.log
======================================================================

[root@FC6DELL bin]# ps -ef | grep cold
nobody 31404 1 0 13:22 ? 00:00:00 /opt/coldfusionmx7/verity/k2/_ilnx21/bin/k2admin
nobody 5889 1 0 13:46 ? 00:00:00 /opt/coldfusionmx7/runtime/bin/cfmx7 -jar jrun.jar -autorestart -start coldfusion
nobody 5890 5889 48 13:46 ? 00:00:18 /opt/coldfusionmx7/runtime/bin/cfmx7 -jar jrun.jar -start coldfusion
root 5979 2772 0 13:46 pts/1 00:00:00 grep cold
[root@FC6DELL bin]#


Everything seems in place. ColdFusion is running and listening on port 8500 for web requests.

Problem 2: Graphing Service Not Available

Open the ColdFusion Administrator to complete the second half of the installation process, the Setup Wizard. When browsing the CF Admin for the first time, I was greeted with a familiar problem:

The Graphing Service is not available

and in the cfserver.log I found:

12/05 16:20:03 Error [main] - Unable to initialize Graphing service: java.lang.UnsatisfiedLinkError: /opt/coldfusionmx7/runtime/jre/lib/i386/libawt.so: libXp.so.6: cannot open shared object file: No such file or directory


I attempted the fix reported earlier on my blog for this, which is to install the xorg-x11-deprecated-libs package, but that did not work on FC6 this time. I found that the libXp package for FC6 was available on rpmfind.net, so I installed it.

[root@FC6DELL connectors]# rpm -Uvh /home/steven/libXp-1.0.0-8.i386.rpm
warning: /home/steven/libXp-1.0.0-8.i386.rpm: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2
Preparing... ########################################### [100%]
 1:libXp ########################################### [100%]
[root@FC6DELL connectors]# service coldfusionmx7 restart


But of course this is Fedora, which now uses yum to install patches, so for demonstration I removed the libXp rpm and used yum to install instead, which is much easier:

[root@FC6DELL ~]# rpm -e libXp
[root@FC6DELL ~]# yum install libXp
...
 Installing: libXp ######################### [1/1]
Installed: libXp.i386 0:1.0.0-8
Complete!


And with this library installed ColdFusion now started properly without the graphing service error and I was able to complete the Setup Wizard in the browser.

Problem 3: Change in /etc/hosts syntax affects connector installation

At this point I wanted to explore configuring Apache 2.2, default on the system and known to not work with the CFMX 7.0x releases, although a hotfix is available. Just to see how an unsuspecting user might encounter the problem, I attempted to configure Apache as is.

Here's the version info and location of binaries needed to run the connector script:

[root@FC6DELL bin]# rpm -q httpd
httpd-2.2.3-5
[root@FC6DELL bin]# which httpd
/usr/sbin/httpd
[root@FC6DELL bin]# httpd -v
Server version: Apache/2.2.3
Server built: Sep 11 2006 09:43:05
[root@FC6DELL bin]# which apachectl
/usr/sbin/apachectl


ColdFusion ships with some example scripts which can be modified for commandline installation of the external webserver connector. In the {cf_root}/bin/connectors directory I selected the apache_connector.sh script for modification based on the location of Apache binaries on my system (in /usr/sbin/):

[root@FC6DELL bin]# cd connectors/
[root@FC6DELL connectors]# cat apache_connector.sh

#!/bin/sh

#
# Configure the Apache connector.
# -dir should be the *directory* which contains httpd.conf
# -bin should be the path to the apache *executable*
# -script should be the path to the script which is used to
# start/stop apache
#
../../runtime/bin/wsconfig \
 -server coldfusion \
 -ws apache \
 -dir /etc/httpd/conf \
 -bin /usr/sbin/httpd \
 -script /usr/sbin/apachectl \
 -coldfusion

exit $#


Saving the file and running it, I encountered the following problem which suggests possible causes:

[root@FC6DELL connectors]# ./apache_connector.sh
Could not connect to any JRun/ColdFusion servers on host localhost.
Possible causes:
o Server not running
 -Start Macromedia JRun4 or ColdFusion MX server
o Server running
 -JNDI listen port in jndi.properties blocked by TCP/IP filtering or firewall
 on server
 -host restriction in security.properties blocking communication with server
[root@FC6DELL connectors]#


I've done this enough times to know that everything should be in place and should be working, so perhaps there is a new problem. I tested with the firewall on and off (I must have installed with pretty liberal iptables rules because connections to ports on localhost were not being blocked, and I confirmed with the command iptables -nvL to show the rules, something I'll tighten up later). I also checked to confirm the server was running and that the JNDI port was being listened to (2920 as defined in SERVER-INF/jndi.properties):

[root@FC6DELL ~]# netstat -antp | grep "cfmx7"
tcp 0 0 :::51011    :::*    LISTEN 3971/cfmx7
tcp 0 0 :::2920    :::*    LISTEN 3971/cfmx7
tcp 0 0 :::1099    :::*    LISTEN 3971/cfmx7
tcp 0 0 :::45742    :::*    LISTEN 3971/cfmx7
tcp 0 0 :::8500    :::*    LISTEN 3971/cfmx7


Knowing that part of the problem with running the wsconfig connector tool might be hostname problems and such, I checked /etc/sysconfig/network, checked the output of hostname, and checked the contents of /etc/hosts. In /etc/hosts I found a new syntax which surprised me. Normally it follows the syntax of "{ip} {hostname} {alias}", but this one looked like this:

[root@FC6DELL connectors]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
::1 FC6DELL localhost.localdomain localhost


I'll look into the new syntax, but for now I changed it back to what I know:

[root@FC6DELL connectors]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
#::1 FC6DELL localhost.localdomain localhost
127.0.0.1 FC6DELL localhost


At this point wsconfig was producing the same error as above, so based on past experience I took a guess that ColdFusion had cached the earlier host entry, and then restarted ColdFusion.

[root@FC6DELL connectors]# service coldfusionmx7 restart
Restarting ColdFusion MX 7...
Stopping ColdFusion MX 7, please wait
Stopping coldfusion server.stopped
ColdFusion MX 7 has been stopped
Starting ColdFusion MX 7...
The ColdFusion MX 7 server is starting up and will be available shortly.


Problem 4: Configuring Apache 2.2

Running the apache_connector.sh script again worked... sort of:

[root@FC6DELL connectors]# ./apache_connector.sh
Server version: Apache/2.2.3
apachectl: Configuration syntax error, will not run "restart":
httpd: Syntax error on line 872 of /etc/httpd/conf/httpd.conf: Cannot load /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.Error running "/usr/sbin/apachectl restart": exit code was 1
Error restarting Apache server. The web server must be restarted to complete this operation.
so into server: /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so: undefined symbol: ap_run_http_method


The wsconfig tool did its thing and installed the connector, but now Apache wouldn't start because the connector module library was made for Apache 2.0, not 2.2, hence the undefined symbol: ap_run_http_method message returned.

As alluded to earlier, there is a hotfix containing a connector module appropriate for Apache 2.2, so I proceeded with hotfix installation.

[root@FC6DELL lib]# pwd
/opt/coldfusionmx7/runtime/lib
[root@FC6DELL lib]# ls -l wsconfig.jar
-rwxrwxr-x 1 nobody root 2419011 Oct 12 11:49 wsconfig.jar
[root@FC6DELL lib]# mv wsconfig.jar wsconfig.apache20.jar
[root@FC6DELL lib]# unzip wsconfig.zip
Archive: wsconfig.zip
 inflating: wsconfig.jar
[root@FC6DELL lib]# ls -l wsconfig.jar
-rw-rw-rw- 1 root root 2519507 May 18 2006 wsconfig.jar


Then with the new wsconfig.jar, I removed all traces of the bad connector, then ran the connector installation script again...

[root@FC6DELL connectors]# ./apache_connector.sh
Server version: Apache/2.2.3
apachectl: Configuration syntax error, will not run "restart":
Restarted Apache server
The Apache connector was installed to /etc/httpd/conf
Syntax OK


Success, ok, sort of. So the connector got installed again, and the Apache 2.2 problem was solved, but now there's something else causing Apache to not start when configured to load the connector module:

[root@FC6DELL connectors]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [FAILED]


Problem 5: SELinux prohibits Apache from loading ColdFusion connector

Having past experience with SELinux and "Permission Denied" problems when the connector module is not in the same security context as the httpd binary, I checked the logs for SELinux messages:

[root@FC6DELL connectors]# tail /var/log/messages | grep jrun
Dec 3 18:16:07 FC6DELL kernel: audit(1165360567.583:44): avc: denied { execute } for pid=11436 comm="httpd" name="mod_jrun22.so" dev=hda3 ino=687741 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
Dec 3 18:18:20 FC6DELL kernel: audit(1165360700.363:46): avc: denied { execute } for pid=11488 comm="httpd" name="mod_jrun22.so" dev=hda3 ino=687741 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
[root@FC6DELL connectors]#


The culprit is SELinux, as identified by the avc: denied message regarding httpd. As a quick test, I momentarily turned off SELinux on the fly, tested an httpd restart, then turned it back on for another test:

[root@FC6DELL connectors]# setenforce 0
[root@FC6DELL connectors]# service httpd start
Starting httpd: [ OK ]
[root@FC6DELL connectors]# service httpd stop
Stopping httpd: [ OK ]
[root@FC6DELL connectors]# setenforce 1
[root@FC6DELL connectors]# service httpd start
Starting httpd: [FAILED]
[root@FC6DELL connectors]#


This confirmed that SELinux was blocking Apache from loading the ColdFusion connector module. Following my earlier instructions, I used chcon to change the security context of the connector module to be the same as the httpd binary:

[root@FC6DELL connectors]# chcon --reference=/usr/sbin/httpd /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun22.so
[root@FC6DELL connectors]# ls -lZ /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun22.so
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun22.so
[root@FC6DELL connectors]# ls -lZ /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
[root@FC6DELL connectors]# service httpd start
Starting httpd: [FAILED]


But what happened? I fully expected this solution to resolve the problem, but no. I continued to get SELinux errors when attempting to start Apache.

Fedora Core 6 has a utility available (but not installed on my system) called setroubleshoot, which runs as a daemon and attempts to intercept SELinux messages for clarification. It installs with a utility called sealert that can be run in GUI or CLI mode and is supposed to pop up a balloon to notify the user when an SELinux deny message is logged.

Based on Dan Walsh's blog entry I installed the utility:

[root@FC6DELL ~]# yum install setroubleshoot
...
[root@FC6DELL ~]# service setroubleshoot start
Starting setroubleshootd: [ OK ]
[root@FC6DELL ~]# sealert
could not attach to desktop process


Unfortunately, the sealert utility would not start in GUI mode. Checking the logs again, I found an improved version of the SELinux deny message:

[root@FC6DELL ~]#
[root@FC6DELL ~]# service httpd start
Starting httpd: [FAILED]
[root@FC6DELL ~]# tail -1 /var/log/messages
Dec 3 13:08:47 FC6DELL setroubleshoot: SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled files <Unknown> (httpd_t). For complete SELinux messages. run sealert -l 4d2a3d5e-cb8f-4f16-8fc6-c09247d09d25
[root@FC6DELL ~]#


The error is more intuitive, and recommends a specific command to generate detailed information based on that particular entry:

[root@FC6DELL ~]# sealert -l 4d2a3d5e-cb8f-4f16-8fc6-c09247d09d25
Summary
 SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled
 files <Unknown> (httpd_t).

Detailed Description
 SELinux has denied the /usr/sbin/httpd access to potentially mislabeled
 files <Unknown>. This means that SELinux will not allow http to use these
 files. Many third party apps install html files in directories that SELinux
 policy can not predict. These directories have to be labeled with a file
 context which httpd can accesss.

Allowing Access
 If you want to change the file context of <Unknown> so that the httpd daemon
 can access it, you need to execute it using chcon -t
 httpd_sys_content_t.<Unknown>. You can look at the httpd_selinux man page
 for additional information.

Additional Information:

Source Context: user_u:system_r:httpd_t
Target Context: user_u:system_r:httpd_t
Target Objects: None [ process ]
Affected RPM Packages: httpd-2.2.3-5 [application]
Policy RPM: selinux-policy-2.3.18-10
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.httpd_bad_labels
Host Name: FC6DELL
Platform: Linux FC6DELL 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:54:20 EDT 2006 i686 i686
Alert Count: 4
Line Numbers:

Raw Audit Messages:

avc: denied { execstack } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=3574 scontext=user_u:system_r:httpd_t:s0 sgid=0 subj=user_u:system_r:httpd_t:s0 suid=0 tclass=process tcontext=user_u:system_r:httpd_t:s0 tty=(none) uid=0


While having all this information is a big improvement for SELinux administration, I was still baffled especially since the Source Context and the Target Context were identical.
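
Added example, not part of the original post: a small triage of the two denials quoted above. It separates a check against a file's label (the execute denial on mod_jrun22.so, tclass=file) from a check on the process's own permissions (the execstack denial, tclass=process, where source and target contexts match because the process is its own target). The function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original post); function names are hypothetical.

# The two denials quoted in this post, trimmed to the fields used here.
AVC_FILE='avc: denied { execute } for pid=11436 comm="httpd" name="mod_jrun22.so" dev=hda3 ino=687741 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file'
AVC_PROC='avc: denied { execstack } for comm="httpd" exe="/usr/sbin/httpd" pid=3574 scontext=user_u:system_r:httpd_t:s0 tclass=process tcontext=user_u:system_r:httpd_t:s0'

# avc_field KEY LINE: value of the first KEY=value token, quotes removed.
avc_field() {
    printf '%s\n' "$2" | awk -v k="$1=" '{
        for (i = 1; i <= NF; i++)
            if (index($i, k) == 1) {
                v = substr($i, length(k) + 1); gsub(/"/, "", v); print v; exit
            }
    }'
}

# avc_perm LINE: the permission named between "{ " and " }".
avc_perm() {
    local open='{ ' close=' }' rest perm
    rest=${1#*"$open"}
    perm=${rest%%"$close"*}
    printf '%s\n' "$perm"
}

# avc_type CONTEXT: the type, third field of user:role:type[:level].
avc_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_triage LINE: one-line classification of a denial.
avc_triage() {
    local line=$1 perm tclass scon tcon name
    perm=$(avc_perm "$line")
    tclass=$(avc_field tclass "$line")
    scon=$(avc_field scontext "$line")
    tcon=$(avc_field tcontext "$line")
    name=$(avc_field name "$line")
    case $tclass in
        file|dir|lnk_file)
            # The target is an object on disk: its label is what was checked.
            echo "file-label: $(avc_type "$scon") denied $perm on ${name:-?} labelled $(avc_type "$tcon")"
            ;;
        process)
            if [ "$scon" = "$tcon" ]; then
                # The process is asking for a permission on itself.
                echo "process-self: $(avc_type "$scon") denied $perm on itself; no file label is involved"
            else
                echo "process-other: $(avc_type "$scon") denied $perm on process $(avc_type "$tcon")"
            fi
            ;;
        *)
            echo "other: class $tclass, permission $perm"
            ;;
    esac
}

avc_triage "$AVC_FILE"
avc_triage "$AVC_PROC"
```

A chcon on the module changes only what the first kind of check sees.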

Consulting the man pages for httpd_selinux, I found some hints for how to manually configure specific security contexts on files:

httpd_selinux(8) httpd Selinux Policy documentation httpd_selinux(8)

NAME
 httpd_selinux - Security Enhanced Linux Policy for the httpd daemon

DESCRIPTION
 Security-Enhanced Linux secures the httpd server via flexible mandatory access control.

FILE_CONTEXTS
 SELinux requires files to have an extended attribute to define the file type. Policy governs the access daemons have to these files. SELinux httpd policy is very flexible allowing
 users to setup their web services in as secure a method as possible.

 The following file contexts types are defined for httpd:
...
 httpd_unconfined_script_exec_t
 - Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd.


There were many FILE_CONTEXTS listed which I omit here, but the most extreme option is shown, httpd_unconfined_script_exec_t. I decided to try that security context first, knowing that if it worked I could change it to one of the more restrictive options. The httpd_unconfined_script_exec_t option effectively disables SELinux for the executable script. Yes, the connector module is not a web cgi script, but it's the least restrictive of all the http security context options, so why not?

[root@FC6DELL ~]# chcon -t httpd_unconfined_script_exec_t /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun22.so
[root@FC6DELL ~]# ls -Z /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun22.so
-rwxr-xr-x root root system_u:object_r:httpd_unconfined_script_exec_t /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun22.so


Drumroll please.... Restart Apache, and....

[root@FC6DELL ~]# service httpd start
Starting httpd: [FAILED]
[root@FC6DELL ~]# tail -1 /var/log/messages
Dec 3 13:30:12 FC6DELL setroubleshoot: SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled files <Unknown> (httpd_t). For complete SELinux messages. run sealert -l 4d2a3d5e-cb8f-4f16-8fc6-c09247d09d25


Doh!

Still, Apache will not start. For now, until I figure this out, I will have to put SELinux in permissive mode when using Apache for ColdFusion. Again this is done on the fly with setenforce 0, or the /etc/selinux/config file can be modified to put SELinux in permissive mode rather than enforcing mode. Permissive mode prohibits nothing but only logs warnings about what would have been prohibited if it were enforcing. (Do not totally disable SELinux as new files created will not be able to participate in SELinux if it is later re-enabled).

The very purpose of setroubleshoot was to improve SELinux usability because it has been known to be so baffling to sysadmins that they would just turn it off always. But here we are again with a disabled SELinux because all known solutions (known to me at least) fail to resolve the unwanted security conflict.

Red Hat Magazine has had some reviews of Fedora Core 6, and it was mentioned that an upcoming article will contain more information about the supposed ease of SELinux administration.... we'll see about that.

Summary

To summarize this article, the problems required to be resolved for running ColdFusion on Fedora included:

  • Problem 1: Hacking the coldfusion install binary in order to remove the error about libc.so.6
    Solution: Run the string replace command shown above to rewrite the install file
  • Problem 2: Installing the libXp library to resolve the Graphing Service error
    Solution: yum install libXp
  • Problem 3: Adjusting the /etc/hosts syntax to permit wsconfig to run
    Solution: replace "::1" with 127.0.0.1 in /etc/hosts
  • Problem 4: Installing the wsconfig hotfix to get support for Apache 2.2
    Solution: install the wsconfig hotfix for Apache 2.2


Unresolved problems included:

  • Problem 5: Changing the security context on the connector module for httpd to start. Apache cannot be used with ColdFusion unless SELinux is off or until the context change can be made correctly
    Workaround: setenforce 0
  • Using the sealert utility in GUI mode