Hans Omli recently presented the following problem to me:

I've run into an issue installing ColdFusion MX 7 on Red Hat Enterprise Linux 4 Update 2 or Update 3. The same issue doesn't occur on the original release of RHEL 4 or Update 1. The issue is that after restarting, Linux pauses at 'Starting coldfusionmx7: ' until you press Enter, after which the boot process continues. Haven't been able to track down a workaround yet...

To be complete, the issue also appears on the original release and Update 1 of RHEL 4 after running up2date to apply available security updates. I think I've narrowed the issue down to the selinux-policy-targeted package. When I get a chance, I plan to diff selinux-policy-targeted-1.17.30-2.88 (RHEL4-U1) and selinux-policy-targeted-1.17.30-2.110 (RHEL4-U2) to figure out what change(s) may be causing the issue.


This was the fourth report I've heard of this problem, and until today I've never been able to reproduce it when using the original RHEL4 release. Hans provided the clue that it only occurred in recent updates to RHEL (or CentOS), so I downloaded CentOS 4.3, which has the updated SELinux policy, and then installed ColdFusion 7.01 to let the fun begin.

The short answer and solution ...


Replace the use of the su command with the runuser command in the cfmx7search and coldfusionmx7 init scripts.

The long answer ...

The cfmx7search and coldfusionmx7 init scripts start by default in run levels 3-5 on Linux, and both scripts use su - nobody to change to the runtime user. cfmx7search is scheduled to start before coldfusionmx7, so the problem has mostly been observed in cfmx7search, because bootup never gets to coldfusionmx7. During system startup, when the cfmx7search service starts, SELinux (even in permissive mode) interactively prompts for a reply regarding the user role because the cfmx7search script su's to another user. The command /sbin/su will not suppress any prompts that might occur, so cfmx7search startup hangs indefinitely while su waits for user input. /var/log/messages contains an audit trail with a message like this:

    cfmx7search: Do you want to choose a different one? [n]

This is only part of the interactive prompt, where the full message would be:

    Your default context is user_u:system_r:unconfined_t.
        Do you want to choose a different one? [n]

If someone is at the console and quickly enters 'n' for both cfmx7search and coldfusionmx7, then both start up normally and the system completes boot. The command /sbin/runuser can be used in place of /sbin/su to suppress interactive prompts. Changing both init scripts to use runuser instead of su resolves the problem and lets the system boot while starting all ColdFusion-related services non-interactively. The following shows where to use runuser in each script:

/etc/init.d/cfmx7search:
    Linux)
        OS=Linux
        platform=_ilnx21
        SUCMD="runuser -s /bin/sh $RUNTIME_USER -c"


/etc/init.d/coldfusionmx7:
    Linux)
        OS=Linux
        LD_LIBRARY_PATH="$CF_DIR/lib:$CF_DIR/lib/_ilnx21/bin"
        CFSTART='runuser -s /bin/sh $RUNTIME_USER -c "export PATH=$PATH:$CF_DIR/runtime/bin; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH; cd $CF_DIR/runtime/bin; nohup $CF_DIR/runtime/bin/cfmx7 -jar jrun.jar -autorestart -start coldfusion &"'
        CFSTOP='runuser -s /bin/sh $RUNTIME_USER -c "env -i; cd $CF_DIR/runtime/bin; $CF_DIR/runtime/bin/cfmx7 -jar jrun.jar stop coldfusion"'
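
One way to apply the su-to-runuser edit above to both init scripts and confirm nothing was missed, as an added example that is not part of the original post or of the ColdFusion scripts. It assumes the unpatched lines are the ones shown above with su in place of runuser; the function names and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: switch the ColdFusion init scripts from su to runuser.
# Assumption: unpatched lines match the page's fixed lines, with "su" as the command.

# Matches only SUCMD=, CFSTART= and CFSTOP= assignments whose command word is su.
PATTERN="^([[:space:]]*(SUCMD|CFSTART|CFSTOP)=[\"'])su([[:space:]])"

# count_su_calls FILE: print how many command assignments still invoke su.
count_su_calls() {
    grep -E -c "$PATTERN" "$1" || true
}

# su_to_runuser FILE: patch FILE, keeping the first original as FILE.bak.
# Writing back with cat keeps the inode, so the mode bits and the SELinux
# label of the init script are unchanged.
su_to_runuser() {
    file=$1
    [ -f "$file" ] || return 2
    [ -e "$file.bak" ] || cp -p "$file" "$file.bak" || return 1
    sed -E "s/$PATTERN/\1runuser\3/" "$file" > "$file.new" &&
        cat "$file.new" > "$file" &&
        rm -f "$file.new"
}

# make_sample FILE: write a constructed, unpatched fragment for a dry run.
make_sample() {
    cat > "$1" <<'EOF'
Linux)
    OS=Linux
    SUCMD="su -s /bin/sh $RUNTIME_USER -c"
    CFSTOP='su -s /bin/sh $RUNTIME_USER -c "env -i; cd $CF_DIR/runtime/bin; $CF_DIR/runtime/bin/cfmx7 -jar jrun.jar stop coldfusion"'
    # sudo and "su" inside comments are not command assignments
EOF
}

# Patch every script named on the command line, e.g. the two init scripts.
for f in "$@"; do
    su_to_runuser "$f" && echo "$f: $(count_su_calls "$f") su call(s) remaining"
done
```

Run it as root with /etc/init.d/cfmx7search and /etc/init.d/coldfusionmx7 as arguments; a remaining count of 0 for each means no su invocation is left to prompt at boot.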