When configuring ColdFusion MX for the Apache webserver on Fedora Core 3 Linux (FC3), you might find "Permission Denied" errors during several events, including when you try to start Apache.

This is because SELinux (Security Enhanced Linux) in FC3 is enabled, a default setting. During FC3 installation you have the option to configure SELinux as

  • Active
  • Warning
  • Disabled

To confirm the configuration of SELinux on your system, read the configuration file /etc/selinux/config

[root@Aneto bin]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted


If you were surprised to find "Permission Denied" errors, then you probably weren't aware that SELinux was enabled on your system. While I am a mere SELinux novice, even pre-novice at that, I cannot advise you how to tune your SELinux security policy so that Apache can load and run the ColdFusion connector module while still in enforcing mode.

To correct this though, you probably want to disable SELinux, or at least change it from enforcing mode to permissive mode. In permissive mode you will receive only warnings rather than errors. To change to permissive mode, edit /etc/selinux/config to change SELINUX=enforcing to SELINUX=permissive or SELINUX=disabled, and be careful to not add any extra whitespace. Then you should restart your system to make this take effect (init 6).

An alternative means to disable SELinux is to edit the kernel parameters at boot using the Grub interface. On the Grub menu highlight the OS/kernel you wish to boot, press the letter e, on the next screen select the kernel and kernel parameters line and press the letter e again, and finally type enforcing=0 to the end of the kernel options list. While still on the same line, press enter to finish editing the press b to boot the kernel with the updated options. This will turn off enforcing mode in SELinux until the next reboot. To make a permanent change, edit the /etc/selinux/config file as described above.

grub edit > kernel /vmlinux-2.6.9-1.667 ro root=LABEL=/ rhgb quiet enforcing=0


If you chose to configure Apache during the ColdFusion installation, then upon CF startup the cfmx-connectors.sh script will be run, attempting to complete the connector installation. The script will execute but note that errors occurred. To discover the errors, read the $CFMX/runtime/lib/wsconfig/wsconfig.log. You will find something similar to:

[root@Aneto wsconfig]# cat wsconfig.log
# Created by JRun on 02/11 18:38:16
02/11 18:38:16 info Macromedia JRun 4.0 (Build 91015)
02/11 18:38:17 debug Found JRun server coldfusion at 127.0.0.1:2920
02/11 18:38:19 debug Fedora Core release 3 (Heidelberg)
02/11 18:38:19 debug Detected Red Hat Linux release 3
02/11 18:38:19 debug Using Apache binary /usr/sbin/httpd
02/11 18:38:20 info Server version: Apache/2.0.52
02/11 18:38:20 debug Using Apache control script /usr/sbin/apachectl
02/11 18:38:20 debug Parsing Apache configuration file /etc/httpd/conf/httpd.conf
02/11 18:38:20 debug Exec'ing chmod 777 /opt/coldfusionmx7/runtime/lib/wsconfig/1
02/11 18:38:20 debug Set permission to 777 on /opt/coldfusionmx7/runtime/lib/wsconfig/1
02/11 18:38:20 debug Exec'ing chmod +x /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so
02/11 18:38:20 debug Set permission to execute on /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so
02/11 18:38:20 debug Created file /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so
02/11 18:38:21 debug Wrote file /etc/httpd/conf/httpd.conf
02/11 18:38:21 debug Added JRun configuration to Apache configuration file /etc/httpd/conf/httpd.conf
02/11 18:38:21 debug Created file /opt/coldfusionmx7/runtime/lib/wsconfig/1/README.txt
02/11 18:38:21 debug Wrote file /opt/coldfusionmx7/runtime/lib/wsconfig/wsconfig.properties
02/11 18:38:21 debug Exec'ing /usr/sbin/apachectl restart
02/11 18:38:23 error Error running "/usr/sbin/apachectl restart": exit code was 1
02/11 18:38:23 error Error restarting Apache server. The web server must be restarted to complete this operation.
jrunx.connectorinstaller.WebServerException: Error restarting Apache server. The web server must be restarted to complete this operation.
at jrunx.connectorinstaller.ApacheInstaller.restartWS(ApacheInstaller.java:430)
at jrunx.connectorinstaller.ApacheInstaller.installConnector(ApacheInstaller.java:220)
at jrunx.connectorinstaller.ConnectorInstaller.installConnector(ConnectorInstaller.java:332)
at jrunx.connectorinstaller.ConnectorInstaller.doIt(ConnectorInstaller.java:266)
at jrunx.connectorinstaller.ConnectorInstaller.main(ConnectorInstaller.java:752)


If you try to configure the webserver again, the log will then have an entry for:

02/11 18:38:53 info Macromedia JRun 4.0 (Build 91015)
02/11 18:38:53 debug Found JRun server coldfusion at 127.0.0.1:2920
02/11 18:38:54 error This web server is already configured for JRun.
jrunx.connectorinstaller.ConnectorInstallerException: This web server is already configured for JRun.
at jrunx.connectorinstaller.ApacheInstaller.installConnector(ApacheInstaller.java:163)
at jrunx.connectorinstaller.ConnectorInstaller.installConnector(ConnectorInstaller.java:332)
at jrunx.connectorinstaller.ConnectorInstaller.doIt(ConnectorInstaller.java:266)
at jrunx.connectorinstaller.ConnectorInstaller.main(ConnectorInstaller.java:752)


If you observe the contents of $CFMX/runtime/lib/wsconfig/ you will find the usual files and directories of a configured webserver:

[root@Aneto wsconfig]# pwd
/opt/coldfusionmx7/runtime/lib/wsconfig
[root@Aneto wsconfig]# ls -l
total 28
drwxrwxrwx 2 root root 4096 Feb 11 18:38 1
-rw-r--r-- 1 root root 4709 Feb 11 18:42 wsconfig.log
-rw-r--r-- 1 root root 198 Feb 11 18:38 wsconfig.properties
[root@Aneto wsconfig]# cat wsconfig.properties
#JRun/ColdFusion MX Web Server Configuration File
#Fri Feb 11 18:38:21 EST 2005
1=Apache,/etc/httpd/conf,"",/usr/sbin/httpd,/usr/sbin/apachectl,false
1.srv=localhost,"coldfusion"
1.cfmx=true,


Observing that everything looks in order, and noting that httpd.conf was correctly configured for JRun, if you try to start or restart Apache you will get this error message:

[root@Aneto wsconfig]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: Syntax error on line 907 of /etc/httpd/conf/httpd.conf: Cannot load /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so into server: /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so: failed to map segment from shared object: Permission denied
[FAILED]


Changing SELinux to permissive or disabled mode and restarting the machine allows Apache to start and load the ColdFusion MX connector module correctly.

[root@Aneto ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@Aneto ~]# service httpd status
httpd (pid 2507 2506 2505 2497 2496 2495 2494 2493 2401) is running..


Remember, ColdFusion MX 6.x and 7 do not officially support Fedora Linux, although you might find that CFMX may support Red Hat Enterprise 4 in the future, and that distribution is expected to ship with SELinux whereas RHEL 3.0 does not.

More information on SELinux and Fedora can be found here: