
TechNote (Archived)

Permission denied error when restarting Apache on Red Hat Enterprise Linux

Issue


After configuring Apache 2 web server for ColdFusion MX on Red Hat Enterprise Linux, the Apache web server may fail to restart and produce the following error message:

 [root@RHEL4DEV1 connectors]# service httpd restart
 Stopping httpd: [ OK ]
 Starting httpd: Syntax error on line 909 of /etc/httpd/conf/httpd.conf:
 Cannot load /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so into server: /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so: failed to map segment from shared object: Permission denied
 [FAILED]

Reason


Support for Red Hat Enterprise Linux 4 was introduced with the release of ColdFusion MX 7.0.1. This presents a new security challenge to system administrators configuring ColdFusion MX for Apache, because SELinux is active by default starting with RHEL4. SELinux, or Security Enhanced Linux, is a software product developed by the National Security Agency and has become a standard in Red Hat Linux distributions including RHEL3, RHEL4, and Fedora Core Linux (Fedora Core Linux remains unsupported by ColdFusion MX as of version 7.0.1).

The most notable problem arises when attempting to configure the web server to run the ColdFusion connector stub. SELinux also ships with Red Hat Enterprise Linux 3, where it is not active by default; users of that distribution may still encounter this error if SELinux has been enabled. The problem and a recommended solution are described below.

Solution


For the Apache 2 httpd binary to load the ColdFusion mod_jrun20.so connector module, the security context of the module must be changed to match that of httpd. This is most easily done with the chcon command, where the --reference=[reference file] switch names the file whose security context is applied to the target file or directory, as shown in this example command:

 chcon --reference=/usr/sbin/httpd \
     /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so

The following capture from a terminal session demonstrates interrogation of the security context of related files using the -Z switch available with the commands ls, ps, and id. It also demonstrates use of the chcon command to change the security context of the ColdFusion connector module to be like that of the reference file /usr/sbin/httpd:

 [root@RHEL4DEV1 connectors]# cd /opt/coldfusionmx7/runtime/lib/wsconfig/
 [root@RHEL4DEV1 wsconfig]# ls -l
 total 32
 drwxrwxrwx 2 root root 4096 Oct 25 12:09 1
 -rw-r--r-- 1 root root 1441 Oct 25 12:09 wsconfig.log
 -rw-r--r-- 1 root root 198 Oct 25 12:09 wsconfig.properties
 [root@RHEL4DEV1 wsconfig]# ls -l 1/
 total 92
 -rwxr-xr-x 1 root root 75088 Feb 18 2005 mod_jrun20.so
 -rw-r--r-- 1 root root 272 Oct 25 12:09 README.txt
 [root@RHEL4DEV1 wsconfig]#
 [root@RHEL4DEV1 wsconfig]# ls -Z 1/mod_jrun20.so
 -rwxr-xr-x root root root:object_r:usr_t 1/mod_jrun20.so
 [root@RHEL4DEV1 wsconfig]# which httpd
 /usr/sbin/httpd
 [root@RHEL4DEV1 wsconfig]# ls -Z /usr/sbin/httpd
 -rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd

 [root@RHEL4DEV1 wsconfig]# chcon --help
 Usage: chcon [OPTION]... CONTEXT FILE...
   or:  chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...
   or:  chcon [OPTION]... --reference=RFILE FILE...
 Change the security context of each FILE to CONTEXT.

   -c, --changes          like verbose but report only when a change is made
   -h, --no-dereference   affect symbolic links instead of any referenced file
                          (available only on systems with lchown system call)
   -f, --silent, --quiet  suppress most error messages
       --reference=RFILE  use RFILE's group instead of using a CONTEXT value
   -u, --user=USER        set user USER in the target security context
   -r, --role=ROLE        set role ROLE in the target security context
   -t, --type=TYPE        set type TYPE in the target security context
   -l, --range=RANGE      set range RANGE in the target security context
   -R, --recursive        change files and directories recursively
   -v, --verbose          output a diagnostic for every file processed
       --help             display this help and exit
       --version          output version information and exit

 [root@RHEL4DEV1 wsconfig]# chcon --reference=/usr/sbin/httpd 1/mod_jrun20.so
 [root@RHEL4DEV1 wsconfig]# ls -Z 1/mod_jrun20.so
 -rwxr-xr-x root root system_u:object_r:httpd_exec_t 1/mod_jrun20.so
 [root@RHEL4DEV1 wsconfig]# service httpd start
 Starting httpd: [ OK ]
 [root@RHEL4DEV1 wsconfig]#
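
The comparison the capture makes by eye can be scripted. The following is an added example, not part of the original TechNote: a POSIX shell helper that extracts the SELinux type from ls -Z output and reports whether the connector module's type matches the reference file's. It goes slightly beyond the capture by also accepting the newer ls -Z layout, where the context carries a trailing range such as :s0. The function and variable names are assumptions introduced here; the sample lines are copied from the session above.

```shell
#!/bin/sh
# Added example (not from the TechNote): compare SELinux types taken from `ls -Z` output.

# Sample lines copied from the terminal capture above.
SAMPLE_BEFORE='-rwxr-xr-x root root root:object_r:usr_t 1/mod_jrun20.so'
SAMPLE_AFTER='-rwxr-xr-x root root system_u:object_r:httpd_exec_t 1/mod_jrun20.so'
SAMPLE_REF='-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd'

# Print the security context found in one line of `ls -Z` output.
# The context is the first whitespace-separated field shaped like
# user:role:type, optionally followed by :range on newer systems.
context_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+/) { print $i; exit }
    }'
}

# Print the type, which is the third colon-separated part of a context.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_labels MODULE_LINE REFERENCE_LINE
# Returns 0 when the types match, 1 on mismatch, 2 when no context is present
# (for example, output captured on a host where SELinux is not enabled).
check_labels() {
    mod_type=$(type_of "$(context_of "$1")")
    ref_type=$(type_of "$(context_of "$2")")
    if [ -z "$mod_type" ] || [ -z "$ref_type" ]; then
        echo "unknown: no SELinux context in input"
        return 2
    fi
    if [ "$mod_type" = "$ref_type" ]; then
        echo "match: $mod_type"
        return 0
    fi
    echo "mismatch: module=$mod_type reference=$ref_type"
    return 1
}

# check_files MODULE_PATH REFERENCE_PATH
# Same check against live files; -d keeps ls from listing a directory's contents.
check_files() {
    check_labels "$(ls -Zd "$1")" "$(ls -Zd "$2")"
}
```

On a host with SELinux enabled, check_files /opt/coldfusionmx7/runtime/lib/wsconfig/1/mod_jrun20.so /usr/sbin/httpd reports a mismatch before the chcon step and a match after it.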



Document Details

ID:b45c298e
OS:Linux

Products Affected:

coldfusion