Tracker issue: CF-4090377

Title:

SELinux issues with ColdFusion 10 update 18 connector (10,0,18,296330)

Status/Resolution/Reason: Closed/Won't Fix/Workaround

Reporter/Name(from Bugbase): Dan Switzer / Dan Switzer (Dan Switzer)

Created: 11/20/2015

Components: Installation/Config, Connector

Versions: 10.0

Failure Type: Non Functioning

Found In Build/Fixed In Build: Final /

Priority/Frequency: Major / Some users will encounter

Locale/System: English / Linux RH Enterprise 6

Vote Count: 1

Problem Description:

Rebuilding the Apache web connector under CentOS 6.6 and Apache 2.2.15-47.el6 causes SELinux conflicts.

The Apache error_log generates errors like:

[Thu Nov 19 17:06:15 2015] [notice] child pid 22322 exit signal Segmentation fault (11)

The SELinux audit.log generates errors like:

type=ANOM_ABEND msg=audit(1448041800.008:536): auid=0 uid=48 gid=48 ses=29 subj=unconfined_u:system_r:httpd_t:s0 pid=7307 comm="httpd" sig=11

Steps to Reproduce:
Take a working instance of ColdFusion 10u17 and apply hotfix 18. After installing the hotfix, rebuild or upgrade the connector:

/opt/coldfusion10/cfusion/runtime/bin/wsconfig -upgrade -v

Or:

/opt/coldfusion10/cfusion/runtime/bin/wsconfig -uninstall
/opt/coldfusion10/cfusion/runtime/bin/wsconfig -ws Apache -dir /etc/httpd/conf/ -bin /usr/sbin/httpd -script /etc/init.d/httpd -v


Actual Result:
Try to access any ColdFusion page and the request will not be fulfilled and errors will be generated.


Expected Result:
Server should work as it did before the connector was rebuilt.

Any Workarounds:

Temporarily disable SELinux (echo 0 >/selinux/enforce) and restart Apache.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4090377

External Customer Info:
External Company:  
External Customer Name: Dan Switzer
External Customer Email:  
External Test Config: My Hardware and Environment details:

CentOS 6.6 w/SELinux enabled

Apache 2.2.15-47.el6

ColdFusion 10 with update 18

Attachments:

Comments:

Can I get an update on this? I'd really like to get u18 tested so we can roll into production, but if I can't complete the necessary step of updating the connector, I won't install u18. Thanks!
Comment by External U.
5263 | December 01, 2015 09:40:21 AM GMT
Dan, can you also please mention the SELinux settings? We are working with enforcing / targeted to repro this issue.
Comment by Immanuel N.
5264 | December 02, 2015 10:02:29 PM GMT
We were able to repro the issue with CentOS bundled Apache (2.2.15), and are looking into it. Also, we can confirm the connector on CentOS works with 2.2.31, the latest in 2.2 branch, and also 2.2.15 (Built from Apache provided source). Would it be possible to upgrade to the latest release of Apache 2.2?
Comment by Immanuel N.
5265 | December 02, 2015 11:20:40 PM GMT
Apache 2.2.15-47.el6 is the latest version officially supported in our managed environment. I'm looking into whether there's any chance we can update to 2.2.31. However, if I disable SELinux, everything works fine. So I don't think the connector is incompatible with 2.2.15-47.el6, but there's definitely some permission that needs to be granted somewhere along the way. I just can't pinpoint what that change is.
Comment by External U.
5266 | December 03, 2015 08:32:56 AM GMT
Spot on, Dan! There are additional permissions required under SELinux for connector binaries. We are working on listing these permissions. Fixes to the connector are not required.
Comment by Immanuel N.
5267 | December 03, 2015 09:28:47 PM GMT
We use Red Hat Enterprise Linux Server release 6.7 with Apache/2.2.15 (Unix). We experience the same issue when we install update 18 and update the connector. This update was released on Nov 17 2015 and has a priority 2 rating. My understanding is that this update should be installed within 30 days of release because it is priority 2.
https://helpx.adobe.com/security/products/coldfusion/apsb15-29.html
https://helpx.adobe.com/security/severity-ratings.html
This needs to be resolved so we can install this update by Dec 17-18, 2015. Thanks, Boris.
Vote by External U.
5273 | December 07, 2015 10:10:25 AM GMT
Hi Dan, this workaround worked for us; not sure if it will help you or not. Use it at your own risk and test it before using it in production.

Check your system and see if you have the httpd_tmp_t file type defined. You should have it; I believe it is one of the default httpd file contexts:

seinfo -afile_type -x | grep httpd_tmp_t

One of the quickest workarounds we found was to change the location of the jk_shm files to the /tmp directory in mod_jk.conf and restart Apache. In the mod_jk.conf file, look for the line that starts with JkShmFile and change it from the default location {ColdFusionRoot}/config/wsconfig/{connector number}/jk_shm to /tmp/jk_shm.

We used a variation of this workaround and created a dedicated directory for the jk_shm files and set the httpd_tmp_t label on this new directory. The commands we used are as follows:

semanage fcontext -a -t httpd_tmp_t "{new directory}(/.*)?"
restorecon {new directory}

Then we edited the mod_jk.conf file and restarted Apache.
Comment by External U.
5268 | December 15, 2015 10:24:43 AM GMT
Hi Dan, please run the commands below to make the connector work:

1. The command below will give write permission to httpd in the config folders:
chcon -R -t httpd_sys_rw_content_t /opt/coldfusion10/config

2. By default, the httpd_can_network_connect_db Boolean is off, preventing Apache HTTP Server scripts and modules from connecting to servers, so please run the command below:
setsebool -P httpd_can_network_connect on

Please let us know if it works for you. Thanks, Mukesh
Comment by Mukesh K.
5269 | August 05, 2016 01:45:27 AM GMT
Dan, any luck with the following commands?
Comment by Vamseekrishna N.
5270 | August 24, 2016 12:02:09 AM GMT
Hi Dan, we are closing this bug. Do revert in case you are still experiencing this issue/want us to re-open it.
Comment by Vamseekrishna N.
5271 | August 24, 2016 09:23:15 PM GMT
The following command does allow me to run SELinux in permissive mode again.
chcon -R -t httpd_sys_rw_content_t /opt/coldfusion10/config
You should make sure to update the Lockdown instructions to make sure this is included!
Comment by External U.
5272 | August 31, 2016 12:38:11 PM GMT
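Added worked example (editor's, not from this tracker, Adobe or the ColdFusion connector): a POSIX sh script that triages audit records like the one in this report and prints the persistent SELinux fix corresponding to the workarounds in the comments above. It uses semanage fcontext plus restorecon rather than chcon alone, because chcon changes only the inode labels and a later restorecon or filesystem relabel reverts them, which is why the chcon one-liner in the comments should not be the final Lockdown step. The ANOM_ABEND record is the one from the report; the two AVC records are constructed samples (the path, inode, port and timestamps are invented), and the script assumes paths without spaces.

```shell
#!/bin/sh
# Added example (not from the Adobe tracker or the ColdFusion connector).
# Triage SELinux audit records for the mod_jk connector and print the
# persistent labelling commands (semanage fcontext + restorecon) instead of
# a one-off chcon, which a later restorecon or relabel would undo.
# Assumption: paths in the records contain no spaces.

# Print the value of key=... in an audit record (first match, quotes stripped).
audit_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# The SELinux type is the third colon-separated field of a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# For an AVC denial against httpd_t, print the persistent fix.
# Returns 0 when a hint was produced, 1 for records this script does not handle.
avc_fix_hint() {
    rec=$1
    perms=$(printf '%s\n' "$rec" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
    stype=$(ctx_type "$(audit_field "$rec" scontext)")
    tclass=$(audit_field "$rec" tclass)
    [ "$stype" = httpd_t ] || return 1
    case $tclass in
    file|dir|lnk_file)
        path=$(audit_field "$rec" path)
        [ -n "$path" ] || return 1          # records with only name= give no usable path
        # Label the whole tree: the directory itself, or the parent of a file.
        if [ "$tclass" = dir ]; then dir=$path; else dir=$(dirname "$path"); fi
        case " $perms " in
        *" write "*|*" create "*|*" add_name "*|*" remove_name "*|*" unlink "*|*" rename "*|*" setattr "*)
            label=httpd_sys_rw_content_t ;;    # httpd may write here
        *)
            label=httpd_sys_content_t ;;       # read-only content is enough
        esac
        printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$label" "$dir"
        printf 'restorecon -Rv "%s"\n' "$dir"
        ;;
    tcp_socket)
        # An outbound connect (e.g. AJP to the CF instance) needs the boolean
        # mentioned in the comments above, not a file label.
        case " $perms " in
        *" name_connect "*) printf 'setsebool -P httpd_can_network_connect on\n' ;;
        *) return 1 ;;
        esac
        ;;
    *) return 1 ;;
    esac
}

# Dispatch one record. AVC denials get a fix hint; an ANOM_ABEND under httpd_t
# (the record in this report) carries no denial, so print the ausearch call
# that finds the AVC records for that pid.
triage_record() {
    case $(audit_field "$1" type) in
    AVC) avc_fix_hint "$1" ;;
    ANOM_ABEND)
        [ "$(ctx_type "$(audit_field "$1" subj)")" = httpd_t ] || return 1
        printf 'ausearch -m AVC -p %s\n' "$(audit_field "$1" pid)"
        ;;
    *) return 1 ;;
    esac
}

# The ANOM_ABEND line is the one from this report. The two AVC lines are
# constructed samples: path, inode, port and timestamps are invented.
SAMPLE_ABEND='type=ANOM_ABEND msg=audit(1448041800.008:536): auid=0 uid=48 gid=48 ses=29 subj=unconfined_u:system_r:httpd_t:s0 pid=7307 comm="httpd" sig=11'
SAMPLE_WRITE='type=AVC msg=audit(1448041800.009:537): avc:  denied  { write } for  pid=7307 comm="httpd" path="/opt/coldfusion10/config/wsconfig/1/jk_shm" dev=dm-0 ino=262401 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file'
SAMPLE_CONNECT='type=AVC msg=audit(1448041800.120:540): avc:  denied  { name_connect } for  pid=7307 comm="httpd" dest=8012 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

for rec in "$SAMPLE_ABEND" "$SAMPLE_WRITE" "$SAMPLE_CONNECT"; do
    triage_record "$rec" || printf 'no hint for record: %s\n' "$rec"
done
```

The segfault record on this page carries no denial of its own, which is why the script only points to ausearch -m AVC -p <pid> for it. If that search comes back empty while the connector still fails under enforcing mode, the denial may be covered by a dontaudit rule: semodule -DB disables those rules temporarily (semodule -B restores them), after which the AVC record appears in audit.log and can be fed to triage_record. Review the printed commands before running them; the script deliberately does not execute them.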