System information
Adobe documentation - Confidential
/opt/coldfusion10/config/wsconfig/1/mod_jk.so: failed to map
segment from shared object: Permission denied
If you are not running SELinux you can skip any commands that begin with chcon or setsebool.
First create an empty log file:
touch /opt/cf11/config/wsconfig/1/mod_jk.log
And an empty shared memory file:
touch /opt/cf11/config/wsconfig/1/jk_shm
Now let’s grant permission to Apache for the connector directory:
chown -R cfuser:apache /opt/cf11/config/wsconfig/1/
chmod -R 640 /opt/cf11/config/wsconfig/1/
chmod 750 /opt/cf11/config/wsconfig/1/mod_jk.so
chmod 660 /opt/cf11/config/wsconfig/1/mod_jk.log
chmod 660 /opt/cf11/config/wsconfig/1/jk_shm
Next we need to apply SELinux context to the mod_jk.so module, we’ll do this by referencing another
apache module, we’ll pick mod_rewrite.so - just make sure whatever you pick is installed:
chcon --reference=/etc/httpd/modules/mod_rewrite.so
/opt/cf11/config/wsconfig/1/mod_jk.so
We must also apply the proper SELinux context to the files that mod_jk writes to:
chcon --reference=/var/log/httpd/access_log
/opt/cf11/config/wsconfig/1/mod_jk.log
chcon --reference=/var/log/httpd/access_log
/opt/cf11/config/wsconfig/1/jk_shm
Finally we need to allow Apache to make network connections so mod_jk can talk to ColdFusion. We can
allow Apache to connect to any port by running:
setsebool httpd_can_network_connect 1
A more restrictive and secure approach is to only add the port that the ColdFusion connector is using to
facilitate communications between Apache and ColdFusion. This port is listed in the workers.properties
file in the /opt/cf11/config/wsconfig/1/ folder in the worker.cfusion.port property, by default it will be
8014.
Turn off httpd_can_network_connect if enabled:
setsebool httpd_can_network_connect 0
Adobe documentation - Confidential