Permission denied: could not create /var/run/httpd.pid in Apache

I just figured out the issue. This is our environment:

RedHat 5 with latest apache RPM

When you look at the error logs it complains about not being able to create the httpd.pid under the "run" dir. It didn't make sense because that directory had the correct context for read/write, "httpd_sys_rw_content_t" (which I had to find in "/etc/selinux/targeted/contexts/customizable_types").

I realized (after hours of searching) that the error log doesn't give you the full path, but when Apache starts it chroots to "/home/httpdjail".

Under this folder I found another "run" dir. After changing the permissions to:

chcon -Rv -t httpd_sys_rw_content_t /home/httpdjail/

IT WORKED!! ^^

I'm guessing if you give the right permissions to your "/chroot/httpd" it will fix your issue.

Hope this helps!


I don't know about your invalid boolean, but you can find SELinux permission problems by checking its log (try /var/log/audit/audit.log).

I believe the log will show the context/type used by httpd/apache and any file SELinux denies access to. Also try ls -lZ to reveal the context of any given file, and before you get lost trying to reconfigure SELinux permissions, try restorecon -R -F -v (restore context).


In response to audit.log being verbose, yes it is! However if you are looking for one particular file for a known process it isn't so bad. An example of Apache (httpd) not loading /etc/hosts is:

type=AVC msg=audit(1311546944.235:1040): avc:  denied  { read } for  pid=1396 comm="httpd" 
name="hosts" dev=dm-0 ino=262931 
scontext=user_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

Also worth noting: I've experienced contexts getting out of whack without editing any SELinux configuration, e.g. when files are uploaded via scp or when moving between directories, and in the above example I have no idea why, but restorecon fixed it.

You could search audit.log for any sign of 'httpd'. Hope this helps.
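As an added example (not from any of the answers above) of searching audit.log for httpd denials the way the last two answers suggest: the script below builds a small constructed audit.log sample (the AVC line from the answer plus invented lines for a chrooted "run" directory and an unrelated sshd denial), then pulls out, per AVC denial for a given process, the permission, target class, file name and the source/target contexts. The sample records and the function names are assumptions for this example only.

```shell
#!/bin/sh
# Constructed sample of what /var/log/audit/audit.log can contain; not real log data.
SAMPLE_AUDIT_LOG="$(mktemp)"
cat > "$SAMPLE_AUDIT_LOG" <<'EOF'
type=AVC msg=audit(1311546944.235:1040): avc:  denied  { read } for  pid=1396 comm="httpd" name="hosts" dev=dm-0 ino=262931 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1311546950.101:1041): avc:  denied  { write } for  pid=1396 comm="httpd" name="run" dev=dm-0 ino=262940 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1311546950.101:1041): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1311546960.500:1042): avc:  denied  { read } for  pid=2200 comm="sshd" name="authorized_keys" dev=dm-0 ino=300000 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
EOF

# Print one summary line per AVC denial for the given process name (comm).
# Usage: avc_denials_for <audit.log> <comm>
avc_denials_for() {
    awk -v want="$2" '
        /^type=AVC / && / denied / {
            # permission set sits between "denied {" and "}"
            perm = $0; sub(/.*denied  *\{ */, "", perm); sub(/ *\}.*/, "", perm)
            comm = ""; name = ""; sctx = ""; tctx = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                v = kv[2]; gsub(/"/, "", v)
                if (kv[1] == "comm") comm = v
                else if (kv[1] == "name") name = v
                else if (kv[1] == "scontext") sctx = v
                else if (kv[1] == "tcontext") tctx = v
                else if (kv[1] == "tclass") tclass = v
            }
            if (comm == want)
                printf "%s denied %s on %s %s (%s -> %s)\n", comm, perm, tclass, name, sctx, tctx
        }' "$1"
}

# Number of AVC denials for a process: a quick "is SELinux the blocker?" check.
avc_denial_count() {
    avc_denials_for "$1" "$2" | wc -l | tr -d ' '
}

avc_denials_for "$SAMPLE_AUDIT_LOG" httpd
```

The tcontext in each line is what to compare against ls -lZ on the file; a type like initrc_tmp_t or home_root_t on something httpd must reach is the cue for restorecon or chcon.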