CentOS – SELinux keeps blocking the Apache instance

I am using CentOS 7 and have set up a duplicate Apache instance using the systemd structure there.

I can get both Apaches to run if I use setenforce 0. However, when I setenforce 1, the new Apache won't start.

I did my best to go through all the files I created and I have copied the SELinux type across using "ls -Z" and then chcon to the same as httpd.

The failure message I am getting is:

[Thu Jun 23 23:51:24.123185 2016] [core:notice] [pid 24944] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Jun 23 23:51:24.124434 2016] [suexec:notice] [pid 24944] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jun 23 23:51:24.146830 2016] [auth_digest:notice] [pid 24944] AH01757: generating secret for digest authentication ...
[Thu Jun 23 23:51:24.147901 2016] [lbmethod_heartbeat:notice] [pid 24944] AH02282: No slotmem from mod_heartmonitor
[Thu Jun 23 23:51:24.147983 2016] [core:error] [pid 24944] (13)Permission denied: AH00099: could not create /etc/httpd-bobby/httpd-bobby.pid
[Thu Jun 23 23:51:24.148000 2016] [core:error] [pid 24944] AH00100: httpd-bobby: could not log pid to file /etc/httpd-bobby/httpd-bobby.pid

But the location has the httpd context:

[root~]# ls -Z /etc | grep httpd
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 httpd
drwxr-xr-x. root root unconfined_u:object_r:httpd_config_t:s0 httpd-bobby

I know it is SELinux because it works with setenforce 0. What am I doing wrong?

Best Answer

There are multiple httpd contexts and this isn't the right one.

The directory in which the pid file goes should have the context httpd_var_run_t.

I'd recommend against putting it in /etc; create one in /var/run instead.

To set the correct context permanently, for example for /var/run/httpd-bobby:

semanage fcontext -a -t httpd_var_run_t "/var/run/httpd-bobby(/.*)?" && restorecon /var/run/httpd-bobby
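
To confirm which label was denied, the audit record can be read directly. The script below is an added example, not part of the original answer: the AVC line is constructed in the format printed by `ausearch -m avc`, reusing the pid and contexts shown in the question, and the function names are hypothetical.

```bash
#!/bin/sh
# Added example: explain an SELinux AVC denial for an httpd pid-file directory.

# Constructed sample record (not taken from a real audit log). The pid and
# both contexts are the ones shown in the question; the rest is made up.
SAMPLE_AVC='type=AVC msg=audit(1466722284.147:512): avc:  denied  { write } for  pid=24944 comm="httpd" name="httpd-bobby" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir'

# Print the value of the key=value field named $2 in AVC record $1.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print the type, i.e. the third part of a user:role:type:level context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the denied permissions listed between "{" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# One-line summary: which domain was denied what, on which class and label.
explain_avc() {
    printf '%s denied { %s } on %s labelled %s\n' \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(context_type "$(avc_field "$1" tcontext)")"
}

# Succeeds (exit 0) when the denied target is NOT labelled httpd_var_run_t,
# the type the answer says the pid-file directory needs.
needs_relabel() {
    [ "$(context_type "$(avc_field "$1" tcontext)")" != "httpd_var_run_t" ]
}

explain_avc "$SAMPLE_AVC"
if needs_relabel "$SAMPLE_AVC"; then
    echo "target is not httpd_var_run_t: relabel the pid directory"
fi
```

On a live system the record would come from `ausearch -m avc -ts recent` instead of the embedded sample.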