I'm working on setting up a web server running RedHat Enterprise 6 with Apache and PHP inside of a chroot jail environment. The chroot directory for apache is /chroot/httpd. I followed this example yet when I go to start apache, I see the following in /var/log/httpd/error_log.
[warn] ./mod_dnssd.c: No services found to register
[Mon Jul 25 13:14:31 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Mon Jul 25 13:14:31 2011] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Mon Jul 25 13:14:31 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Jul 25 13:14:31 2011] [notice] Digest: generating secret for digest authentication ...
[Mon Jul 25 13:14:31 2011] [notice] Digest: done
[Mon Jul 25 13:14:31 2011] [notice] mod_chroot: changed root to /chroot/httpd.
[Mon Jul 25 13:14:31 2011] [error] (13)Permission denied: could not create /var/run/httpd.pid
[Mon Jul 25 13:14:31 2011] [error] httpd: could not log pid to file /var/run/httpd.pid
[Mon Jul 25 13:14:31 2011] [warn] ./mod_dnssd.c: No services found to register
Also, SELinux is enabled and according to the instructions, you are supposed to change the value of the httpd_disable_trans boolean to 1 using the command
setsebool httpd_disable_trans 1
However, I cannot find such a boolean under /selinux/booleans or anywhere in the system. The command produces the following error:
Could not change active booleans: Invalid boolean
I've scoured the web for why this boolean is not present in the system with no result. I have no idea if it's SELinux that's not allowing httpd to start or if it is a permissions issue. I have double checked the permissions and they seem fine. Any suggestions?
Thank you.
Update: I've determined that SELinux is indeed the reason for those errors. Changing the default policy from Enforcing to Permissive does allow apache to start just fine. The question is, why is httpd_disable_trans not available in the system? That would allow me to maintain the security of SELinux along with apache.
Also, on a side note, with apache inside a chroot environment, is it best to host the web content inside the /chroot or create symbolic links from there to where it is located? My goal is that I need to enable web content inside user directories stored under /users.
Update 2: Some Apache config lines that I believe are relevant:
.....
ServerRoot /etc/httpd
LockFile /var/run/httpd.lock
CoreDumpDirectory /var/run
ScoreBoardFile /var/run/httpd.scoreboard
PidFile /var/run/httpd.pid
ChrootDir "/chroot/httpd"
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule version_module modules/mod_version.so
LoadModule chroot_module /usr/lib/httpd/modules/mod_chroot.so
Include conf.d/*.conf
User apache
Group apache
....
I just figured out the issue. This is our environment:
RedHat 5 with latest apache RPM
When you look at the error logs it complains about not being able to create the httpd.pid under the "run" dir. It didn't make sense because that directory had the correct context for read/write, "httpd_sys_rw_content_t" (which I had to find in "/etc/selinux/targeted/contexts/customizable_types").
I realized (after hours of searching) that the error log doesn't give you the full path, but when Apache starts it chroots to "/home/httpdjail".
Under this folder I found another "run" dir. After changing the permissions to:
chcon -Rv -t httpd_sys_content_rw_t /home/httpdjail/
IT WORKED!! ^^
I'm guessing if you give the right permissions to your "/chroot/httpd" it will fix your issue.
Hope this helps!
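The point of the answer above is that the path in the error log is relative to the jail, so the directory that needs the right owner and SELinux label is ChrootDir plus that path. Here is an added example (not code from the thread or from mod_chroot) that reads an httpd.conf, maps each chroot-relative runtime directive from the question's config (PidFile, LockFile, ScoreBoardFile, CoreDumpDirectory) onto the host filesystem, and shows the state of each host directory. It assumes absolute paths and a ChrootDir directive, as in the question; the config fragment it writes is constructed from the question's directives.

```shell
# Added example (not from the original thread or from mod_chroot): map the
# runtime paths in an httpd.conf onto the host filesystem once mod_chroot's
# ChrootDir is in effect. The error log prints the in-jail path
# ("/var/run/httpd.pid"); the directory that actually needs the right owner
# and SELinux label is "$ChrootDir/var/run". Assumes absolute paths and a
# ChrootDir directive, as in the question's config.

# chroot_paths CONF -> one "DIRECTIVE host-path" line per runtime directive
chroot_paths() {
    conf=$1
    root=$(awk '$1 == "ChrootDir" { gsub(/"/, "", $2); print $2 }' "$conf")
    [ -n "$root" ] || { echo "no ChrootDir in $conf" >&2; return 1; }
    awk -v root="$root" '
        $1 == "PidFile" || $1 == "LockFile" || $1 == "ScoreBoardFile" || $1 == "CoreDumpDirectory" {
            gsub(/"/, "", $2)
            # Inside the jail "/" is ChrootDir, so an absolute path gets it prefixed.
            if ($2 ~ /^\//) print $1, root $2
            else            print $1, $2, "(relative to ServerRoot, check by hand)"
        }' "$conf"
}

# show_host_dirs CONF -> for every mapped path, the host directory that httpd
# must be able to write, with its SELinux context from ls -Z (falls back to
# plain ls -ld where ls has no -Z).
show_host_dirs() {
    chroot_paths "$1" | while read -r directive path rest; do
        [ -z "$rest" ] || continue          # skip relative entries
        case $directive in
            CoreDumpDirectory) dir=$path ;;
            *)                 dir=$(dirname "$path") ;;
        esac
        if [ -d "$dir" ]; then
            ls -ldZ "$dir" 2>/dev/null || ls -ld "$dir"
        else
            echo "$directive: $dir does not exist inside the jail"
        fi
    done
}

# Constructed config fragment mirroring the question's directives; written to
# the file given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
ServerRoot /etc/httpd
LockFile /var/run/httpd.lock
CoreDumpDirectory /var/run
ScoreBoardFile /var/run/httpd.scoreboard
PidFile /var/run/httpd.pid
ChrootDir "/chroot/httpd"
LoadModule chroot_module /usr/lib/httpd/modules/mod_chroot.so
User apache
Group apache
EOF
}

# Demo: print the mapping and the state of each host directory.
tmpconf=$(mktemp)
write_sample_conf "$tmpconf"
chroot_paths "$tmpconf"
show_host_dirs "$tmpconf"
rm -f "$tmpconf"
```

Run it against the real /etc/httpd/conf/httpd.conf and then fix ownership and labels on the directories it reports (for the question's config, /chroot/httpd/var/run). One caveat if you prefer restorecon to chcon: restorecon only helps once file-context rules cover the jail path; with none defined it relabels the tree to default_t, which is exactly what httpd_t is denied, so you would first add rules (for example an equivalence mapping with `semanage fcontext -a -e`) and only then run restorecon.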
I don't know about your invalid boolean, but you can find SELinux permission problems by checking its log (try
/var/log/audit/audit.log
). I believe the log will show the context/type used by httpd/apache and any file SELinux denies access to. Also try
ls -lZ
to reveal the context of any given file, and before you get lost trying to reconfigure SELinux permissions try restorecon -R -F -v
(restore context). In response to audit.log being verbose, yes it is! However, if you are looking for one particular file for a known process it isn't so bad. An example of Apache (httpd) not loading /etc/hosts is:
Also worth noting: I've experienced contexts getting out of whack without editing any SELinux configuration, e.g. when files are uploaded via scp, when moving between directories, and in the above example I have no idea why, but restorecon fixed it.
You could search audit.log for any sign of 'httpd'. Hope this helps.
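Searching audit.log for 'httpd', as the answer above suggests, is easier if the AVC lines are reduced to the fields that matter: the permission refused, the object class, the file name and the target type. The following is an added example (not code from the thread) that does that with awk over a constructed audit.log excerpt; the sample lines imitate the question's situation (httpd_t refused write access to a jail labelled default_t, plus an unrelated sendmail denial) and are not real audit output.

```shell
# Added example (not from the original thread): extract the AVC denials that
# concern httpd from an audit.log and summarise which SELinux type httpd_t
# was refused access to. The sample lines are constructed to resemble the
# question's situation (httpd_t writing into an unlabelled jail, default_t)
# and are not real audit output.

# Constructed audit.log excerpt, written to the file given as $1.
write_sample_audit() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1311599671.101:2001): avc:  denied  { write } for  pid=2345 comm="httpd" name="run" dev=dm-0 ino=131589 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1311599671.101:2001): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1311599671.102:2002): avc:  denied  { add_name } for  pid=2345 comm="httpd" name="httpd.pid" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1311599671.500:2003): avc:  denied  { read } for  pid=2345 comm="httpd" name="hosts" dev=dm-0 ino=4242 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1311599700.000:2004): avc:  denied  { name_connect } for  pid=9999 comm="sendmail" scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
EOF
}

# httpd_denials LOG -> "permission tclass name target-type" per AVC line
# whose comm is httpd (a multi-permission set like "{ read write }" is
# printed as read,write so the columns stay aligned).
httpd_denials() {
    awk '/^type=AVC / && /comm="httpd"/ {
        perm = "?"; name = "?"; ttype = "?"; tclass = "?"
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "name")     { name = kv[2]; gsub(/"/, "", name) }
            if (kv[1] == "tcontext") { split(kv[2], ctx, ":"); ttype = ctx[3] }
            if (kv[1] == "tclass")   tclass = kv[2]
        }
        print perm, tclass, name, ttype
    }' "$1"
}

# denial_summary LOG -> "count target-type tclass", most frequent first.
# A summary dominated by default_t or unlabeled_t means the jail was never
# labelled and needs chcon/restorecon; a proper httpd_* type means a boolean
# or policy question instead.
denial_summary() {
    httpd_denials "$1" | awk '{ n[$4 " " $2]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Demo on the constructed excerpt.
tmplog=$(mktemp)
write_sample_audit "$tmplog"
httpd_denials "$tmplog"
denial_summary "$tmplog"
rm -f "$tmplog"
```

On a real RHEL 6 box the stock tools do the same job: `ausearch -m avc -c httpd` selects the denials and `audit2why` explains each one. Once the denials all point at an unlabelled jail, fix the labels rather than loosening policy; if you do need the per-domain equivalent of the missing httpd_disable_trans boolean, RHEL 6 offers `semanage permissive -a httpd_t`, which leaves the rest of the system enforcing.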
Try this:
and restart Apache to see what happens.
If using an MTA, for example Postfix, you may want to keep your SELinux setting:
For this reason I suggest doing this: