
CentOS 6 64-bit running Apache 2.2.15-29.el6.centos. When I try to stop, start or restart httpd I get an error that says it has failed. A tail of the error log is below. I also noticed that an httpd.pid file is not created even though it is configured in the main conf file.

If I set SELinux to permissive, it works just fine. I do not want to run it with SELinux disabled. If I delete the SSL_Mutex file it will start.

HTTPD was running fine until I tried to add the SSL configuration. I copied over the ssl.conf file from a working server into the conf.d folder. I also copied an sslcert folder into the conf folder. It contains the certs, key, CSR and password file. I think the problem has to do with the SELinux context for the sslcert folder that was copied, but I am not certain and not sure how to fix it.

Below is the security context for the sslcert folder after executing `restorecon -R sslcert`:

```
ls -Z

-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 httpd.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 magic
**drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 sslcert**
```

```
tail -f /var/log/httpd/error_log

[Thu Oct 17 13:33:19 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Oct 17 13:33:20 2013] [notice] Digest: generating secret for digest authentication ...
[Thu Oct 17 13:33:20 2013] [notice] Digest: done
[Thu Oct 17 13:33:20 2013] [warn] pid file /etc/httpd/logs/ssl.pid overwritten -- Unclean shutdown of previous Apache run?
[Thu Oct 17 13:33:20 2013] [notice] Apache/2.2.15 (Unix) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.0-fips configured -- resuming normal operations
[Thu Oct 17 21:04:48 2013] [notice] caught SIGTERM, shutting down
[Thu Oct 17 21:06:42 2013] [notice] **SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0**
[Thu Oct 17 21:06:42 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Oct 17 21:06:42 2013] [error] (17)File exists: Cannot create SSLMutex with file `/etc/httpd/logs/ssl_mutex'
```

I also saw mention of possible issues with semaphores. Below is the output of the current semaphores; Apache is currently not running.

```
ipcs -s

------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 0          root       600        1
0x00000000 65537      root       600        1
```

Finally, SELinux reports the following error.

```
sealert -a /var/log/audit/audit.log
0% donetype=AVC msg=audit(1382034755.118:420400): avc:  denied  { write } for  pid=3393 comm="httpd" name="ssl_mutex" dev=dm-0 ino=9513484 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

**** Invalid AVC allowed in current policy ***

100% doneERROR: failed to read complete file, 1044649 bytes read out of total 1043317 bytes (/var/log/audit/audit.log)
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from remove_name access on the directory ssl_mutex.
```
ddjammin
  • -1 purely for lack of formatting effort. Could you please edit your question and use some of the formatting options available here to make it easier to read? – EEAA Oct 18 '13 at 04:50
  • I was not aware of all the formatting features. I hope it is up to snuff. I would have happily done it at your request. Downgrading the question wasn't necessary. – ddjammin Oct 18 '13 at 05:22

2 Answers


A similar problem appeared before:

http://www.redhat.com/archives/fedora-selinux-list/2004-December/msg00067.html

Check that the SSL mutex config is the same as in the default ssl.conf.

Hope it helps.

Veniamin
  • Thanks that led me down the correct path. I changed the SSLMutex directive to the line below. This allows httpd to stop and start properly using apachectl. I am still having some issues using the init.d script but I will open another question for that. `SSLMutex default` – ddjammin Oct 18 '13 at 14:16
  • For me this was an artifact of migrating from default httpd config on CentOS 5 to CentOS 6. – 8None1 Jan 22 '14 at 00:40
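Added example in POSIX shell, not from the question or from either answer: it reduces an AVC record in the layout shown in the question to the fields that matter for this diagnosis (the denied permission, the httpd_t source context and the httpd_log_t target context), and it reports the effective SSLMutex directive of an ssl.conf, flagging a file-based mutex placed under the httpd log directory, which is the combination that produced the denial above and that `SSLMutex default` avoids. The AVC line and the ssl.conf fragment are constructed for the example; the function names and the `/etc/httpd/logs` default are assumptions, not anything from the page.

```shell
#!/bin/sh
# Added example; not part of the original question or answers.
#  avc_summary    - reduces one AVC record (layout as in the question's sealert
#                   output) to "perm comm name scontext tcontext tclass"
#  sslmutex_value - prints the effective SSLMutex directive from an ssl.conf
#  sslmutex_check - prints "review" when the mutex is a path-based mutex under
#                   the httpd log directory (the httpd_log_t location that was
#                   denied in the question), "ok" otherwise
# The AVC line and the sample ssl.conf are constructed for this example.

AVC_SAMPLE='type=AVC msg=audit(1382034755.118:420400): avc:  denied  { write } for  pid=3393 comm="httpd" name="ssl_mutex" dev=dm-0 ino=9513484 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file'

avc_field() {
  # $1: record, $2: key; prints the value of " key=value" or " key=\"value\""
  printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

avc_summary() {
  # $1: one AVC record line
  perm=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\).*/\1/p')
  printf '%s %s %s %s %s %s\n' "$perm" "$(avc_field "$1" comm)" \
    "$(avc_field "$1" name)" "$(avc_field "$1" scontext)" \
    "$(avc_field "$1" tcontext)" "$(avc_field "$1" tclass)"
}

sslmutex_value() {
  # $1: ssl.conf path; prints the last active (non-commented) SSLMutex value,
  # or "unset" when the file has none
  v=$(sed -n 's/^[[:space:]]*SSLMutex[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

sslmutex_check() {
  # $1: SSLMutex value; $2: httpd log directory (assumed default /etc/httpd/logs)
  # Only the path-carrying forms of Apache 2.2 (file:, fcntl:, flock:) are inspected.
  logdir=${2:-/etc/httpd/logs}
  case $1 in
    file:"$logdir"/*|fcntl:"$logdir"/*|flock:"$logdir"/*) printf 'review\n' ;;
    *) printf 'ok\n' ;;
  esac
}

make_sample_conf() {
  # writes a constructed ssl.conf fragment that reproduces the mutex path from
  # the question's error log, and prints the file's location
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
# constructed sample, not a real CentOS ssl.conf
LoadModule ssl_module modules/mod_ssl.so
#SSLMutex default
SSLMutex file:/etc/httpd/logs/ssl_mutex
EOF
  printf '%s\n' "$f"
}

# Demonstration when the script is run directly
avc_summary "$AVC_SAMPLE"
conf=$(make_sample_conf)
val=$(sslmutex_value "$conf")
printf 'SSLMutex=%s -> %s\n' "$val" "$(sslmutex_check "$val")"
rm -f "$conf"
```

Run it with `sh` on any box; nothing in it touches the real httpd configuration. Point `sslmutex_value` at the real `/etc/httpd/conf.d/ssl.conf` to see which directive is actually in force, and pipe single `type=AVC` lines from `ausearch` or the audit log into `avc_summary` to read the denial without scanning the raw record.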

> If I set selinux to permissive, it works just fine. I do not want to run it with selinux disabled. If I delete the SSL_Mutex file it will start.

Add "rm -fv /path/to/apache/ssl_mutex_file" to your httpd init script?

> [Thu Oct 17 21:06:42 2013] [error] (17)File exists: Cannot create SSLMutex with file `/etc/httpd/logs/ssl_mutex'

Kinda hackish, but should work. I usually disable SELinux on non-shared servers.

nandoP
  • Thanks for your suggestion. I am hoping to fix it without hacking. This is a production server that I am trying to keep as secure as possible. I would prefer to find the root cause of the problem and fix it. – ddjammin Oct 18 '13 at 06:27