httpd with 3rd-party mod_cluster failing to start with error: create_mem_node /etc/httpd/logs/manager.node failed: Permission denied

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 6
  • httpd
  • 3rd-party mod_cluster not provided by JBoss Web Server or JBoss EAP

Issue

  • Apache httpd fails to start with the following errors in the error_log:

    [Wed Sep 23 10:38:03 2015] [notice] Digest: generating secret for digest authentication ...
    [Wed Sep 23 10:38:03 2015] [notice] Digest: done
    [Wed Sep 23 10:38:03 2015] [emerg] create_mem_node /etc/httpd/logs/manager.node failed: Permission denied Configuration Failed
    [Wed Sep 23 10:44:59 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
    [Wed Sep 23 10:44:59 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Wed Sep 23 10:44:59 2015] [notice] Digest: generating secret for digest authentication ...
    [Wed Sep 23 10:44:59 2015] [notice] Digest: done
    [Wed Sep 23 10:44:59 2015] [emerg] create_mem_node /etc/httpd/logs/manager.node failed: Permission denied Configuration Failed
    

Resolution

  1. Create a cache dir for mod_cluster in /var/cache/

    mkdir /var/cache/mod_cluster
    
  2. Run restorecon on the new directory.
    SELinux already has fcontext rules that set /var/cache/mod_* to type httpd_cache_t, so no new rule has to be added.
    This command only needs to be run once.

    restorecon /var/cache/mod_cluster
    
  3. Edit the mod_cluster configuration file (probably /etc/httpd/conf.d/mod_cluster.conf) and set the following directive:

    MemManagerFile /var/cache/mod_cluster
    
  4. Restart Apache httpd

Root Cause

  • mod_cluster is creating its cache files in a directory (/var/log/httpd, which /etc/httpd/logs is a symbolic link to) that should only contain logs
  • The logs directory has the SELinux context type httpd_log_t, so any new files in this directory inherit the same type
  • The httpd_log_t type allows creating new files and appending to existing files
  • The proper httpd_cache_t type allows more appropriate access
  • Note: MemManagerFile is set correctly in versions of mod_cluster shipped by Red Hat
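
As an added example (not part of the original Red Hat solution), the script below triages an error_log for this failure: it extracts the denied path and the SELinux domain httpd logged for itself, and flags a MemManagerFile location that sits in a log directory. The function names are hypothetical; the sample lines are copied from the Issue section above.

```shell
#!/bin/sh
# Added example: triage an httpd error_log for the mod_cluster failure above.
# SAMPLE_LOG holds lines copied from the Issue section of this page.
SAMPLE_LOG='[Wed Sep 23 10:44:59 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Sep 23 10:44:59 2015] [notice] Digest: done
[Wed Sep 23 10:44:59 2015] [emerg] create_mem_node /etc/httpd/logs/manager.node failed: Permission denied Configuration Failed'

# Print the type field (third colon-separated field) of an SELinux context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read a log on stdin; print the path from the last create_mem_node denial.
failed_mem_path() {
    sed -n 's/.*\[emerg\] create_mem_node \([^ ]*\) failed: Permission denied.*/\1/p' | tail -n 1
}

# Read a log on stdin; print the context httpd reported for itself at startup.
httpd_context() {
    sed -n 's/.*httpd running as context \([^ ]*\).*/\1/p' | tail -n 1
}

# Summarise the failure: denied path, httpd domain, and what to check next.
# Returns 1 when the log contains no create_mem_node denial.
triage() {
    log=$1
    denied=$(printf '%s\n' "$log" | failed_mem_path)
    [ -n "$denied" ] || { echo "no create_mem_node denial found"; return 1; }
    domain=$(ctx_type "$(printf '%s\n' "$log" | httpd_context)")
    echo "denied path: $denied (httpd domain: ${domain:-unknown})"
    case $denied in
        */logs/*|/var/log/*)
            echo "path is in a log directory: move MemManagerFile to /var/cache/mod_cluster" ;;
    esac
    echo "verify after the fix: ls -Zd /var/cache/mod_cluster   # expect type httpd_cache_t"
}

triage "$SAMPLE_LOG"
```

On a live host, pass the real log instead of the sample, for example `triage "$(cat /var/log/httpd/error_log)"`.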

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
