Published: 1. 6. 2015   Category: GNU/Linux

Apache and SELinux problem on CentOS 7

I was unable to start httpd with SELinux enabled; it failed with the strange message AH00544. Even an extensive Google search did not help, so it is time to add one more tutorial to the web :)

First of all, the command to start the httpd daemon is:

# systemctl start httpd
Job for httpd.service failed. See 'systemctl status httpd.service' and
'journalctl -xn' for details.

After checking journalctl -xn I found:

# journalctl -xn
-- Logs begin at Fri 2015-05-29 21:59:31 CEST, end at Fri 2015-05-29 23:09:19 CEST. --
May 29 23:05:31 rxsat systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has failed.
-- 
-- The result is failed.
May 29 23:05:31 rxsat systemd[1]: Unit httpd.service entered failed state.
May 29 23:09:19 rxsat systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has begun starting up.
May 29 23:09:19 rxsat httpd[678]: AH00544: httpd: bad group name apache
May 29 23:09:19 rxsat kernel: type=1400 audit(1432933759.487:3883): avc:  denied  { read } for  pid=678 comm="httpd" name="group" dev="sdb2" ino=539822673 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file
May 29 23:09:19 rxsat systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
May 29 23:09:19 rxsat kill[680]: kill: cannot find process ""
May 29 23:09:19 rxsat systemd[1]: httpd.service: control process exited, code=exited status=1
May 29 23:09:19 rxsat systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has failed.
-- 
-- The result is failed.
May 29 23:09:19 rxsat systemd[1]: Unit httpd.service entered failed state.

You can notice the error message "AH00544: httpd: bad group name apache" and also a message related to SELinux:

May 29 23:09:19 rxsat kernel: type=1400 audit(1432933759.487:3883): avc:  denied  { read } for  pid=678 comm="httpd" name="group" dev="sdb2" ino=539822673 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file

This means that the httpd process (PID 678, running in the httpd_t domain) was denied read access to a file with inode number 539822673 that carries the shadow_t label. You need to find which file this inode belongs to:

# find / -inum 539822673
/etc/group

Now, what is wrong with /etc/group:

# ll -Z /etc/group
-rw-r--r--. root root unconfined_u:object_r:shadow_t:s0 /etc/group

I suspected that the shadow_t type was causing the problem, so I changed it to passwd_file_t (on a different server I found this was the default):

# chcon --type=passwd_file_t /etc/group
# ll -Z /etc/group
-rw-r--r--. root root unconfined_u:object_r:passwd_file_t:s0 /etc/group

After starting httpd, everything works:

# systemctl status httpd
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since Fri 2015-05-29 23:29:43 CEST; 12min ago
  Process: 5343 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
 Main PID: 6379 (httpd)
   Status: "Total requests: 2; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─6379 /usr/sbin/httpd -DFOREGROUND
           ├─6380 /usr/sbin/httpd -DFOREGROUND
           ├─6381 /usr/sbin/httpd -DFOREGROUND
           ├─6382 /usr/sbin/httpd -DFOREGROUND
           ├─6383 /usr/sbin/httpd -DFOREGROUND
           ├─6384 /usr/sbin/httpd -DFOREGROUND
           └─6525 /usr/sbin/httpd -DFOREGROUND
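The steps above (read the AVC record, map the inode to a file, inspect and repair its label) can be scripted. The following shell functions are an added example and not part of the original post; they assume util-linux findmnt and the libselinux-utils tools matchpathcon and restorecon are installed, and the sample record is constructed from the journal output shown above. restorecon is used instead of chcon because it applies the policy's default label, which survives a later filesystem relabel.

```shell
# Added example (not from the post): parse an AVC "denied" record, locate the
# denied inode on the device it names, and print the label-repair commands.
# Assumes findmnt, matchpathcon and restorecon are available (CentOS 7 defaults).

# Constructed sample record, taken from the journal output in the post.
AVC_SAMPLE='May 29 23:09:19 rxsat kernel: type=1400 audit(1432933759.487:3883): avc:  denied  { read } for  pid=678 comm="httpd" name="group" dev="sdb2" ino=539822673 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file'

# avc_field RECORD KEY: value of KEY=value (surrounding quotes stripped), empty if absent
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_type CONTEXT: the type component (third field) of an SELinux context
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: one line saying which process/domain was denied which
# permission on which inode, and what label that inode carries
avc_summary() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  *{ *\([a-z_]*\) *}.*/\1/p')
    printf '%s(%s) as %s denied %s on %s ino %s dev %s labelled %s\n' \
        "$(avc_field "$line" comm)" "$(avc_field "$line" pid)" \
        "$(avc_type "$(avc_field "$line" scontext)")" "$perm" \
        "$(avc_field "$line" tclass)" "$(avc_field "$line" ino)" \
        "$(avc_field "$line" dev)" "$(avc_type "$(avc_field "$line" tcontext)")"
}

# avc_locate RECORD: path(s) of the denied inode, searched only on the
# filesystem mounted from the device in the record (falls back to / if the
# device is not found); needs root and reads the live system
avc_locate() {
    dev=$(avc_field "$1" dev)
    ino=$(avc_field "$1" ino)
    mnt=$(findmnt -n -o TARGET "/dev/$dev" 2>/dev/null | head -n 1)
    find "${mnt:-/}" -xdev -inum "$ino" 2>/dev/null
}

# avc_fix_plan PATH: show the current label, the policy default, and the
# persistent fix (restorecon) rather than a one-off chcon
avc_fix_plan() {
    printf 'ls -Z %s\nmatchpathcon %s\nrestorecon -v %s\n' "$1" "$1" "$1"
}
```

On the affected host, `avc_summary "$AVC_SAMPLE"`, `avc_locate "$AVC_SAMPLE"` and `avc_fix_plan /etc/group` reproduce the diagnosis from the post; for any other AVC record, paste that record in place of the sample.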