httpd run directory permissions in F12/11

Paul Howarth paul at city-fan.org
Thu Oct 29 12:35:36 UTC 2009


On 29/10/09 11:29, Clodoaldo Neto wrote:
> I've been using Fedora 10 and while trying F12 beta I noticed a
> problem in the httpd run directory permission. Then I tried F11 and
> the same problem happens:
>
> [Wed Oct 28 12:05:02 2009] [notice] Apache/2.2.13 (Unix) DAV/2
> PHP/5.2.9 mod_python/3.3.1 Python/2.6 mod_ssl/2.2.13
> OpenSSL/0.9.8k-fips mod_wsgi/2.6 mod_perl/2.0.4 Perl/v5.10.0
> configured -- resuming normal operations
> [Wed Oct 28 12:05:09 2009] [error] [client 10.0.2.15] (13)Permission
> denied: mod_wsgi (pid=2722): Unable to connect to WSGI daemon process
> 'mygroup' on '/etc/httpd/run/wsgi.2692.0.1.sock' after multiple
> attempts.
>
> The problem is that until F10 the httpd socket directory was /var/run/
> and in F11 and F12 it is /var/run/httpd:
>
> # ll /etc/httpd/run
> lrwxrwxrwx. 1 root root 19 2009-10-28 11:04 /etc/httpd/run ->
> ../../var/run/httpd
>
> # ll -d /var/run/httpd
> drwx------. 2 root root 4096 2009-10-28 11:51 /var/run/httpd
>
> # ll -d /var/run
> drwxr-xr-x. 31 root root 4096 2009-10-28 11:35 /var/run
>
> # ll /var/run/httpd/
> total 4
> -rw-r--r--. 1 root   root 5 2009-10-28 12:05 httpd.pid
> srwx------. 1 apache root 0 2009-10-28 12:05 wsgi.2692.0.1.sock
>
> That can break some apache modules like mod_wsgi which rely on sockets.
>
> Any of these solve the problem:
>
> # chmod o+x /var/run/httpd
> # chown apache.root /var/run/httpd
>
> Is there a reason for the /var/run/httpd permissions to be as in
> F11/12? Is it necessary to have user intervention to fix it? I
> have posted at the mod_wsgi list:
>
> http://groups.google.com/group/modwsgi/t/c5f5abc122088478

I had exactly the same problem with mod_fcgid and ended up creating a 
separate socket directory /var/run/mod_fcgid with appropriate 
permissions instead of following /etc/httpd/run.

If you create a directory matching /var/run/mod_.* with suitable 
permissions and include that directory in your package then it should 
get the right SELinux context set so that it will work out of the box.

Paul.
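
The listing quoted above shows the socket owned by apache inside a directory that is drwx------ root root, so the apache user lacks the search (x) bit needed to reach it. The following is an added example, not part of the original message or of any Fedora or mod_wsgi code: it walks the directories above a socket and reports the first one a given uid cannot search. The function names, the temporary tree and the hypothetical worker uid are constructed for illustration, and only classic mode bits are checked (no ACLs, no SELinux).

```python
import os
import stat
import tempfile

def can_search(st, uid, gids):
    """Mode-bit check for directory search (x); ACLs and SELinux are not modelled."""
    if uid == 0:
        return True                      # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def first_blocking_dir(sock_path, uid, gids, base=os.sep):
    """First directory from base down to the socket's parent that uid cannot search, else None."""
    real = os.path.realpath(sock_path)   # follows links such as /etc/httpd/run
    base = os.path.realpath(base)
    chain, d = [], os.path.dirname(real)
    while True:
        chain.append(d)
        if d == base or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    for d in reversed(chain):            # check top-down, as the kernel resolves the path
        if not can_search(os.stat(d), uid, gids):
            return d
    return None

def demo():
    """Constructed tree standing in for /var/run/httpd; the worker uid is hypothetical."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.chmod(base, 0o755)                # like /var/run: drwxr-xr-x
    run_dir = os.path.join(base, "httpd")
    os.mkdir(run_dir)
    sock = os.path.join(run_dir, "wsgi.sock")
    open(sock, "w").close()              # plain file as a stand-in for the socket
    os.chmod(run_dir, 0o700)             # drwx------ as in the report
    owner = os.stat(run_dir)
    worker_uid, worker_gids = owner.st_uid + 1, {owner.st_gid + 1}  # neither owner nor group
    before = first_blocking_dir(sock, worker_uid, worker_gids, base)
    os.chmod(run_dir, 0o701)             # effect of "chmod o+x"
    after = first_blocking_dir(sock, worker_uid, worker_gids, base)
    return run_dir, before, after

if __name__ == "__main__":
    print(demo())
```

Evaluating the same path with the directory owner's uid corresponds to the chown variant of the fix, where the daemon user owns the run directory.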