centos 5.2 - Apache having trouble sudo'ing httpd graceful

Discussion in 'Server Operation' started by sfunk1x, Aug 26, 2009.

  1. sfunk1x

    sfunk1x New Member

    All -

    I have a script which needs to execute the following command:

    sudo /etc/init.d/httpd graceful

    In the sudoers file, I have commented out requiretty and added

    apache sz2 = NOPASSWD: /etc/init.d/httpd graceful

    Performing an su - apache -s /bin/bash, then executing "sudo /etc/init.d/httpd graceful" will execute. However, when I have the following command in a php script and execute from a browser:

    echo exec('sudo /etc/init.d/httpd graceful');

    it won't work.

    The thing is, if I execute 'setenforce 0' to turn selinux off, it works. I've attempted to change security context on the init.d/httpd script to httpd_sys_content_t, and the same thing for the /usr/sbin/httpd file to no avail.

    Any suggestions on how I can get this to execute?
  2. sfunk1x

    sfunk1x New Member

    /var/log/audit/audit.log helps immensely here. A lot of policies have to be set into place to allow this to happen - through audit2allow. I will post more details when I know them....
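The audit.log pointer above is the right place to start for the denial described in the first post. As an added example (not code from either poster), here is a small sh/awk summariser that reduces the AVC records in /var/log/audit/audit.log to one line per denial: permission, process, source SELinux type, target type and object class. The sample records it ships with are constructed to approximate what httpd_t being blocked from running sudo would look like; the exact type names (sudo_exec_t, etc_t) are assumptions about the CentOS 5 policy, not values taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: summarise SELinux AVC denials.
# Real use: summarize_avc /var/log/audit/audit.log

# Print one line per AVC denial:
#   <permission> <comm> <source type> <target type> <tclass>
summarize_avc() {
    # $1: path to an audit log (or any file of audit records)
    grep '^type=AVC' "$1" | awk '
    {
        perm = ""; comm = ""; scon = ""; tcon = ""; tclass = ""
        # the permission list sits between "{" and "}"
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "scontext") { scon = type_of(kv[2]) }
            if (kv[1] == "tcontext") { tcon = type_of(kv[2]) }
            if (kv[1] == "tclass")   { tclass = kv[2] }
        }
        printf "%s %s %s %s %s\n", perm, comm, scon, tcon, tclass
    }
    # the third colon-separated field of a context is the SELinux type
    function type_of(ctx,   parts) { split(ctx, parts, ":"); return parts[3] }
    '
}

# Constructed sample records (NOT taken from a real system); the type names
# are assumptions about the CentOS 5 targeted policy.
sample_audit_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=AVC msg=audit(1251300000.123:456): avc:  denied  { execute } for  pid=2345 comm="httpd" name="sudo" dev=sda2 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1251300000.123:456): arch=40000003 syscall=11 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1251300000.789:457): avc:  denied  { read } for  pid=2345 comm="httpd" name="sudoers" dev=sda2 ino=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
    echo "$f"
}

# Stand-alone run: summarise the constructed sample.
# Expected output:
#   execute httpd httpd_t sudo_exec_t file
#   read httpd httpd_t etc_t file
summarize_avc "$(sample_audit_file)"
```

Each output line is one rule a local module built with audit2allow would have to grant, and each such rule widens what a process running as httpd_t may do, which is the practical reason the list of "policies that have to be set into place" grows quickly for this use case.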
  3. cento_claus

    cento_claus New Member

    Could you finally fix your problem?
    I am having the same issue...
  4. sfunk1x

    sfunk1x New Member

    Yes, but not as I would have liked.

    I finally gave up trying to give the apache user sudo rights to restart apache on the backend. In manual testing it worked (su'ing to apache user, then graceful restarting to the daemon) but in practice it was not and I didn't want to invest any more hours trying to get it to work.

    The trigger I needed was when a new site would be created a new virtual host config file would be created in the /etc/httpd/conf/vhost folder (I created vhost, it's not there from the factory centos 5.2 install). The text file was just a null file that a shell script looked for every 60 seconds with the help of a cron job run as root. If the shell script found the file, it would restart apache; if it didn't, the shell script ended gracefully.

    Not very refined, but it does the job perfectly and has done so since I made this post.
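The cron-driven trigger file in the post above is a sounder design than giving the web server sudo rights, because root performs the restart and the only thing the apache user can do is ask for one. As an added example that is not the poster's own script, here is one way to write that cron job. The spool directory /var/spool/httpd-reload, the configtest step before restarting, and removing the trigger file before the restart are my assumptions; the thread only says the file is looked for every 60 seconds and that finding it triggers a restart.

```shell
#!/bin/sh
# Added example, not the poster's script: root cron job that performs a
# graceful Apache restart when a trigger file exists.
# crontab entry (assumed location of this script):
#   * * * * * root /usr/local/sbin/httpd-reload.sh run

# All three paths are assumptions; override them from the environment.
TRIGGER_DIR="${TRIGGER_DIR:-/var/spool/httpd-reload}"
TRIGGER_FILE="${TRIGGER_FILE:-$TRIGGER_DIR/reload}"
CONFIGTEST_CMD="${CONFIGTEST_CMD:-/usr/sbin/apachectl configtest}"
RESTART_CMD="${RESTART_CMD:-/etc/init.d/httpd graceful}"

log() { echo "httpd-reload: $*" >&2; }

# Returns 0 when a graceful restart was performed,
#         1 when there was no trigger file (nothing to do),
#         2 when the trigger was present but the config failed its check,
#         3 when the restart command itself failed.
check_trigger() {
    [ -e "$TRIGGER_FILE" ] || return 1
    # Remove the trigger first so a failing restart is not retried every
    # minute; only the file's existence matters, its contents are never read.
    rm -f "$TRIGGER_FILE"
    # Never reload a broken configuration (added check, not in the thread).
    if ! $CONFIGTEST_CMD >/dev/null 2>&1; then
        log "configtest failed; graceful restart skipped"
        return 2
    fi
    if ! $RESTART_CMD >/dev/null 2>&1; then
        log "graceful restart failed"
        return 3
    fi
    log "graceful restart performed"
    return 0
}

# Entry point for cron; the "run" argument keeps the function sourceable.
[ "${1:-}" = "run" ] && check_trigger
```

Make the trigger directory writable by the apache user and nothing else, keep the script itself root-owned and not writable by apache, and note that the script only tests for the file's existence: it never reads or executes the file's contents, so whoever can create the trigger gains nothing beyond a restart.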