All - I have a script which needs to execute the following command:

sudo /etc/init.d/httpd graceful

In the sudoers file, I have commented out requiretty and added:

apache sz2 = NOPASSWD: /etc/init.d/httpd graceful

Performing an su - apache -s /bin/bash, then executing "sudo /etc/init.d/httpd graceful", will execute. However, when I have the following command in a PHP script and execute it from a browser:

<? echo exec('sudo /etc/init.d/httpd graceful'); ?>

it won't work. The thing is, if I execute 'setenforce 0' to turn SELinux off, it works. I've attempted to change the security context on the init.d/httpd script to httpd_sys_content_t, and the same for the /usr/sbin/httpd file, to no avail. Any suggestions on how I can get this to execute?
/var/log/audit/audit.log helps immensely here. A lot of policies have to be set into place to allow this to happen - through audit2allow. I will post more details when I know them....
Yes, but not as I would have liked. I finally gave up trying to give the apache user sudo rights to restart Apache on the backend. In manual testing it worked (su'ing to the apache user, then gracefully restarting the daemon), but in practice it did not, and I didn't want to invest any more hours trying to get it to work. The trigger I needed was when a new site would be created: a new virtual host config file would be created in the /etc/httpd/conf/vhost folder (I created vhost; it's not there from the factory CentOS 5.2 install). The text file was just a null file that a shell script looked for every 60 seconds with the help of a cron job run as root. If the shell script found the file, it would restart Apache; if it doesn't, the shell script ends gracefully. Not very refined, but it does the job perfectly and has done so since I made this post.
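The cron-driven flag-file watcher described in this reply, written out as an added example (this is not the poster's actual script). The flag directory, the flag filename restart.flag, and the crontab line are assumptions; the point is that the web server only gets to create an empty file, while the restart command stays fixed in a script that root runs, so no sudo grant and no SELinux exception are needed.

```shell
#!/bin/sh
# Added example, not the poster's script: a root cron job polls a directory the
# web server may write to and performs the graceful httpd restart itself.
# Flag directory, flag name and cron wiring are assumptions.
#
# Assumed crontab line (root):  * * * * * /usr/local/sbin/vhost-watch.sh run

# restart_if_flagged DIR NAME CMD
# Returns 0 after running CMD when DIR/NAME is a plain empty file,
# 1 when no flag is present, 2 when the flag is not a plain empty file.
restart_if_flagged() {
    dir="$1"; name="$2"; cmd="$3"
    flag="$dir/$name"

    # Nothing to do: the common case for a job that runs every minute.
    if [ ! -e "$flag" ] && [ ! -L "$flag" ]; then
        return 1
    fi

    # The directory is web-writable, so only act on what the design expects:
    # a regular, empty file. Symlinks or files with content are left alone
    # (they may be real vhost configs) and reported instead of acted upon.
    if [ -L "$flag" ] || [ ! -f "$flag" ] || [ -s "$flag" ]; then
        echo "vhost-watch: ignoring unexpected $flag" >&2
        return 2
    fi

    # Consume the flag before restarting so a failing restart cannot
    # re-trigger every minute. The command is fixed here; the web app can
    # only ask for a restart, never choose what runs as root.
    rm -f "$flag"
    $cmd
}

# Only touch the real paths when invoked as the cron job ("run" argument).
if [ "${1:-}" = "run" ]; then
    restart_if_flagged /etc/httpd/conf/vhost restart.flag "/etc/init.d/httpd graceful"
fi
```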