There’s a long-standing bug that prevents mod_security from writing to /var/lib/mod_security/.

According to Red Hat Bugzilla this bug should have been fixed around May 2013, but it still exists – on a fully patched CentOS 6.5. From /var/log/audit/audit.log:

type=AVC msg=audit(1411718594.811:7017): avc: denied { write } for pid=28144 comm="httpd" name="global.dir" dev=dm-0 ino=1577960 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

type=AVC msg=audit(1411718594.812:7018): avc: denied { write } for pid=28144 comm="httpd" name="ip.dir" dev=dm-0 ino=1577962 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

To relabel this directory with the proper “httpd_var_lib_t” context, run the following as root:

semanage fcontext -a -t httpd_var_lib_t "/var/lib/mod_security(/.*)?"
restorecon -Rv /var/lib/mod_security
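As an added example (not part of the original post), the following Python check parses AVC records like the two above out of audit.log and, where httpd_t was denied write access to var_lib_t objects, emits the same semanage/restorecon fix. The directory to relabel is passed in by the caller because an AVC record only carries the file name, not its path.

```python
import re

# Constructed sample: the post's two AVC records joined back onto one line
# each, plus one SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1411718594.811:7017): avc: denied { write } for pid=28144 comm="httpd" name="global.dir" dev=dm-0 ino=1577960 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1411718594.812:7018): avc: denied { write } for pid=28144 comm="httpd" name="ip.dir" dev=dm-0 ino=1577962 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1411718594.811:7017): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Object type httpd_t may write under /var/lib; this is the type the post relabels to.
EXPECTED_TYPE = {("httpd_t", "var_lib_t"): "httpd_var_lib_t"}

def parse_avc_denials(log_text):
    """Return one dict per 'avc: denied' record with the SELinux types split out."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        denials.append({
            "serial": int(m.group("serial")),
            "perms": m.group("perms").split(),
            "comm": kv.get("comm"),
            "name": kv.get("name"),
            "tclass": kv.get("tclass"),
            "source_type": kv["scontext"].split(":")[2],  # e.g. httpd_t
            "target_type": kv["tcontext"].split(":")[2],  # e.g. var_lib_t
        })
    return denials

def suggest_relabel(denials, directory):
    """Emit the post's semanage/restorecon fix once per type that needs relabeling.
    The AVC record only names the file, so `directory` is a caller-supplied assumption."""
    types_needed = []
    for d in denials:
        new_type = EXPECTED_TYPE.get((d["source_type"], d["target_type"]))
        if new_type and "write" in d["perms"] and new_type not in types_needed:
            types_needed.append(new_type)
    commands = []
    for t in types_needed:
        commands.append('semanage fcontext -a -t %s "%s(/.*)?"' % (t, directory))
        commands.append("restorecon -Rv %s" % directory)
    return commands
```

Running `suggest_relabel(parse_avc_denials(SAMPLE_AUDIT_LOG), "/var/lib/mod_security")` yields exactly the two commands given above; on a real system feed it the output of `grep '^type=AVC' /var/log/audit/audit.log`.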

Updated: