anyone has created the acl for redhat's services, such as apache, ftpd etc?

Care to share on how to do it? I've tried it, but rather confused. Let's say for apache, do I create an acl for /etc/rc.d/init.d/httpd or /usr/sbin/httpd?

Both of them require very different acl config, and I don't know which one is better

No I'm still wrestling with the ACL part.
AFAIK /etc/rc.d/init.d/httpd is the script that starts /usr/sbin/httpd, s IMO you should make it for the /usr/sbin/httpd binary. Create an ACL for it and enable learning mode (see gracl.(swx|doc). I'll see if I can come up with one for Apache-SSL one of these days when I switch to grsecurity-1.9.8-2.4.20.

When I created the learning mode for /usr/sbin/httpd, it didn't log the writing of /var/run/httpd.pid (in redhat). Further, /etc/rc.d/init.d/httpd called logging functions (initlog) that creates errors This should be due to improper ACL config on my part Hopefully I can configure the / subject more properly.

With the ACL not enabled, does it protect chrooted services? For example, does it protect chrooted apache so that it would not be able to do a 2nd chroot (breaking out of chroot)? Do I have to set anything at the /proc fs for that?

I'm learning grsec too and trying to create ACLs for my redhat services.

Even w/o ACL's enabled the extra chroot supporting features can be enabled. Just check your /proc/sys/kernel/grsecurity/* settings if they are:
for i in $(\ls /proc/sys/kernel/grsecurity/*) | grep -ve "acl"; do
echo "kernel.grsecurity.$(basename ${i})= $(cat ${i})"; done