First things first: permissive mode means that SELinux just logs denials to the audit log, but nothing is really denied. It is just for debugging and setting your SELinux policy, and your system is out of SELinux protection when permissive mode is enabled. Enforcing mode is full SELinux functionality with restrictions and also auditing.
In your case, Apache has no access to /opt/foo. See the link https://superuser.com/questions/607409/configuring-selinux-to-allow-logging-to-a-file-thats-outside-var-log but use the SELinux type 'httpd_sys_content_t' instead of 'var_log_t'.
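
An added example, not part of the original answer: a shell sketch that summarises `httpd_t` denials from audit records, showing whether each was enforced or only logged, and builds the relabel commands for `/opt/foo`. The function names and the sample AVC lines are constructed for illustration, and the parser assumes a kernel that writes the `permissive=` field into AVC records.

```shell
#!/bin/sh
# Constructed sample AVC records (not from the original post).
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000050.001:460): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/opt/foo/app.css" dev="dm-0" ino=9877 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000060.500:461): avc:  denied  { read } for  pid=2222 comm="sshd" name="x" dev="dm-0" ino=1 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Hypothetical helper: read audit text on stdin and print one line per
# httpd_t denial: "<blocked|logged-only> <target type> <permissions>".
# permissive=1 means the denial was only logged (permissive mode);
# permissive=0 means the access was really refused (enforcing mode).
httpd_denials() {
    grep 'avc: *denied' | grep 'scontext=[^ ]*:httpd_t:' |
    sed -E 's/.*denied +\{ *([^}]*[^ }]) *\}.*tcontext=[^:]*:[^:]*:([^: ]*).*permissive=([01]).*/\3 \2 \1/' |
    while read -r pflag ttype ops; do
        if [ "$pflag" = 1 ]; then
            echo "logged-only $ttype $ops"
        else
            echo "blocked $ttype $ops"
        fi
    done
}

# Hypothetical helper: print (default) or apply the persistent file-context
# rule and relabel. Usage: relabel_for_httpd /opt/foo [apply]
relabel_for_httpd() {
    dir=${1%/}
    mode=${2:-dry-run}
    if [ "$mode" = apply ]; then
        # Needs root and the semanage/restorecon tools installed.
        semanage fcontext -a -t httpd_sys_content_t "${dir}(/.*)?" &&
        restorecon -Rv "$dir"
    else
        echo "semanage fcontext -a -t httpd_sys_content_t '${dir}(/.*)?'"
        echo "restorecon -Rv '$dir'"
    fi
}

# Demo on the constructed records; on a live host, pipe in
# `ausearch -m avc -c httpd` output instead.
printf '%s\n' "$SAMPLE_AVC" | httpd_denials
relabel_for_httpd /opt/foo
```

After applying the rule, `ls -Zd /opt/foo` should show `httpd_sys_content_t` in the context column.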