lighttpd fails to start if SELinux is in enforcing mode and server.max-fds is set in /etc/lighttpd/lighttpd.conf.

From http://pkgs.fedoraproject.org/gitweb/?p=lighttpd.git;a=blob;f=lighttpd-1.4.28-defaultconf.patch;h=a7ade510cfe02d596b4177331e09a43f4cb44af3;hb=HEAD :

    With SELinux enabled, this is denied by default and needs to be allowed by running the following once:
    setsebool -P httpd_setrlimit on

httpd_setrlimit is defined in $URL. Please add the Fedora patch for httpd_setrlimit to sec-policy/selinux-apache.

    ## <desc>
    ## <p>
    ## Allow httpd daemon to change system limits
    ## </p>
    ## </desc>
    gen_tunable(httpd_setrlimit, false)

    tunable_policy(`httpd_setrlimit',`
        allow httpd_t self:process setrlimit;
        allow httpd_t self:capability sys_resource;
    ')

The files/conf/lighttpd.conf from www-servers/lighttpd differs from lighttpd upstream, so the Fedora patch doesn't apply :-(

Reproducible: Always
I don't agree with its description. AFAIK, setrlimit doesn't allow changing system limits, but changing /its/ resource limits (only of the target domain, which is self, so httpd_t here).
Will be in -r8, but I'm feeling somewhat reserved on this one. If it gets accepted upstream, it's good. But if not (because it is too specific) we might go and have users update their policy locally instead. It's a small local policy change anyhow.
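The "update their policy locally" route mentioned above, written out as a standalone SELinux policy module. This is an added example, not code from the Gentoo selinux-apache package or from the Fedora patch; the module name lighttpd_setrlimit_local and the file names are assumed. It grants exactly the two permissions the Fedora tunable wraps, unconditionally, for systems where no httpd_setrlimit boolean exists yet.

```selinux
# lighttpd_setrlimit_local.te (name assumed for this example)
#
# Local SELinux policy module letting lighttpd, which runs as httpd_t, raise
# its own resource limits. Setting server.max-fds makes lighttpd call
# setrlimit(2) on RLIMIT_NOFILE at startup; under an enforcing policy that
# lacks these rules the call is denied and the daemon refuses to start.
#
# Build and load as root (checkmodule from checkpolicy, the rest from
# policycoreutils):
#   checkmodule -M -m -o lighttpd_setrlimit_local.mod lighttpd_setrlimit_local.te
#   semodule_package -o lighttpd_setrlimit_local.pp -m lighttpd_setrlimit_local.mod
#   semodule -i lighttpd_setrlimit_local.pp
#
# Verify the rules are present (setools), then look for any remaining AVCs:
#   sesearch -A -s httpd_t -t httpd_t -c process -p setrlimit
#   sesearch -A -s httpd_t -t httpd_t -c capability -p sys_resource
#   ausearch -m AVC -c lighttpd

module lighttpd_setrlimit_local 1.0;

require {
    type httpd_t;
    class process setrlimit;
    class capability sys_resource;
}

# Only the daemon's own process limits are touched (target is self, the
# same httpd_t domain), not limits of other domains or system-wide settings.
allow httpd_t self:process setrlimit;

# Raising a hard limit above the current hard limit requires
# CAP_SYS_RESOURCE; lowering or raising only the soft limit does not.
allow httpd_t self:capability sys_resource;
```

Once a policy that carries the httpd_setrlimit tunable is installed, this module becomes redundant and should be removed with `semodule -r lighttpd_setrlimit_local`; the boolean form, `setsebool -P httpd_setrlimit on`, is preferable because it can be switched off again without rebuilding anything and because the policy stays in step with upstream.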
In hardened-dev overlay
In main tree, ~arch'ed
Stabilized