Summary: | sec-policy/selinux-apache-2.20110726-r2: add Allow httpd daemon to change system limits (from Fedora 16) | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Florian Steinel <Florian.Steinel> |
Component: | Hardened | Assignee: | Sven Vermeulen (RETIRED) <swift> |
Status: | VERIFIED FIXED | | |
Severity: | normal | CC: | selinux |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://pkgs.fedoraproject.org/gitweb/?p=selinux-policy.git;a=blob;f=policy-F16.patch;h=09afdb9104715879ec6b7cbf16026b2e34b5fe83;hb=HEAD#l26518 | | |
Whiteboard: | sec-policy r8 | | |
Package list: | | Runtime testing required: | --- |
Description
Florian Steinel
2012-04-07 14:33:46 UTC
I don't agree with its description. Afaik, setrlimit doesn't allow changing system limits, but changing /its/ resource limits (only of the target domain, which is self - so httpd_t here). Will be in -r8, but I'm feeling somewhat reserved on this one. If it gets accepted upstream, it's good. But if not (because it is too specific) we might go and have users update their policy locally instead. It's a small local policy change anyhow.

In hardened-dev overlay

In main tree, ~arch'ed

Stabilized