
Bug 411149

Summary: sec-policy/selinux-apache-2.20110726-r2: add Allow httpd daemon to change system limits (from Fedora 16)
Product: Gentoo Linux Reporter: Florian Steinel <Florian.Steinel>
Component: Hardened
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://pkgs.fedoraproject.org/gitweb/?p=selinux-policy.git;a=blob;f=policy-F16.patch;h=09afdb9104715879ec6b7cbf16026b2e34b5fe83;hb=HEAD#l26518
Whiteboard: sec-policy r8
Package list:
Runtime testing required: ---

Description Florian Steinel 2012-04-07 14:33:46 UTC
lighttpd fails to start if selinux is in enforcing mode and server.max-fds is set in /etc/lighttpd/lighttpd.conf.

From http://pkgs.fedoraproject.org/gitweb/?p=lighttpd.git;a=blob;f=lighttpd-1.4.28-defaultconf.patch;h=a7ade510cfe02d596b4177331e09a43f4cb44af3;hb=HEAD :
With SELinux enabled, this is denied by default and needs to be allowed
by running the following once : setsebool -P httpd_setrlimit on

httpd_setrlimit is defined in $URL.
Please add the fedora patch for the httpd_setrlimit to sec-policy/selinux-apache.

## <desc>
##     <p>
##     Allow httpd daemon to change system limits
##     </p>
## </desc>
gen_tunable(httpd_setrlimit, false)

tunable_policy(`httpd_setrlimit',`
       allow httpd_t self:process setrlimit;
       allow httpd_t self:capability sys_resource;
')

The files/conf/lighttpd.conf from www-servers/lighttpd differs from lighttpd upstream, so the fedora patch doesn't apply :-(


Reproducible: Always
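As an added example (not from this bug report, Fedora, or Gentoo's selinux-apache package), a POSIX shell script that scans constructed AVC denial lines and reports which denials the two rules under the httpd_setrlimit tunable would cover, and which httpd_t denials need a different fix. The audit lines are constructed samples, not real output.

```shell
#!/bin/sh
# Constructed AVC lines in audit.log style. Note the last one: a setrlimit
# denial for sshd_t, which httpd_setrlimit does not touch (the rules are
# "self" rules on httpd_t only).
SAMPLE_AVC='type=AVC msg=audit(1333809226.123:45): avc: denied { setrlimit } for pid=1234 comm="lighttpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1333809226.124:46): avc: denied { sys_resource } for pid=1234 comm="lighttpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1333809226.125:47): avc: denied { name_connect } for pid=1234 comm="lighttpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1333809226.126:48): avc: denied { setrlimit } for pid=999 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=process'

# Reads AVC lines on stdin; prints one permission per denial that
# "allow httpd_t self:process setrlimit" or
# "allow httpd_t self:capability sys_resource" would allow, i.e. source
# and target context are both httpd_t and class/permission match.
covered_by_httpd_setrlimit() {
    grep 'avc: *denied' |
    grep 'scontext=[^ ]*:httpd_t:' |
    grep 'tcontext=[^ ]*:httpd_t:' |
    awk '
        index($0, "{ setrlimit }") && /tclass=process/       { print "setrlimit" }
        index($0, "{ sys_resource }") && /tclass=capability/ { print "sys_resource" }
    '
}

# Reads AVC lines on stdin; prints "<perm> on <class>" for httpd_t denials
# the tunable does not address, so they are not mistaken for this bug.
uncovered_httpd_denials() {
    grep 'avc: *denied' |
    grep 'scontext=[^ ]*:httpd_t:' |
    grep -v -e '{ setrlimit }' -e '{ sys_resource }' |
    sed -n 's/.*{ \([a-z_]*\) }.*tclass=\([a-z_]*\).*/\1 on \2/p'
}

echo "Covered by httpd_setrlimit:"
printf '%s\n' "$SAMPLE_AVC" | covered_by_httpd_setrlimit
echo "Not covered (other fix needed):"
printf '%s\n' "$SAMPLE_AVC" | uncovered_httpd_denials
```

Run it against real denials with `grep AVC /var/log/audit/audit.log | covered_by_httpd_setrlimit` once the functions are sourced.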
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-18 20:56:24 UTC
I don't agree with its description. Afaik, setrlimit doesn't allow changing system limits, but changing /its/ resource limits (only of the target domain, which is self - so httpd_t here).
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-18 21:03:56 UTC
Will be in -r8, but I'm feeling somewhat reserved on this one.

If it gets accepted upstream, it's good. But if not (because it is too specific) we might go and have users update their policy locally instead. It's a small local policy change anyhow.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-22 08:37:01 UTC
In hardened-dev overlay
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-26 18:40:48 UTC
In main tree, ~arch'ed
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-30 16:38:48 UTC
Stabilized