Bug 411149 - sec-policy/selinux-apache-2.20110726-r2: add Allow httpd daemon to change system limits (from Fedora 16)
Summary: sec-policy/selinux-apache-2.20110726-r2: add Allow httpd daemon to change sys...
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r8
Depends on:
Reported: 2012-04-07 14:33 UTC by Florian Steinel
Modified: 2012-07-30 16:38 UTC

See Also:
Package list:
Runtime testing required: ---


Description Florian Steinel 2012-04-07 14:33:46 UTC
lighttpd fails to start if SELinux is in enforcing mode and server.max-fds is set in /etc/lighttpd/lighttpd.conf.

From;a=blob;f=lighttpd-1.4.28-defaultconf.patch;h=a7ade510cfe02d596b4177331e09a43f4cb44af3;hb=HEAD :
With SELinux enabled, this is denied by default and needs to be allowed
by running the following once : setsebool -P httpd_setrlimit on

httpd_setrlimit is defined in $URL.
Please add the fedora patch for the httpd_setrlimit to sec-policy/selinux-apache.

## <desc>
##     <p>
##     Allow httpd daemon to change system limits
##     </p>
## </desc>
gen_tunable(httpd_setrlimit, false)

# The two rules only take effect while the boolean is on
# (setsebool -P httpd_setrlimit on):
tunable_policy(`httpd_setrlimit',`
	# setrlimit(2) on the domain's own process limits
	allow httpd_t self:process setrlimit;
	# CAP_SYS_RESOURCE, needed to raise a hard limit
	allow httpd_t self:capability sys_resource;
')

The files/conf/lighttpd.conf from www-servers/lighttpd differs from lighttpd upstream, so the Fedora patch doesn't apply :-(

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-18 20:56:24 UTC
I don't agree with its description. Afaik, setrlimit doesn't allow changing system limits, but changing /its/ resource limits (only of the target domain, which is self - so httpd_t here).
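The two allow rules in the report map onto two different kernel checks, which is the distinction Comment 1 draws: process:setrlimit covers any setrlimit(2) call a domain makes on itself, while capability:sys_resource (CAP_SYS_RESOURCE) is consulted only when the call tries to raise a hard limit. The program below is an added illustration written for this page; it is not lighttpd's code and not part of the bug. The apply_max_fds function is an assumed model of what a server does with a configured max-fds value (soft limit set to the value, hard limit raised only if the value exceeds it); all function names are the example's own. It targets Linux.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Current hard limit on open file descriptors (0 if it cannot be read). */
rlim_t current_hard_nofile(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return 0;
    return rl.rlim_max;
}

/* Raise the soft RLIMIT_NOFILE up to the hard limit. No capability is
 * needed for this; under SELinux the only check is process:setrlimit on
 * the domain itself. Returns 0 on success, otherwise errno. */
int raise_soft_nofile(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return errno;
    rl.rlim_cur = rl.rlim_max;
    return setrlimit(RLIMIT_NOFILE, &rl) == 0 ? 0 : errno;
}

/* Assumed model of a server applying a configured max-fds value (not
 * lighttpd's own code): soft := max_fds, and the hard limit is raised only
 * when max_fds is above it. Raising the hard limit is the step that needs
 * CAP_SYS_RESOURCE (capability:sys_resource in the policy); the kernel
 * answers EPERM without it. Returns 0 on success, otherwise errno. */
int apply_max_fds(rlim_t max_fds) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return errno;
    rl.rlim_cur = max_fds;
    if (max_fds > rl.rlim_max)
        rl.rlim_max = max_fds;   /* this is where sys_resource is required */
    return setrlimit(RLIMIT_NOFILE, &rl) == 0 ? 0 : errno;
}

/* Try to go one above the current hard limit. Returns 0 when the process
 * holds CAP_SYS_RESOURCE and the kernel permits the new value, EPERM
 * otherwise (an unlimited or unreadable hard limit is reported as 0). */
int try_exceed_hard_nofile(void) {
    rlim_t hard = current_hard_nofile();
    if (hard == RLIM_INFINITY || hard == 0) return 0;
    return apply_max_fds(hard + 1);
}

int main(void) {
    printf("raise soft to hard:     %s\n", strerror(raise_soft_nofile()));
    printf("apply max-fds == hard:  %s\n",
           strerror(apply_max_fds(current_hard_nofile())));
    printf("raise above hard limit: %s\n", strerror(try_exceed_hard_nofile()));
    return 0;
}
```

Run as an unprivileged user the last line reports "Operation not permitted", as root it typically succeeds; in both cases the first two calls succeed, which is why a max-fds value at or below the existing hard limit only ever needs process:setrlimit, and the capability rule matters only for values above it.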
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-18 21:03:56 UTC
Will be in -r8, but I'm feeling somewhat reserved on this one.

If it gets accepted upstream, it's good. But if not (because it is too specific) we might go and have users update their policy locally instead. It's a small local policy change anyhow.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-22 08:37:01 UTC
In hardened-dev overlay
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-26 18:40:48 UTC
In main tree, ~arch'ed
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-30 16:38:48 UTC