Bug 571924
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | lighttpd's server.max-fds conflicts with SELinux policy | | |
| Product: | [Fedora] Fedora | Reporter: | François Cami <contribs> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 12 | CC: | contribs, dwalsh, fcami, matthias, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.6.32-121.fc12 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 572175 (view as bug list) | Environment: | |
| Last Closed: | 2010-08-26 00:57:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
I forgot to say: increasing server.max-fds is advisable when lighttpd is used to serve dynamic content (php, fcgi, etc) for busy domains, as per lighty's documentation: http://redmine.lighttpd.net/wiki/1/Docs:Performance

FYI this is fixed in Fedora 13, with the httpd_setrlimit boolean. Miroslav can you back port this.

Fixed in selinux-policy-3.6.32-121.fc12

selinux-policy-3.6.32-121.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-121.fc12

selinux-policy-3.6.32-121.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-121.fc12

selinux-policy-3.6.32-121.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem:
The default SELinux policy in Fedora 12 does not allow lighttpd to set its own maximum open file descriptors.

Steps to Reproduce:
```
# yum -y install lighttpd
(...)
# service lighttpd start
Starting lighttpd:                                         [  OK  ]
# cat /proc/`ps ax | grep lighttpd | grep -v grep | awk -F " " '{print $1}'`/limits |grep "Max open files"
Max open files            1024                 1024                 files
# echo "server.max-fds = 2048" >> /etc/lighttpd/lighttpd.conf
# service lighttpd restart
Stopping lighttpd:                                         [  OK  ]
Starting lighttpd: 2010-03-09 20:51:28: (server.c.712) couldn't set 'max filedescriptors' Operation not permitted
                                                           [FAILED]
```

Actual results:
lighttpd does not start.

Expected results:
lighttpd starts and is able to open 2048 file descriptors.

Additional info:
Creating a SELinux module to allow lighttpd to set its own open fd limit is possible after enabling SELinux silent denials logging.
```
# /usr/sbin/semodule -DB
# service auditd restart
# service lighttpd restart
Stopping lighttpd:                                         [FAILED]
Starting lighttpd: 2010-03-09 21:11:28: (server.c.712) couldn't set 'max filedescriptors' Operation not permitted
                                                           [FAILED]
# grep lighttpd /var/log/audit/audit.log | audit2allow -M lighttpdmaxfds2
# semodule -i lighttpdmaxfds2.pp
# service lighttpd restart
Stopping lighttpd:                                         [FAILED]
Starting lighttpd:                                         [  OK  ]
# cat /proc/`ps ax | grep lighttpd | grep -v grep | awk -F " " '{print $1}'`/limits |grep "Max open files"
Max open files            2048                 2048                 files
```
(success!)
semodule content:
```
module lighttpdmaxfds2 1.0;

require {
	type httpd_t;
	class process setrlimit;
	class capability sys_resource;
}

#============= httpd_t ==============
allow httpd_t self:capability sys_resource;
allow httpd_t self:process setrlimit;
```

```
# grep lighttpd /var/log/audit/audit.log
type=AVC msg=audit(1268165186.530:57861): avc: denied { setrlimit } for pid=3793 comm="lighttpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1268165186.530:57861): arch=40000003 syscall=75 success=no exit=-13 a0=7 a1=bf87b14c a2=280ff4 a3=3 items=0 ppid=3792 pid=3793 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1268165422.052:57869): avc: denied { sys_resource } for pid=3851 comm="lighttpd" capability=24 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1268165422.052:57869): arch=40000003 syscall=75 success=no exit=-1 a0=7 a1=bfddb68c a2=36bff4 a3=3 items=0 ppid=3850 pid=3851 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1268165488.391:57880): avc: denied { sys_resource } for pid=3916 comm="lighttpd" capability=24 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1268165488.391:57880): arch=40000003 syscall=75 success=no exit=-1 a0=7 a1=bfb14d8c a2=4faff4 a3=3 items=0 ppid=3915 pid=3916 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
```
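As an added example (not part of the bug report, and not the code of audit2allow or of the Fedora policy), the following Python script does for the three AVC records above what `audit2allow -M lighttpdmaxfds2` did for the reporter: it parses the denials, collapses them into allow rules (using `self` when a domain is denied access to its own context), renders a Type Enforcement module in the same layout as the one in the report, and lists which rules grant a capability so an administrator can judge the exposure before loading the module. The function names `parse_avc`, `derive_rules`, `render_module` and `capability_grants` are this example's own; the input lines are the report's AVC records, with the SYSCALL records omitted because the rule derivation does not need them.

```python
import re
from collections import defaultdict

# The three AVC records from this bug report (SYSCALL records omitted).
AVC_LINES = [
    'type=AVC msg=audit(1268165186.530:57861): avc: denied { setrlimit } for pid=3793 comm="lighttpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process',
    'type=AVC msg=audit(1268165422.052:57869): avc: denied { sys_resource } for pid=3851 comm="lighttpd" capability=24 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability',
    'type=AVC msg=audit(1268165488.391:57880): avc: denied { sys_resource } for pid=3916 comm="lighttpd" capability=24 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability',
]

# Matches only denied AVC records; "granted" records and SYSCALL lines are skipped.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\b.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return None for anything that is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def derive_rules(lines):
    """Collapse denials into {(source_type, target, class): permissions}.

    A denial whose target type equals its source type becomes a 'self' rule,
    which is how the module in the report expresses httpd_t's own limits.
    """
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        target = "self" if rec["target"] == rec["source"] else rec["target"]
        rules[(rec["source"], target, rec["tclass"])] |= rec["perms"]
    return dict(rules)


def _fmt_perms(perms):
    """SELinux syntax: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, rules, version="1.0"):
    """Emit a Type Enforcement module in the layout audit2allow -M produces."""
    sources = sorted({s for s, _, _ in rules})
    types = sorted(set(sources) | {t for _, t, _ in rules if t != "self"})
    class_perms = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        class_perms[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {_fmt_perms(p)};" for cls, p in sorted(class_perms.items())]
    out += ["}", ""]
    for src in sources:
        out.append(f"#============= {src} ==============")
        for (s, tgt, cls), perms in sorted(rules.items()):
            if s == src:
                out.append(f"allow {s} {tgt}:{cls} {_fmt_perms(perms)};")
        out.append("")
    return "\n".join(out)


def capability_grants(rules):
    """List (domain, capability) pairs the module would grant.

    Capabilities apply to the whole process rather than to one object, and
    CAP_SYS_RESOURCE covers more than raising RLIMIT_NOFILE, so these rules
    deserve a second look before a locally generated module is loaded.
    """
    return sorted((s, p) for (s, _, cls), perms in rules.items()
                  if cls == "capability" for p in perms)


if __name__ == "__main__":
    derived = derive_rules(AVC_LINES)
    print(render_module("lighttpdmaxfds2", derived))
    for domain, cap in capability_grants(derived):
        print(f"note: {domain} would gain capability {cap}")
```

Run against the report's records, the script reproduces the two allow rules of the reporter's module and flags `sys_resource` as a capability grant. That flag is the practical point: a locally generated module hands `httpd_t` the whole capability, whereas the `httpd_setrlimit` boolean in the fixed policy ships the same permission as a distribution-maintained, switchable policy setting, which is the option to prefer once it is available.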