Bug 572175
Summary: | lighttpd's server.max-fds conflicts with SELinux policy | | |
---|---|---|---|
Product: | [Fedora] Fedora EPEL | Reporter: | François Cami <fcami> |
Component: | lighttpd | Assignee: | Matthias Saou <matthias> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | | |
Version: | el5 | CC: | dwalsh, fcami, fdc, matthias, tremble |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | 571924 | Environment: | |
Last Closed: | 2011-07-11 14:22:01 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
François Cami
2010-03-10 13:34:54 UTC
This isn't really a bug in lighttpd. Both lighttpd and SELinux are functioning as they should, and this isn't a default setting in EPEL that's breaking things. Modifying the SELinux policy for http_t *really* should not be done in EPEL. If you need this functionality in RHEL 5 I suggest you file an RFE against SELinux policy on RHEL for them to backport the httpd_setrlimit boolean into RHEL 5.

It is fairly easy to add this rule using audit2allow to build a custom policy.

Daniel, Yes, definitely. Thank you.

Dan, would that really be something that it's appropriate for an EPEL package to do though? Easy, yes, but modifying the SELinux policy to allow something that's blocked for httpd_t for a good reason?

Okay, so I had a short conversation with Daniel on IRC. The suggestion is to file an RFE on the selinux-policy for that boolean to get backported (I'll do that) and to create a README.Fedora (or possibly README.epel) explaining how to enable it for now with a local policy.

Note: Preview release of the appropriate SELinux modification has been made available from http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

I'm going to close this, as it's not really meant to be against lighttpd in the first place anyway. I am including minor changes in the 1.4.28 packages to make this problem easier to handle, though:

* The server.max-fds line of the configuration is commented out by default, in order to make lighttpd work "out of the box": Normal sized installs should work just fine now.
* For anyone requiring a higher number of connections, the following has been added to the default configuration file in order to know why just changing server.max-fds won't be enough:

    ## With SELinux enabled, this is denied by default and needs to be allowed
    ## by running the following once : setsebool -P httpd_setrlimit on
    #server.max-fds = 2048

I've tested on F14 and EL6 and it works fine. I'm unsure about EL5.6.
I expect to be making more changes to the lighttpd package over the next few days (F15 systemd service file), but once all changes are done and tested, I'll push 1.4.28 updates to most branches (EL ones included, in testing).
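The thread above describes one specific mismatch: an uncommented `server.max-fds` in lighttpd.conf makes lighttpd raise its descriptor limit with setrlimit, which SELinux denies for httpd_t unless the `httpd_setrlimit` boolean is on. The following POSIX shell check is an added example, not code from the bug report, the lighttpd package or the SELinux policy; it assumes only what the thread states (the directive syntax `server.max-fds = N` and the boolean name), and the function names and the two sample configurations are constructed for the illustration. `getsebool` is the standard SELinux tool for reading a boolean; when it is not installed the check reports the policy state as unknown instead of failing.

```shell
#!/bin/sh
# Added example, not part of the bug report: detect the combination the
# report describes (server.max-fds set in lighttpd.conf while the SELinux
# boolean httpd_setrlimit is off), which ends in a denied setrlimit call.

# Print the active (uncommented) server.max-fds value from config text on
# stdin; prints nothing if the directive is absent or commented out.
lighttpd_max_fds() {
    sed -n 's/^[[:space:]]*server\.max-fds[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Current state of the boolean: "on", "off", or "unknown" when getsebool is
# not available (non-SELinux host), so the check still runs everywhere.
httpd_setrlimit_state() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool httpd_setrlimit 2>/dev/null | awk '{print $NF}'
    else
        echo unknown
    fi
}

# $1 = lighttpd config text, $2 = boolean state ("on", "off" or "unknown").
# Returns 0 when the config and the policy agree, 1 when server.max-fds is
# set but httpd_setrlimit is off (the failure the report describes).
check_maxfds_vs_selinux() {
    fds=$(printf '%s\n' "$1" | lighttpd_max_fds)
    if [ -z "$fds" ]; then
        echo "server.max-fds not set: lighttpd keeps its default fd limit"
        return 0
    fi
    case "$2" in
        on)
            echo "server.max-fds = $fds and httpd_setrlimit is on: permitted"
            return 0 ;;
        off)
            echo "server.max-fds = $fds but httpd_setrlimit is off: setrlimit will be denied;"
            echo "fix with: setsebool -P httpd_setrlimit on"
            return 1 ;;
        *)
            echo "server.max-fds = $fds; SELinux boolean state unknown on this host"
            return 0 ;;
    esac
}

# Constructed sample configs (not the package's real files).
# The shipped default described in the report: directive commented out.
DEFAULT_CONF='## With SELinux enabled, this is denied by default and needs to be allowed
## by running the following once : setsebool -P httpd_setrlimit on
#server.max-fds = 2048'

# A configuration where an administrator raised the limit for a busy site.
TUNED_CONF='server.document-root = "/var/www/lighttpd"
server.max-fds = 4096'

# Against a live host the call would be:
#   check_maxfds_vs_selinux "$(cat /etc/lighttpd/lighttpd.conf)" "$(httpd_setrlimit_state)"
check_maxfds_vs_selinux "$TUNED_CONF" "$(httpd_setrlimit_state)"
status=$?
echo "check exit status: $status"
```

The parser deliberately ignores the commented-out `#server.max-fds = 2048` line that the 1.4.28 package ships, so a default install passes; only a live directive combined with the boolean off is reported as the setrlimit denial. Running it with the boolean on, or after `setsebool -P httpd_setrlimit on` as the shipped comment suggests, makes the same tuned configuration pass.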