Bug 637182
| Summary: | RFE : Please would you backport the httpd_setrlimit boolean to RHEL 5 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Mark Chappell <tremble> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 5.5 | CC: | dwalsh, ebenes, fcami, fdc, mmalik, syeghiay |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-2.4.6-286.el5 | Doc Type: | Enhancement |
| Doc Text: | The "httpd_setrlimit" boolean has been added to allow the httpd service to change its maximum limit of the file descriptors. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-01-13 21:50:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Mark Chappell
2010-09-24 14:39:48 UTC
+1

Fixed in selinux-policy-2.4.6-286.el5.noarch. Preview release available on http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Miroslav, I've upgraded the following packages:

```text
selinux-policy-2.4.6-286.el5
selinux-policy-targeted-2.4.6-286.el5
```

from http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ and toggled the httpd_setrlimit boolean to on:

```text
httpd_setrlimit --> on
```

However, starting lighttpd with the following line added to lighttpd.conf:

```text
server.max-fds = 2048
```

still yields the AVC:

```text
type=AVC msg=audit(1287058037.298:140): avc: denied { sys_resource } for pid=2394 comm="lighttpd" capability=24 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=capability
```

even after forcing a system-wide relabel. I have checked that lighttpd and httpd have the same contexts:

```text
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/lighttpd
```

Setting Enforcing to 0 (setenforce 0) allows lighttpd to start normally.

I have just tried on Fedora 13 and the same problem is present there, so I am not sure that the httpd_setrlimit boolean works as expected.

The problem is the boolean just contains the following rule:

```text
allow httpd_t self:process setrlimit;
```

If you execute the following

```shell
# grep httpd /var/log/audit/audit.log | audit2allow -M myapache
# semodule -i myapache.pp
```

does it work in enforcing mode then?

Thanks for getting back to me so fast. Indeed, that fixes the problem. Here is myapache.te:

```text
###########################################
module myapache 1.0;

require {
        type httpd_t;
        class capability sys_resource;
}

#============= httpd_t ==============
allow httpd_t self:capability sys_resource;
###########################################
```

Any chance your system is running out of system resources? I.e. disk space > 90% utilized? Or is lighttpd actually modifying system resources?

```c
/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so you can
   override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

#define CAP_SYS_RESOURCE     24
```

I guess it is caused by the server.max-fds option. "As lighttpd is a single-threaded server, its main resource limit is the number of file descriptors, which is set to 1024 by default (on most systems)."

What I am trying to do is to use lighttpd's server.max-fds, as in:

```text
server.max-fds = 4096
```

(the documentation of which is available at http://redmine.lighttpd.net/wiki/1/Server.max-fdsDetails )

There isn't any lack of disk resources:

```text
Filesystem                              Size  Used Avail Use% Mounted on
/dev/mapper/alphatauri3-root            960M  377M  533M  42% /
/dev/mapper/alphatauri3-home            960M   93M  816M  11% /home
/dev/mapper/alphatauri3-tmp             720M   17M  665M   3% /tmp
/dev/mapper/alphatauri3-var             960M   63M  847M   7% /var
/dev/mapper/alphatauri3-varlibmysql     1.9G   88M  1.7G   5% /var/lib/mysql
/dev/mapper/alphatauri3-usr             3.8G  971M  2.7G  27% /usr
/dev/mapper/alphatauri3-vartmpcoredump  1.9G   67M  1.8G   4% /var/tmp/coredump
/dev/mapper/alphatauri3-varlog          3.8G  147M  3.5G   5% /var/log
/dev/mapper/alphatauri3-varcache        960M  248M  662M  28% /var/cache
/dev/mapper/alphatauri3-varwww          960M   44M  866M   5% /var/www
/dev/vda1                               289M   24M  251M   9% /boot
tmpfs                                   502M     0  502M   0% /dev/shm
```

The exact error while starting lighttpd is:

```text
Starting lighttpd: 2010-10-14 16:10:39: (server.c.715) couldn't set 'max filedescriptors' Operation not permitted
```

This is lighttpd-1.4.26-2.el5 from Fedora EPEL.

You can add this for now using audit2allow to build your local policy. But the question is: should we give this along with the boolean? Or should we just make this a local customization?

Yes Daniel, I use audit2allow to tweak the policy.

My opinion is that Fedora ships lighttpd and this is a well-used feature of that webserver, so Fedora's SELinux policy should cover it.

RHEL may be a different story, since Red Hat doesn't ship lighttpd in RHEL. But EPEL provides it, and without a working server.max-fds, lighttpd is a bit crippled on RHEL5. I'm all for adding the sys_resource capability in the boolean.

Alternatively, we could include the module in lighttpd's srpm, and ship it alongside the server (much like pure-ftpd does).

(In reply to comment #13)
> Yes Daniel, I use audit2allow to tweak the policy.
>
> My opinion is that Fedora ships lighttpd and this is a well-used feature of
> that webserver, so Fedora's SELinux policy should cover it.
>

Sounds reasonable to add it.

> RHEL may be a different story, since Red Hat doesn't ship lighttpd in RHEL.
> But EPEL provides it, and without a working server.max-fds, lighttpd is a bit
> crippled on RHEL5. I'm all for adding the sys_resource capability in the
> boolean.
>
> Alternatively, we could include the module in lighttpd's srpm, and ship it
> alongside the server (much like pure-ftpd does).

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
The "httpd_setrlimit" boolean has been added to allow the httpd service to change its maximum limit of the file descriptors.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html
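The thread turns on one detail: the first version of the httpd_setrlimit boolean granted `allow httpd_t self:process setrlimit;`, but the denial lighttpd hit was in the `capability` class (`sys_resource`, capability number 24), which that rule does not touch, so the boolean had to be extended. The script below is an added example, not code from the bug report or from the selinux-policy package: it parses AVC records in the format quoted above, checks each denial against a list of allow rules, and prints the minimal rule for anything still uncovered (the same rule audit2allow produced here). It handles only plain type names as source and target (`self` included), not attributes, conditionals or MLS ranges; the sample log, the SYSCALL line and the capability-number table beyond CAP_SYS_RESOURCE are constructed for the example.

```python
"""Triage SELinux AVC denials against the allow rules a policy already grants.

Added example, not the bug report's or the selinux-policy package's code.
Scope: plain type names only (attributes, conditionals and MLS ranges are
not modelled), which is enough to explain the denial in the report.
"""
import re

# Constructed sample log: the AVC record quoted in the report plus one
# non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1287058037.298:140): avc: denied { sys_resource } for pid=2394 comm="lighttpd" capability=24 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1287058037.298:140): arch=c000003e syscall=160 success=no exit=-1
"""

# Subset of the kernel capability numbers (linux/capability.h). The report
# quotes the CAP_SYS_RESOURCE entry; the others are listed for context.
CAPABILITY_NAMES = {
    10: "net_bind_service", 12: "net_admin", 13: "net_raw",
    18: "sys_chroot", 19: "sys_ptrace", 21: "sys_admin",
    23: "sys_nice", 24: "sys_resource", 25: "sys_time",
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*?)\s*\}|(\S+?))\s*;$")


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; the type is what allow rules name.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    if rec.get("tclass") == "capability" and "capability" in rec:
        rec["capability_name"] = CAPABILITY_NAMES.get(int(rec["capability"]))
    return rec


def parse_allow_rule(rule):
    """Parse 'allow SRC TGT:CLASS PERM;' or 'allow SRC TGT:CLASS { P1 P2 };'."""
    m = RULE_RE.match(rule.strip())
    if m is None:
        raise ValueError("unsupported rule syntax: %r" % rule)
    source, target, tclass, many, single = m.groups()
    perms = set(many.split()) if many is not None else {single}
    return {"source": source, "target": target, "tclass": tclass, "perms": perms}


def rule_covers(rule, avc):
    """True if the allow rule grants every permission the AVC record denied."""
    r = parse_allow_rule(rule)
    # 'self' means the target type must equal the source type of the denial.
    target = avc["stype"] if r["target"] == "self" else r["target"]
    return (r["source"] == avc["stype"]
            and target == avc["ttype"]
            and r["tclass"] == avc["tclass"]
            and set(avc["perms"]) <= r["perms"])


def suggest_rule(avc):
    """The minimal allow rule for one denial, in the form audit2allow prints."""
    target = "self" if avc["ttype"] == avc["stype"] else avc["ttype"]
    perms = " ".join(sorted(avc["perms"]))
    if len(avc["perms"]) > 1:
        perms = "{ %s }" % perms
    return "allow %s %s:%s %s;" % (avc["stype"], target, avc["tclass"], perms)


def uncovered_denials(log_text, granted_rules):
    """List (record, suggested rule) for every AVC denial no granted rule covers."""
    result = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        if not any(rule_covers(rule, avc) for rule in granted_rules):
            result.append((avc, suggest_rule(avc)))
    return result


if __name__ == "__main__":
    before = ["allow httpd_t self:process setrlimit;"]  # what the boolean first granted
    after = before + ["allow httpd_t self:capability sys_resource;"]  # the added rule
    for label, rules in (("before", before), ("after", after)):
        missing = uncovered_denials(SAMPLE_AUDIT_LOG, rules)
        print("%s fix: %d uncovered denial(s)" % (label, len(missing)))
        for avc, rule in missing:
            print("  %s (capability %s = %s) -> %s"
                  % (avc["comm"], avc["capability"], avc["capability_name"], rule))
```

Run it as-is and the "before" pass reports the lighttpd denial with the suggested `allow httpd_t self:capability sys_resource;`, the "after" pass reports nothing. On a real system the same idea applies to `grep httpd /var/log/audit/audit.log`, with the rules list taken from `sesearch` output for the boolean; the point of keeping the check explicit rather than piping straight into audit2allow is that it makes visible whether a denial is a policy gap (a new class and permission, as here) or a label problem that relabelling would fix.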