When a web script (e.g. PHP) wants to make a child process run more gracefully and take fewer resources (by running it through 'nice'), it's actually prohibited from doing so since 'setsched' is forbidden in the SELinux targeted policy. It might make some slight sense to forbid setsched which increases priority (though this already shouldn't happen since httpd doesn't run as root), but forbidding setsched which decreases priority is counterproductive. Therefore, lowering-priority setsched should be allowed for httpd_sys_script_t. (If this doesn't make sense for RHEL4, on which I've tested it, please move it to Fedora instead.)
Fixed in 1.17.30-2.142
Can you reproduce this with the following RPM: http://people.redhat.com/dwalsh/SELinux/RHEL4/u5/noarch/selinux-policy-targeted-1.17.30-2.143.noarch.rpm
With your RPM, I'm still getting this: audit(1174642628.187:1078844): avc: denied { execute } for pid=28636 comm="nice" name="convert" dev=dm-0 ino=8236887 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_unconfined_script_exec_t tclass=file (trying to execute ImageMagick's convert)
This is a different problem. And it looks like you should be running your original script as httpd_unconfined_script_exec_t. Not just the end one. The avc indicates one cgi running as httpd_sys_script_t (the default for cgi scripts) is trying to execute a script labeled httpd_unconfined_script_exec_t. So I believe that your end goal is to run an unconfined cgi. The original script should be labeled httpd_unconfined_script_exec_t.
You are right. My /usr/bin/convert (ImageMagick) was erroneously labeled as httpd_unconfined_script_exec_t. After relabeling it to bin_t, everything (i.e. running it with "nice") works fine. Thanks.
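The two denials discussed in this report (the setsched request from the opening comment and the execute denial quoted above) are easy to confuse when triaging audit logs. The following parser is an added example, not part of the bug report or of the selinux-policy package: it splits an AVC record into its fields and flags the specific pattern the thread diagnosed, a confined httpd_sys_script_t CGI executing a file mislabeled httpd_unconfined_script_exec_t. The setsched sample line is constructed for illustration; the execute line is the one quoted in the thread.

```python
import re

# Constructed sample input: line 0 is the AVC record quoted in the thread,
# line 1 is a made-up setsched denial of the kind the opening comment describes.
SAMPLE_AVC = [
    'audit(1174642628.187:1078844): avc: denied { execute } for pid=28636 comm="nice" '
    'name="convert" dev=dm-0 ino=8236887 scontext=root:system_r:httpd_sys_script_t '
    'tcontext=system_u:object_r:httpd_unconfined_script_exec_t tclass=file',
    'audit(1174642000.000:1078800): avc: denied { setsched } for pid=28600 comm="nice" '
    'scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t '
    'tclass=process',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # A context looks like user:role:type[:level]; the type is what policy rules key on.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec


def triage(rec):
    """Classify a parsed denial against the two cases discussed in the thread."""
    if rec is None:
        return 'not-an-avc'
    src, tgt = rec.get('scontext_type'), rec.get('tcontext_type')
    if (rec.get('tclass') == 'file' and 'execute' in rec['perms']
            and src == 'httpd_sys_script_t' and tgt == 'httpd_unconfined_script_exec_t'):
        # Confined CGI executing a file labeled as an unconfined script: as in the
        # thread, the target (here /usr/bin/convert) is most likely mislabeled and
        # belongs in bin_t; this is a labeling fix, not a policy change.
        return 'mislabelled-target'
    if rec.get('tclass') == 'process' and 'setsched' in rec['perms']:
        # The priority-change denial the opening comment asks the policy to relax.
        return 'setsched-denied'
    return 'other'


if __name__ == '__main__':
    for line in SAMPLE_AVC:
        print(triage(parse_avc(line)), parse_avc(line))
```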
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0171.html