Description of problem:
The default SELinux policy in Fedora 12 does not allow lighttpd to set its own maximum open file descriptors.

###########################################
Steps to Reproduce:

# yum -y install lighttpd
(...)
# service lighttpd start
Starting lighttpd:                                         [  OK  ]
# cat /proc/`ps ax | grep lighttpd | grep -v grep | awk -F " " '{print $1}'`/limits | grep "Max open files"
Max open files            1024                 1024                 files
# echo "server.max-fds = 2048" >> /etc/lighttpd/lighttpd.conf
# service lighttpd restart
Stopping lighttpd:                                         [  OK  ]
Starting lighttpd: 2010-03-09 20:51:28: (server.c.712) couldn't set 'max filedescriptors' Operation not permitted
                                                           [FAILED]

###########################################
Actual results:
lighttpd does not start.

###########################################
Expected results:
lighttpd starts and is able to open 2048 file descriptors.

###########################################
Additional info:
Creating a SELinux module to allow lighttpd to set its own open fd limit is possible after enabling SELinux silent denials logging.

# /usr/sbin/semodule -DB
# service auditd restart
# service lighttpd restart
Stopping lighttpd:                                         [FAILED]
Starting lighttpd: 2010-03-09 21:11:28: (server.c.712) couldn't set 'max filedescriptors' Operation not permitted
                                                           [FAILED]
# grep lighttpd /var/log/audit/audit.log | audit2allow -M lighttpdmaxfds2
# semodule -i lighttpdmaxfds2.pp
# service lighttpd restart
Stopping lighttpd:                                         [FAILED]
Starting lighttpd:                                         [  OK  ]
# cat /proc/`ps ax | grep lighttpd | grep -v grep | awk -F " " '{print $1}'`/limits | grep "Max open files"
Max open files            2048                 2048                 files
(success!)
###########################################
semodule content:

module lighttpdmaxfds2 1.0;

require {
	type httpd_t;
	class process setrlimit;
	class capability sys_resource;
}

#============= httpd_t ==============
allow httpd_t self:capability sys_resource;
allow httpd_t self:process setrlimit;

###########################################
# grep lighttpd /var/log/audit/audit.log
type=AVC msg=audit(1268165186.530:57861): avc: denied { setrlimit } for pid=3793 comm="lighttpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1268165186.530:57861): arch=40000003 syscall=75 success=no exit=-13 a0=7 a1=bf87b14c a2=280ff4 a3=3 items=0 ppid=3792 pid=3793 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1268165422.052:57869): avc: denied { sys_resource } for pid=3851 comm="lighttpd" capability=24 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1268165422.052:57869): arch=40000003 syscall=75 success=no exit=-1 a0=7 a1=bfddb68c a2=36bff4 a3=3 items=0 ppid=3850 pid=3851 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1268165488.391:57880): avc: denied { sys_resource } for pid=3916 comm="lighttpd" capability=24 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1268165488.391:57880): arch=40000003 syscall=75 success=no exit=-1 a0=7 a1=bfb14d8c a2=4faff4 a3=3 items=0 ppid=3915 pid=3916 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
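The report's workflow is: capture the AVC denials, feed them to audit2allow, and load the resulting module. The following is an added example (not part of the bug report and not audit2allow's own code) that shows what audit2allow is doing under the hood for records like the ones quoted above: it parses each type=AVC line, skips the SYSCALL records, keys the denied permissions by (source type, target type, object class), collapses a same-type target into "self", and renders the same require block and allow rules the lighttpdmaxfds2 module contains. The sample log is constructed from the three AVC records quoted in the report. Being able to read the denials yourself is useful for checking that a generated module grants only the permissions the failing operation actually needs (here setrlimit on the process and the sys_resource capability) before loading it; where the policy ships a boolean for the case, as later comments note for httpd_setrlimit, that boolean is the smaller change.

```python
"""Parse SELinux AVC denial records and derive the minimal TE allow rules.

Added example for this bug report; it is not audit2allow, only a small
re-implementation of the part of its logic the report relies on.
"""
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in the report plus one
# SYSCALL record, which carries no denial and must be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1268165186.530:57861): avc: denied { setrlimit } for pid=3793 comm="lighttpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1268165186.530:57861): arch=40000003 syscall=75 success=no exit=-13 a0=7 a1=bf87b14c a2=280ff4 a3=3 items=0 ppid=3792 pid=3793 auid=500 uid=0 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1268165422.052:57869): avc: denied { sys_resource } for pid=3851 comm="lighttpd" capability=24 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1268165488.391:57880): avc: denied { sys_resource } for pid=3916 comm="lighttpd" capability=24 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
"""

# "avc: denied { perm1 perm2 } for key=value ..." -- the permission set and the trailing fields
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values are either quoted (comm="lighttpd") or bare (tclass=process)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, set_of_perms) for one AVC denial, else None."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        # A context is user:role:type:level; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, set(m.group("perms").split())


def collect_denials(log_text):
    """Aggregate denied permissions per (source type, target type, class) over the whole log."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            denials[(stype, ttype, tclass)] |= perms
    return denials


def _perm_text(perms):
    """Render a permission set the way TE syntax expects: bare word or braced list."""
    text = " ".join(sorted(perms))
    return "{ %s }" % text if len(perms) > 1 else text


def allow_rules(denials):
    """One allow rule per (source, target, class); a target of the same type becomes 'self'."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        target = "self" if ttype == stype else ttype
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, _perm_text(perms)))
    return rules


def render_module(name, version, denials):
    """Assemble loadable-policy source (.te) in the same layout audit2allow -M produces."""
    types = sorted({s for s, _, _ in denials} | {t for _, t, _ in denials})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass] |= perms
    lines = ["module %s %s;" % (name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s %s;" % (c, _perm_text(p)) for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Prints the same rules the report's lighttpdmaxfds2 module contains.
    print(render_module("lighttpdmaxfds2", "1.0", collect_denials(SAMPLE_AUDIT_LOG)))
```

Run it as a script to see the rendered module; pipe real audit.log content into collect_denials to review what a module would grant before running audit2allow and semodule -i on a production host.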
I forgot to say: increasing server.max-fds is advisable when lighttpd is used to serve dynamic content (php, fcgi, etc) for busy domains, as per lighty's documentation: http://redmine.lighttpd.net/wiki/1/Docs:Performance
FYI this is fixed in Fedora 13, with the httpd_setrlimit boolean.
Miroslav, can you backport this?
Fixed in selinux-policy-3.6.32-121.fc12
selinux-policy-3.6.32-121.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-121.fc12
selinux-policy-3.6.32-121.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-121.fc12
selinux-policy-3.6.32-121.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.