Bug 572175 - lighttpd's server.max-fds conflicts with SELinux policy
Summary: lighttpd's server.max-fds conflicts with SELinux policy
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: lighttpd
Version: el5
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Matthias Saou
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-03-10 13:34 UTC by François Cami
Modified: 2011-07-11 14:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 571924
Environment:
Last Closed: 2011-07-11 14:22:01 UTC
Type: ---
Embargoed:


Links
Red Hat Bugzilla 637182 (priority medium, status CLOSED): RFE: Please would you backport the httpd_setrlimit boolean to RHEL 5 (last updated 2021-02-22 00:41:40 UTC)

Description François Cami 2010-03-10 13:34:54 UTC
+++ This bug was initially created as a clone of Bug #571924 +++
Verified on up-to-date RHEL 5.4 + EPEL as of 2010-03-09

Description of problem:
The default SELinux policy in Fedora 12 does not allow lighttpd to set its own maximum open file descriptors. Increasing server.max-fds is advisable when lighttpd is used to serve dynamic content (php, fcgi, etc) for busy domains, as per lighty's documentation:
http://redmine.lighttpd.net/wiki/1/Docs:Performance

###########################################
Steps to Reproduce:
# yum -y install lighttpd
(...)
# service lighttpd start   
# echo "server.max-fds = 2048" >> /etc/lighttpd/lighttpd.conf 
# service lighttpd restart
Stopping lighttpd:                                         [  OK  ]
Starting lighttpd: (...) couldn't set 'max filedescriptors' Operation not permitted                                                  [FAILED]

###########################################
Actual results:
lighttpd does not start.
###########################################
Expected results:
lighttpd starts and is able to open 2048 file descriptors.
###########################################
Additional info:
Creating a SELinux module to allow lighttpd to set its own open fd limit is possible after enabling SELinux silent denials logging.

# /usr/sbin/semodule -DB
# service auditd restart
# service lighttpd restart
Stopping lighttpd:                                         [FAILED]
Starting lighttpd: (...) couldn't set 'max filedescriptors' Operation not permitted                                                  [FAILED]
# grep lighttpd /var/log/audit/audit.log | audit2allow -M lighttpdmaxfds2
# semodule -i lighttpdmaxfds2.pp
# service lighttpd restart
Stopping lighttpd:                                         [FAILED]
Starting lighttpd:                                         [  OK  ]
# cat /proc/`ps ax | grep lighttpd | grep -v grep | awk -F " " '{print $1}'`/limits |grep "Max open files"
Max open files            2048                 2048                 files 

(success!).
###########################################

Comment 1 Mark Chappell 2010-09-24 09:10:38 UTC
This isn't really a bug in lighttpd.  Both lighttpd and SELinux are functioning as they should, and this isn't a default setting in EPEL that's breaking things.  

Modifying the SELinux policy for http_t *really* should not be done in EPEL.

If you need this functionality in RHEL 5 I suggest you file an RFE against SELinux policy on RHEL for them to backport the httpd_setrlimit boolean into RHEL 5.

Comment 2 Daniel Walsh 2010-09-24 13:23:31 UTC
It is fairly easy to add this rule using audit2allow to build a custom policy.

Comment 3 François Cami 2010-09-24 13:37:31 UTC
Daniel,
Yes, definitely. Thank you.

Comment 4 Mark Chappell 2010-09-24 14:14:24 UTC
Dan, would that really be something that it's appropriate for an EPEL package to do though?

Easy, yes, but modifying the SELinux policy to allow something that's blocked for httpd_t for a good reason?

Comment 5 Mark Chappell 2010-09-24 14:27:31 UTC
Okay, so I had a short conversation with Daniel on IRC.

The suggestion is to file an RFE on the selinux-policy for that boolean to get backported (I'll do that) and to create a README.Fedora (or possibly README.epel) explaining how to enable it for now with a local policy.

Comment 6 Mark Chappell 2010-10-02 10:25:16 UTC
Note: Preview release of the appropriate SELinux modification has been made available from http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 7 Matthias Saou 2011-07-11 14:22:01 UTC
I'm going to close this, as it's not really meant to be against lighttpd in the first place anyway. I am including minor changes in the 1.4.28 packages to make this problem easier to handle, though:
 * The server.max-fds line of the configuration is commented out by default, in order to make lighttpd work "out of the box": normal sized installs should work just fine now.
 * For anyone requiring a higher number of connections, the following has been added to the default configuration file in order to know why just changing server.max-fds won't be enough:

## With SELinux enabled, this is denied by default and needs to be allowed
## by running the following once : setsebool -P httpd_setrlimit on
#server.max-fds = 2048

I've tested on F14 and EL6 and it works fine. I'm unsure about EL5.6.
I expect to be making more changes to the lighttpd package over the next few days (F15 systemd service file), but once all changes are done and tested, I'll push 1.4.28 updates to most branches (EL ones included, in testing).
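The two fixes discussed above, the reporter's audit2allow-built local module in the description and the `setsebool -P httpd_setrlimit on` line Matthias added to the default configuration, can be combined into one script. The following is an added example and is not code from the bug report, from the EPEL lighttpd package, or from selinux-policy. It assumes what the thread states: lighttpd runs in the httpd_t domain, and newer policy gates the permission behind the httpd_setrlimit boolean. The module name lighttpd_setrlimit, the function names and the sample AVC line are this example's own; the two allow rules are the ones the httpd_setrlimit boolean toggles in the reference policy (setrlimit on its own process, plus the sys_resource capability needed to raise the hard limit). Unlike `audit2allow -M` over the whole audit log, the hand-written module grants only those two permissions.

```shell
#!/bin/sh
# Added example (not from the bug report or the lighttpd package): let lighttpd,
# running as httpd_t, raise its own fd limit (server.max-fds) under SELinux.
#   1. Policy with the httpd_setrlimit boolean (F14, EL6, the RHEL 5 backport
#      requested in bug 637182): flip the boolean, nothing else needed.
#   2. Policy without it (stock RHEL 5 at the time): load a minimal local
#      module instead of feeding the whole audit log to audit2allow.

# Type-enforcement source for the local module. These are the two rules the
# httpd_setrlimit boolean toggles in the reference policy; the second one is
# only needed when the configured limit exceeds the current hard limit.
lighttpd_setrlimit_te() {
    cat <<'EOF'
module lighttpd_setrlimit 1.0;

require {
    type httpd_t;
    class process setrlimit;
    class capability sys_resource;
}

# lighttpd (httpd_t) calls setrlimit(RLIMIT_NOFILE) for server.max-fds
allow httpd_t self:process setrlimit;
allow httpd_t self:capability sys_resource;
EOF
}

# Return 0 if an audit.log line is the denial this bug is about: setrlimit
# denied for a process in the httpd_t domain. Lines for other permissions or
# other domains return 1, so the check does not over-match the log.
is_setrlimit_denial() {
    case "$1" in
        *denied*"{ setrlimit }"*scontext=*:httpd_t*tclass=process*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pick the strategy from the output of `getsebool httpd_setrlimit`:
# "boolean" when the running policy knows the boolean, "module" otherwise
# (getsebool then prints an error instead of "httpd_setrlimit --> off").
setrlimit_strategy() {
    case "$1" in
        "httpd_setrlimit --> "*) echo boolean ;;
        *) echo module ;;
    esac
}

# Apply the strategy on a real host (root, policycoreutils and checkpolicy
# required). Only runs when the script is invoked with --apply.
enable_lighttpd_setrlimit() {
    strategy=$(setrlimit_strategy "$(getsebool httpd_setrlimit 2>&1)")
    if [ "$strategy" = boolean ]; then
        # -P persists the boolean across reboots and policy reloads.
        setsebool -P httpd_setrlimit on
    else
        tmp=$(mktemp -d) || return 1
        lighttpd_setrlimit_te > "$tmp/lighttpd_setrlimit.te"
        checkmodule -M -m -o "$tmp/lighttpd_setrlimit.mod" "$tmp/lighttpd_setrlimit.te" &&
        semodule_package -o "$tmp/lighttpd_setrlimit.pp" -m "$tmp/lighttpd_setrlimit.mod" &&
        semodule -i "$tmp/lighttpd_setrlimit.pp"
        rc=$?
        rm -rf "$tmp"
        return $rc
    fi
}

# Constructed sample of the AVC line that shows up in /var/log/audit/audit.log
# once `semodule -DB` has disabled the dontaudit rules (not a real capture).
SAMPLE_AVC='type=AVC msg=audit(1268228094.512:310): avc:  denied  { setrlimit } for  pid=4321 comm="lighttpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process'

if is_setrlimit_denial "$SAMPLE_AVC"; then
    echo "sample line is the setrlimit denial for httpd_t"
fi

if [ "${1:-}" = --apply ]; then
    enable_lighttpd_setrlimit
fi
```

Run it with `--apply` as root after reproducing the failed restart; afterwards `service lighttpd restart` should succeed and `/proc/<pid>/limits` should show the configured "Max open files", as in the reporter's check. Because the module is scoped to httpd_t, it also relaxes the limit for Apache httpd on the same host, which is the trade-off Mark Chappell objects to making in a package default.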

