Bug 637182 - RFE : Please would you backport the httpd_setrlimit boolean to RHEL 5
Summary: RFE : Please would you backport the httpd_setrlimit boolean to RHEL 5
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.5
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-09-24 14:39 UTC by Mark Chappell
Modified: 2012-10-16 11:07 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-2.4.6-286.el5
Doc Type: Enhancement
Doc Text:
The "httpd_setrlimit" boolean has been added to allow the httpd service to change its maximum limit of the file descriptors.
Clone Of:
Environment:
Last Closed: 2011-01-13 21:50:29 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0026 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-01-12 16:11:15 UTC

Internal Links: 572175

Description Mark Chappell 2010-09-24 14:39:48 UTC
With RHEL 6 the httpd_setrlimit boolean was added to allow apache httpd and company to change their max file descriptor limits.  Please could we have this boolean backported to RHEL5.

Comment 1 François Cami 2010-09-24 14:53:10 UTC
+1

Comment 2 Miroslav Grepl 2010-10-01 09:09:29 UTC
Fixed in selinux-policy-2.4.6-286.el5.noarch.

Comment 4 Miroslav Grepl 2010-10-01 12:57:33 UTC
Preview release available on 

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 6 François Cami 2010-10-14 12:14:24 UTC
Miroslav,

I've upgraded the following packages:
 selinux-policy-2.4.6-286.el5
 selinux-policy-targeted-2.4.6-286.el5
from http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

toggled the httpd_setrlimuit boolean to on:
 httpd_setrlimit --> on

However, starting lighttpd with the following line added to lighttpd.conf:
 server.max-fds = 2048

still yields the AVC:
 type=AVC msg=audit(1287058037.298:140): avc:  denied  { sys_resource } for  pid=2394 comm="lighttpd" capability=24 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=capability

even after forcing a system-wide relabel.

I have checked that lighttpd and httpd have the same contexts:
 -rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
 -rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/lighttpd

Setting Enforcing to 0 (setenforce 0) allows lighttpd to start normally.

I have just tried on Fedora 13 and the same problem is present there, so I am not sure that the httpd_setrlimit boolean works as expected.

Comment 7 Miroslav Grepl 2010-10-14 12:48:34 UTC
The problem is the boolean just contains the following rule

allow httpd_t self:process setrlimit;


If you execute the following

# grep httpd /var/log/audit/audit.log | audit2allow -M myapache
# semodule -i myapache.pp

does it work in enforcing mode then?

Comment 8 François Cami 2010-10-14 13:01:11 UTC
Thanks for getting back to me so fast.

Indeed, that fixes the problem. Here is myapache.te:
###########################################
module myapache 1.0;

require {
	type httpd_t;
	class capability sys_resource;
}

#============= httpd_t ==============
allow httpd_t self:capability sys_resource;
###########################################

Comment 9 Daniel Walsh 2010-10-14 14:00:32 UTC
Any chance your system is running out of system resources?  IE Disk space > 90% utilized?  Or is lighthttp actually modifying system resources.

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

#define CAP_SYS_RESOURCE     24

Comment 10 Miroslav Grepl 2010-10-14 14:11:04 UTC
I guess it is caused by server.max-fds option.


"As lighttpd is a single-threaded server, its main resource limit is the number of file descriptors, which is set to 1024 by default (on most systems)."

Comment 11 François Cami 2010-10-14 14:44:04 UTC
What I am trying to do is to use lighttpd' server.max-fds, as in:
 server.max-fds = 4096
(the documentation of which is available at http://redmine.lighttpd.net/wiki/1/Server.max-fdsDetails )

There isn't any lack of disk resources:
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/alphatauri3-root
                      960M  377M  533M  42% /
/dev/mapper/alphatauri3-home
                      960M   93M  816M  11% /home
/dev/mapper/alphatauri3-tmp
                      720M   17M  665M   3% /tmp
/dev/mapper/alphatauri3-var
                      960M   63M  847M   7% /var
/dev/mapper/alphatauri3-varlibmysql
                      1.9G   88M  1.7G   5% /var/lib/mysql
/dev/mapper/alphatauri3-usr
                      3.8G  971M  2.7G  27% /usr
/dev/mapper/alphatauri3-vartmpcoredump
                      1.9G   67M  1.8G   4% /var/tmp/coredump
/dev/mapper/alphatauri3-varlog
                      3.8G  147M  3.5G   5% /var/log
/dev/mapper/alphatauri3-varcache
                      960M  248M  662M  28% /var/cache
/dev/mapper/alphatauri3-varwww
                      960M   44M  866M   5% /var/www
/dev/vda1             289M   24M  251M   9% /boot
tmpfs                 502M     0  502M   0% /dev/shm

The exact error while starting lighttpd is:
 Starting lighttpd: 2010-10-14 16:10:39: (server.c.715) couldn't set 'max filedescriptors' Operation not permitted 

This is lighttpd-1.4.26-2.el5 from Fedora EPEL.

Comment 12 Daniel Walsh 2010-10-14 19:18:13 UTC
You can add this for now using audit2allow to build your local policy.  But the question is should we give this along with the boolean?  Or should we just make this a local customization?

Comment 13 François Cami 2010-10-14 19:54:11 UTC
Yes Daniel, I use audit2allow to tweak the policy.

My opinion is that Fedora ships lighttpd and this is a well-used feature of that webserver, so Fedora's SELinux policy should cover it.

RHEL may be a different story, since Red Hat doesn't ship lighttpd in RHEL.
But EPEL provides it, and without a working server.max-fds, lighttpd is a bit crippled on RHEL5. I'm all for adding the sys_resource capability in the boolean.

Alternatively, we could include the module in lighttpd's srpm, and ship it alongside the server (much like pure-ftpd does).

Comment 15 Miroslav Grepl 2010-10-15 11:03:54 UTC
(In reply to comment #13)
> Yes Daniel, I use audit2allow to tweak the policy.
> 
> My opinion is that Fedora ships lighttpd and this is a well-used feature of
> that webserver, so Fedora's SELinux policy should cover it.
> 

Sounds reasonably to add it.

> RHEL may be a different story, since Red Hat doesn't ship lighttpd in RHEL.
> But EPEL provides it, and without a working server.max-fds, lighttpd is a bit
> crippled on RHEL5. I'm all for adding the sys_resource capability in the
> boolean.
> 
> Alternatively, we could include the module in lighttpd's srpm, and ship it
> alongside the server (much like pure-ftpd does).

Comment 16 Jaromir Hradilek 2011-01-05 16:20:47 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
The "httpd_setrlimit" boolean has been added to allow the httpd service to change its maximum limit of the file descriptors.

Comment 18 errata-xmlrpc 2011-01-13 21:50:29 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html


Note You need to log in before you can comment on or make changes to this bug.