From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Fri, 20 Apr 2012 17:45:15 +0200
Subject: [refpolicy] [PATCH 1/1] Allow httpd_t to change its system resources
Message-ID: <20120420154515.GA4718@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When using lighttpd and server.max-fds is set, then the httpd_t domain requires the setrlimit (process) and sys_resource
(capability) privileges. As per fedora's (and now also Gentoo's) implementation we support this through a boolean called
"httpd_setrlimit" which is by default off).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 apache.te |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/apache.te b/apache.te
index 5b02edb..dfd3ca7 100644
--- a/apache.te
+++ b/apache.te
@@ -100,6 +100,13 @@ gen_tunable(httpd_enable_homedirs, false)
 
 ## <desc>
 ## <p>
+## Allow httpd daemon to change its resource limits
+## </p>
+## </desc>
+gen_tunable(httpd_setrlimit, false)
+
+## <desc>
+## <p>
 ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
 ## </p>
 ## </desc>
@@ -487,6 +494,11 @@ tunable_policy(`httpd_can_sendmail',`
 	mta_send_mail(httpd_t)
 ')
 
+tunable_policy(`httpd_setrlimit',`
+	allow httpd_t self:process setrlimit;
+	allow httpd_t self:capability sys_resource;
+')
+
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
-- 
1.7.3.4