From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 4 May 2012 08:44:44 -0400 Subject: [refpolicy] [PATCH 1/1] Allow httpd_t to change its system resources In-Reply-To: <20120420154515.GA4718@siphos.be> References: <20120420154515.GA4718@siphos.be> Message-ID: <4FA3CF3C.4020809@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/20/12 11:45, Sven Vermeulen wrote: > When using lighttpd and server.max-fds is set, then the httpd_t domain requires the setrlimit (process) and sys_resource > (capability) privileges. As per fedora's (and now also Gentoo's) implementation we support this through a boolean called > "httpd_setrlimit" which is by default off). Merged. > Signed-off-by: Sven Vermeulen > --- > apache.te | 12 ++++++++++++ > 1 files changed, 12 insertions(+), 0 deletions(-) > > diff --git a/apache.te b/apache.te > index 5b02edb..dfd3ca7 100644 > --- a/apache.te > +++ b/apache.te > @@ -100,6 +100,13 @@ gen_tunable(httpd_enable_homedirs, false) > > ## > ##

> +## Allow httpd daemon to change its resource limits > +##

> +##
> +gen_tunable(httpd_setrlimit, false) > + > +## > +##

> ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. > ##

> ##
> @@ -487,6 +494,11 @@ tunable_policy(`httpd_can_sendmail',` > mta_send_mail(httpd_t) > ') > > +tunable_policy(`httpd_setrlimit',` > + allow httpd_t self:process setrlimit; > + allow httpd_t self:capability sys_resource; > +') > + > tunable_policy(`httpd_ssi_exec',` > corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) > allow httpd_sys_script_t httpd_t:fd use; -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
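Review bot: the tunable description in the first hunk, "Allow httpd daemon to change its resource limits", understates what the boolean turns on: the matching tunable_policy block also grants self:capability sys_resource, and CAP_SYS_RESOURCE lets the process raise hard limits and bypass other kernel resource checks rather than merely adjust its own soft limits. Suggest widening the description, for example "Allow httpd daemon to change its resource limits (setrlimit) and override hard limits via the sys_resource capability", so an administrator scanning the boolean list can judge the size of the grant before enabling it.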
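Review bot: in the second hunk the two allow rules are bundled, but only self:process setrlimit is needed when lighttpd's server.max-fds stays within the hard RLIMIT_NOFILE that httpd_t already inherits; sys_resource is only required to push the hard limit up. Since the commit message names max-fds as the motivation, consider stating this in the tunable description or in a comment above the block, so administrators whose initscript or unit file already sets an adequate hard limit can leave the boolean off and keep the capability out of httpd_t.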