From: dsugar@tresys.com (David Sugar)
Date: Wed, 13 Sep 2017 20:34:15 +0000
Subject: [refpolicy] [PATCH 1/1] Add int_rlimit_inherit interface
Message-ID: <1B50C12ACFF4CB42B90D2581155DF50205B5D882@Exchange10.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Create new interface init_rlimit_inherit to allow a process started by init to inherit resource limits.  systemd allows for setting of resource limits [1] but the default from SELinux is to not allow the inheritance of those limits as a service is started.  This interface allows that resource limit inheritance.  

The systemd .service options are LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=, LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=, LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=, LimitRTTIME=

[1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/init.if | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 09a20311..bf6e37bc 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -712,6 +712,29 @@ interface(`init_getpgid',`
 
 ########################################
 ## <summary>
+##	Allow process to inherit resource limits.
+## </summary>
+## <p>
+##	This is applicable with systemd when using the
+##	options to limit resources - see 
+##  https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitMSGQUEUE=
+## </p>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rlimit_inherit',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:process rlimitinh;
+')
+
+########################################
+## <summary>
 ##	Send init a generic signal.
 ## </summary>
 ## <param name="domain">
-- 
2.13.5