From: dsugar@tresys.com (David Sugar) Date: Wed, 13 Sep 2017 20:34:15 +0000 Subject: [refpolicy] [PATCH 1/1] Add int_rlimit_inherit interface Message-ID: <1B50C12ACFF4CB42B90D2581155DF50205B5D882@Exchange10.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Create new interface init_rlimit_inherit to allow a process started by init to inherit resource limits. systemd allows for setting of resource limits [1] but the default from SELinux is to not allow the inheritance of those limits as a service is started. This interface allows that resource limit inheritance. The systemd .service options are LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=, LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=, LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=, LimitRTTIME= [1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html Signed-off-by: Dave Sugar --- policy/modules/system/init.if | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 09a20311..bf6e37bc 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -712,6 +712,29 @@ interface(`init_getpgid',` ######################################## ## +## Allow process to inherit resource limits. +## +##

+## This is applicable with systemd when using the +## options to limit resources - see +## https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitMSGQUEUE= +##

+## +## +## Domain allowed access. +## +## +# +interface(`init_rlimit_inherit',` + gen_require(` + type init_t; + ') + + allow $1 init_t:process rlimitinh; +') + +######################################## +## ## Send init a generic signal. ## ## -- 2.13.5
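Review bot: The allow rule in `init_rlimit_inherit` appears to be in the wrong direction. The kernel checks `rlimitinh` at domain transition with the old SID as the source and the new SID as the target (in `selinux_bprm_committing_creds`, `avc_has_perm(osid, sid, process, rlimitinh)`), so for a service transitioning from `init_t` to `$1` the rule needs to be `allow init_t $1:process rlimitinh;` rather than `allow $1 init_t:process rlimitinh;`. As written, the limits set via the `Limit*=` options would still be silently reset to the defaults, and the denial would show up as an AVC with `scontext` of `init_t` and `tcontext` of the service domain. Two smaller points: the subject line says `int_rlimit_inherit` while the interface is named `init_rlimit_inherit`, and the `<desc>` link anchors on `#LimitMSGQUEUE=`, which is only one of the sixteen options the commit message lists; linking the page generically (or the `LimitCPU=` entry where the whole family is documented) would be less confusing for readers of the interface description.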