From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 13 Sep 2017 18:57:05 -0400
Subject: [refpolicy] [PATCH 1/1] Add int_rlimit_inherit interface
In-Reply-To: <1B50C12ACFF4CB42B90D2581155DF50205B5D882@Exchange10.columbia.tresys.com>
References: <1B50C12ACFF4CB42B90D2581155DF50205B5D882@Exchange10.columbia.tresys.com>
Message-ID: <5da28c67-f885-12b1-26d2-028dc87f2a0e@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/13/2017 04:34 PM, David Sugar via refpolicy wrote:
> Create new interface init_rlimit_inherit to allow a process started by init to inherit resource limits.  systemd allows for setting of resource limits [1] but the default from SELinux is to not allow the inheritance of those limits as a service is started.  This interface allows that resource limit inheritance.
> 
> The systemd .service options are LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=, LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=, LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=, LimitRTTIME=
> 
> [1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/system/init.if | 23 +++++++++++++++++++++++
>   1 file changed, 23 insertions(+)
> 
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 09a20311..bf6e37bc 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -712,6 +712,29 @@ interface(`init_getpgid',`
>   
>   ########################################
>   ## <summary>
> +##	Allow process to inherit resource limits.
> +## </summary>
> +## <p>
> +##	This is applicable with systemd when using the
> +##	options to limit resources - see
> +##  https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitMSGQUEUE=
> +## </p>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_rlimit_inherit',`

Merged, though I renamed this to init_inherit_rlimit().



> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:process rlimitinh;
> +')
> +
> +########################################
> +## <summary>
>   ##	Send init a generic signal.
>   ## </summary>
>   ## <param name="domain">
> 


-- 
Chris PeBenito