From: dac.override@gmail.com (Dominick Grift)
Date: Thu, 14 Sep 2017 16:13:34 +0200
Subject: [refpolicy] [PATCH 1/1] Add int_rlimit_inherit interface
In-Reply-To: <1B50C12ACFF4CB42B90D2581155DF50205B5ECA2@Exchange10.columbia.tresys.com>
References: <1B50C12ACFF4CB42B90D2581155DF50205B5D882@Exchange10.columbia.tresys.com>
	<20170914080744.GA17010@julius.enp8s0.d30>
	<20170914082010.GB17010@julius.enp8s0.d30>
	<1B50C12ACFF4CB42B90D2581155DF50205B5ECA2@Exchange10.columbia.tresys.com>
Message-ID: <20170914141334.GC17010@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Sep 14, 2017 at 01:45:19PM +0000, David Sugar via refpolicy wrote:
> 
> ________________________________________
> From: refpolicy-bounces at oss.tresys.com [refpolicy-bounces at oss.tresys.com] on behalf of Dominick Grift via refpolicy [refpolicy at oss.tresys.com]
> Sent: Thursday, September 14, 2017 4:20 AM
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] [PATCH 1/1] Add int_rlimit_inherit interface
> 
> On Thu, Sep 14, 2017 at 10:07:44AM +0200, Dominick Grift wrote:
> > On Wed, Sep 13, 2017 at 08:34:15PM +0000, David Sugar via refpolicy wrote:
> > > Create new interface init_rlimit_inherit to allow a process started by init to inherit resource limits.  systemd allows for setting of resource limits [1] but the default from SELinux is to not allow the inheritance of those limits as a service is started.  This interface allows that resource limit inheritance.
> > >
> > > The systemd .service options are LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=, LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=, LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=, LimitRTTIME=
> > >
> > > [1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
> >
> > Have you tested this?
> >
> > I just tried this out and i do not seem to need this to get it to work:
> >
> > https://www.youtube.com/watch?v=f8nFGbMBG0s
> >
> > Instead systemd needs to be able to "setrlimit" (and probably getsched/setsched) on its children i suspect
> 
> I tested this in the use case that I am working with.  I am setting LimitMSGQUEUE=infinity in my .service file.  The service is starting a c++ binary which is creating a message queue (using mq_open) with a fairly large message queue size. 
> I was getting failures to create the message queue (I'm pretty sure the error was EMFILE - I don't have the error message returned from mq_open handy any longer I can rebuild the policy and retest if you would like).
> Once I added this permission (and only this one change) the error went away.  

I can't produce this:

https://www.youtube.com/watch?v=yRcyBQfkKoE

> 
> I did watch your video and I'm not sure what the difference is between the two cases.  I don't know if making it a bash script is somehow making a difference (I don't know why it would)?
> 
> I am also using the SELinuxContext= option to explicitly set the target domain.  I also don't think this would make a difference, but I wanted to mention it.
> 
> Dave Sugar
>  
> >
> > >
> > > Signed-off-by: Dave Sugar <dsugar@tresys.com>
> > > ---
> > >  policy/modules/system/init.if | 23 +++++++++++++++++++++++
> > >  1 file changed, 23 insertions(+)
> > >
> > > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> > > index 09a20311..bf6e37bc 100644
> > > --- a/policy/modules/system/init.if
> > > +++ b/policy/modules/system/init.if
> > > @@ -712,6 +712,29 @@ interface(`init_getpgid',`
> > >
> > >  ########################################
> > >  ## <summary>
> > > +## Allow process to inherit resource limits.
> > > +## </summary>
> > > +## <p>
> > > +## This is applicable with systemd when using the
> > > +## options to limit resources - see
> > > +##  https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitMSGQUEUE=
> > > +## </p>
> > > +## <param name="domain">
> > > +## <summary>
> > > +## Domain allowed access.
> > > +## </summary>
> > > +## </param>
> > > +#
> > > +interface(`init_rlimit_inherit',`
> > > +   gen_require(`
> > > +           type init_t;
> > > +   ')
> > > +
> > > +   allow $1 init_t:process rlimitinh;
> > > +')
> > > +
> > > +########################################
> > > +## <summary>
> > >  ## Send init a generic signal.
> > >  ## </summary>
> > >  ## <param name="domain">
> > > --
> > > 2.13.5
> > > _______________________________________________
> > > refpolicy mailing list
> > > refpolicy at oss.tresys.com
> > > http://oss.tresys.com/mailman/listinfo/refpolicy
> >
> > --
> > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> > Dominick Grift
> 
> 
> 
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170914/94e70097/attachment.bin