From: dsugar@tresys.com (David Sugar) Date: Thu, 21 Sep 2017 05:08:14 +0000 Subject: [refpolicy] [PATCH 1/1] remove interface init_inherit_rlimit Message-ID: <1B50C12ACFF4CB42B90D2581155DF50205B7BEA4@Exchange10.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Remove the interface init_inherit_rlimit and always allow rlimitinh permissions for daemon processes started by systemd. Signed-off-by: Dave Sugar --- policy/modules/system/init.if | 27 ++------------------------- 1 file changed, 2 insertions(+), 25 deletions(-) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 303bd067..0caac118 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -132,6 +132,7 @@ interface(`init_domain',` ifdef(`init_systemd',` allow $1 init_t:unix_stream_socket { getattr read write ioctl }; + allow init_t $1:process rlimitinh; allow init_t $1:process2 { nnp_transition nosuid_transition }; ') ') @@ -214,6 +215,7 @@ interface(`init_spec_daemon_domain',` ifdef(`init_systemd',` allow $1 init_t:unix_stream_socket { getattr read write ioctl }; + allow init_t $1:process rlimitinh; allow init_t $1:process2 { nnp_transition nosuid_transition }; ') @@ -712,31 +714,6 @@ interface(`init_getpgid',` ######################################## ## -## Allow process to inherit resource limits. -## -## -##

-## This is applicable with systemd when using the -## options to limit resources - see -## https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitMSGQUEUE= -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`init_inherit_rlimit',` - gen_require(` - type init_t; - ') - - allow $1 init_t:process rlimitinh; -') - -######################################## -## ## Send init a generic signal. ## ## -- 2.13.5
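Review bot: In the init_domain hunk (@@ -132) the added rule "allow init_t $1:process rlimitinh;" sits directly in the init_systemd ifdef block, so every domain passed to init_domain now receives it, where previously a module had to call init_inherit_rlimit to opt in. The commit message says "always allow" but gives no reason why the opt-in is no longer wanted. Please add that reasoning, and mention the new rule in the init_domain interface description so callers know the interface now implies it.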
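Review bot: The rule added to init_spec_daemon_domain (@@ -214) is "allow init_t $1:process rlimitinh;", while the interface removed further down granted "allow $1 init_t:process rlimitinh;", with source and target the other way round. SELinux checks rlimitinh from the old domain to the new one across exec, so init_t as the source looks like the right form, but that makes this a change in what is granted rather than a move of an existing rule. Please state the direction change in the commit message.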
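Review bot: The @@ -712 hunk deletes init_inherit_rlimit outright, and the diffstat lists init.if as the only file touched, so any module that still calls the interface will stop building. Either remove the remaining callers in this same patch, or keep the interface for now as an empty deprecated stub that emits a refpolicywarn and drop it in a later release.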