From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 23 Sep 2017 14:16:00 -0400
Subject: [refpolicy] [PATCH 1/1] remove interface init_inherit_rlimit
In-Reply-To: <1B50C12ACFF4CB42B90D2581155DF50205B7BEA4@Exchange10.columbia.tresys.com>
References: <1B50C12ACFF4CB42B90D2581155DF50205B7BEA4@Exchange10.columbia.tresys.com>
Message-ID: <27323f4f-610c-3321-3e94-37395c0fb632@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/21/2017 01:08 AM, David Sugar via refpolicy wrote:
> Remove the interface init_inherit_rlimit and always allow rlimitinh permissions for daemon processes started by systemd.
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/system/init.if | 27 ++-------------------------
>   1 file changed, 2 insertions(+), 25 deletions(-)
> 
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 303bd067..0caac118 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -132,6 +132,7 @@ interface(`init_domain',`
>   	ifdef(`init_systemd',`
>   		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
>   
> +		allow init_t $1:process rlimitinh;
>   		allow init_t $1:process2 { nnp_transition nosuid_transition };
>   	')
>   ')
> @@ -214,6 +215,7 @@ interface(`init_spec_daemon_domain',`
>   	ifdef(`init_systemd',`
>   		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
>   
> +		allow init_t $1:process rlimitinh;
>   		allow init_t $1:process2 { nnp_transition nosuid_transition };
>   	')

I don't think these should actually be systemd-specific.  Similar types 
of behavior could be done from init scripts.  Also missing is 
init_daemon_domain rules.

> @@ -712,31 +714,6 @@ interface(`init_getpgid',`
>   
>   ########################################
>   ## <summary>
> -##	Allow process to inherit resource limits.
> -## </summary>
> -## <desc>
> -## <p>
> -##	This is applicable with systemd when using the
> -##	options to limit resources - see
> -##	https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitMSGQUEUE=
> -## </p>
> -## </desc>
> -## <param name="domain">
> -##	<summary>
> -##	Domain allowed access.
> -##	</summary>
> -## </param>
> -#
> -interface(`init_inherit_rlimit',`
> -	gen_require(`
> -		type init_t;
> -	')
> -
> -	allow $1 init_t:process rlimitinh;
> -')
> -
> -########################################
> -## <summary>
>   ##	Send init a generic signal.
>   ## </summary>
>   ## <param name="domain">
> 


-- 
Chris PeBenito