From: dsugar@tresys.com (David Sugar)
Date: Wed, 27 Sep 2017 19:48:43 +0000
Subject: [refpolicy] [PATCH 1/1 v2] remove interface init_inherit_rlimit
Message-ID: <CO1PR15MB1032A808ADF41E5E0781117EB9780@CO1PR15MB1032.namprd15.prod.outlook.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Update patch to remove init_inherit_rlimit interface and always grant this access for init_t domain (systemd or otherwise).  I hope ordering of the new rules is correct.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/init.if | 32 +++++++-------------------------
 1 file changed, 7 insertions(+), 25 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 303bd067..622bcec5 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -129,6 +129,8 @@ interface(`init_domain',`
 
 	domtrans_pattern(init_t, $2, $1)
 
+	allow init_t $1:process rlimitinh;
+
 	ifdef(`init_systemd',`
 		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
 
@@ -211,6 +213,8 @@ interface(`init_spec_daemon_domain',`
 
 	spec_domtrans_pattern(init_t, $2, $1)
 
+	allow init_t $1:process rlimitinh;
+
 	ifdef(`init_systemd',`
 		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
 
@@ -291,6 +295,8 @@ interface(`init_daemon_domain',`
 	# when using run_init
 	init_use_script_ptys($1)
 
+	allow init_t $1:process rlimitinh;
+
 	ifdef(`direct_sysadm_daemon',`
 		userdom_dontaudit_use_user_terminals($1)
 	')
@@ -306,6 +312,7 @@ interface(`init_daemon_domain',`
 	optional_policy(`
 		nscd_use($1)
 	')
+
 ')
 
 ########################################
@@ -712,31 +719,6 @@ interface(`init_getpgid',`
 
 ########################################
 ## <summary>
-##	Allow process to inherit resource limits.
-## </summary>
-## <desc>
-## <p>
-##	This is applicable with systemd when using the
-##	options to limit resources - see
-##	https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitMSGQUEUE=
-## </p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_inherit_rlimit',`
-	gen_require(`
-		type init_t;
-	')
-
-	allow $1 init_t:process rlimitinh;
-')
-
-########################################
-## <summary>
 ##	Send init a generic signal.
 ## </summary>
 ## <param name="domain">
-- 
2.13.5