From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 27 Sep 2017 19:37:37 -0400
Subject: [refpolicy] [PATCH 1/1 v2] remove interface init_inherit_rlimit
In-Reply-To: <CO1PR15MB1032A808ADF41E5E0781117EB9780@CO1PR15MB1032.namprd15.prod.outlook.com>
References: <CO1PR15MB1032A808ADF41E5E0781117EB9780@CO1PR15MB1032.namprd15.prod.outlook.com>
Message-ID: <ae36de0e-2d83-301a-57a2-cb86b4ba7960@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/27/2017 03:48 PM, David Sugar via refpolicy wrote:
> Update patch to remove init_inherit_rlimit interface and always grant this access for init_t domain (systemd or otherwise).  I hope ordering of the new rules is correct.

Merged.


> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/system/init.if | 32 +++++++-------------------------
>   1 file changed, 7 insertions(+), 25 deletions(-)
> 
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 303bd067..622bcec5 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -129,6 +129,8 @@ interface(`init_domain',`
>   
>   	domtrans_pattern(init_t, $2, $1)
>   
> +	allow init_t $1:process rlimitinh;
> +
>   	ifdef(`init_systemd',`
>   		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
>   
> @@ -211,6 +213,8 @@ interface(`init_spec_daemon_domain',`
>   
>   	spec_domtrans_pattern(init_t, $2, $1)
>   
> +	allow init_t $1:process rlimitinh;
> +
>   	ifdef(`init_systemd',`
>   		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
>   
> @@ -291,6 +295,8 @@ interface(`init_daemon_domain',`
>   	# when using run_init
>   	init_use_script_ptys($1)
>   
> +	allow init_t $1:process rlimitinh;
> +
>   	ifdef(`direct_sysadm_daemon',`
>   		userdom_dontaudit_use_user_terminals($1)
>   	')
> @@ -306,6 +312,7 @@ interface(`init_daemon_domain',`
>   	optional_policy(`
>   		nscd_use($1)
>   	')
> +
>   ')
>   
>   ########################################
> @@ -712,31 +719,6 @@ interface(`init_getpgid',`
>   
>   ########################################
>   ## <summary>
> -##	Allow process to inherit resource limits.
> -## </summary>
> -## <desc>
> -## <p>
> -##	This is applicable with systemd when using the
> -##	options to limit resources - see
> -##	https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitMSGQUEUE=
> -## </p>
> -## </desc>
> -## <param name="domain">
> -##	<summary>
> -##	Domain allowed access.
> -##	</summary>
> -## </param>
> -#
> -interface(`init_inherit_rlimit',`
> -	gen_require(`
> -		type init_t;
> -	')
> -
> -	allow $1 init_t:process rlimitinh;
> -')
> -
> -########################################
> -## <summary>
>   ##	Send init a generic signal.
>   ## </summary>
>   ## <param name="domain">
> 


-- 
Chris PeBenito