From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 27 Sep 2017 19:37:37 -0400 Subject: [refpolicy] [PATCH 1/1 v2] remove interface init_inherit_rlimit In-Reply-To: References: Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/27/2017 03:48 PM, David Sugar via refpolicy wrote: > Update patch to remove init_inherit_rlimit interface and always grant this access for init_t domain (systemd or otherwise). I hope ordering of the new rules is correct. Merged. > Signed-off-by: Dave Sugar > --- > policy/modules/system/init.if | 32 +++++++------------------------- > 1 file changed, 7 insertions(+), 25 deletions(-) > > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if > index 303bd067..622bcec5 100644 > --- a/policy/modules/system/init.if > +++ b/policy/modules/system/init.if > @@ -129,6 +129,8 @@ interface(`init_domain',` > > domtrans_pattern(init_t, $2, $1) > > + allow init_t $1:process rlimitinh; > + > ifdef(`init_systemd',` > allow $1 init_t:unix_stream_socket { getattr read write ioctl }; > > @@ -211,6 +213,8 @@ interface(`init_spec_daemon_domain',` > > spec_domtrans_pattern(init_t, $2, $1) > > + allow init_t $1:process rlimitinh; > + > ifdef(`init_systemd',` > allow $1 init_t:unix_stream_socket { getattr read write ioctl }; > > @@ -291,6 +295,8 @@ interface(`init_daemon_domain',` > # when using run_init > init_use_script_ptys($1) > > + allow init_t $1:process rlimitinh; > + > ifdef(`direct_sysadm_daemon',` > userdom_dontaudit_use_user_terminals($1) > ') > @@ -306,6 +312,7 @@ interface(`init_daemon_domain',` > optional_policy(` > nscd_use($1) > ') > + > ') > > ######################################## > @@ -712,31 +719,6 @@ interface(`init_getpgid',` > > ######################################## > ## > -## Allow process to inherit resource limits. > -## > -## > -##

> -## This is applicable with systemd when using the > -## options to limit resources - see > -## https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitMSGQUEUE= > -##

> -##
> -## > -## > -## Domain allowed access. > -## > -## > -# > -interface(`init_inherit_rlimit',` > - gen_require(` > - type init_t; > - ') > - > - allow $1 init_t:process rlimitinh; > -') > - > -######################################## > -## > ## Send init a generic signal. > ## > ## > -- Chris PeBenito
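
Review bot: the new `allow init_t $1:process rlimitinh;` in the `@@ -129,6 +129,8 @@` hunk (and the same line added to `init_spec_daemon_domain` and `init_daemon_domain`) has no comment saying why init needs it. The only explanation on record was the documentation block of `init_inherit_rlimit`, which this patch deletes, including its pointer to the systemd resource-limit options. A one-line comment above the rule, for example "# allow started domains to inherit resource limits set by init", would keep the rationale next to the permission.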
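
Review bot: the `@@ -306,6 +312,7 @@` hunk only adds an empty line between the closing of `optional_policy` and the closing `')` of `init_daemon_domain`. It is unrelated to the rlimitinh change and should be dropped from the patch.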
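
Review bot: the rule removed in the `@@ -712,31 +719,6 @@` hunk is not the same rule the other hunks add, and the commit message does not say so. The deleted interface granted `allow $1 init_t:process rlimitinh;` (caller as source, init_t as target), while the replacement is `allow init_t $1:process rlimitinh;` (init_t as source). The new direction matches how rlimitinh is checked on exec, with the old domain as source and the new domain as target, so the change looks right, but the message should state that the direction was corrected rather than describing it as granting "this access" unconditionally. Separately, the diffstat touches only `init.if`: any remaining caller of `init_inherit_rlimit` in another module or in local policy will no longer build, so please confirm there are none or leave a deprecated stub for one release.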