2017-09-21 05:08:14

by Sugar, David

Subject: [refpolicy] [PATCH 1/1] remove interface init_inherit_rlimit

Remove the interface init_inherit_rlimit and always allow rlimitinh permissions for daemon processes started by systemd.

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/init.if | 27 ++-------------------------
1 file changed, 2 insertions(+), 25 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 303bd067..0caac118 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -132,6 +132,7 @@ interface(`init_domain',`
ifdef(`init_systemd',`
allow $1 init_t:unix_stream_socket { getattr read write ioctl };

+ allow init_t $1:process rlimitinh;
allow init_t $1:process2 { nnp_transition nosuid_transition };
')
')
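Review bot: the new `allow init_t $1:process rlimitinh;` is placed inside `ifdef(`init_systemd',`, next to the systemd-only process2 rules, but resource-limit inheritance is not a systemd feature: a SysV init script that raises a ulimit before exec'ing the daemon triggers the same rlimitinh check on the init_t to $1 transition. Move the line above the ifdef so init_domain grants it unconditionally, and keep only the unix_stream_socket and process2 rules under the systemd guard.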
@@ -214,6 +215,7 @@ interface(`init_spec_daemon_domain',`
ifdef(`init_systemd',`
allow $1 init_t:unix_stream_socket { getattr read write ioctl };

+ allow init_t $1:process rlimitinh;
allow init_t $1:process2 { nnp_transition nosuid_transition };
')

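Review bot: same placement problem as in init_domain, and init_spec_daemon_domain is the only daemon interface touched: init_daemon_domain, the common entry point through which daemons get their transition from init_t, receives no rlimitinh rule, so the permission the commit message says is "always" granted is still denied for every daemon declared that way. Add the same `allow init_t $1:process rlimitinh;` to init_daemon_domain, outside the ifdef in both interfaces.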
@@ -712,31 +714,6 @@ interface(`init_getpgid',`

########################################
## <summary>
-## Allow process to inherit resource limits.
-## </summary>
-## <desc>
-## <p>
-## This is applicable with systemd when using the
-## options to limit resources - see
-## https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitMSGQUEUE=
-## </p>
-## </desc>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`init_inherit_rlimit',`
- gen_require(`
- type init_t;
- ')
-
- allow $1 init_t:process rlimitinh;
-')
-
-########################################
-## <summary>
## Send init a generic signal.
## </summary>
## <param name="domain">
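Review bot: the interface is deleted outright rather than left as a deprecated stub; refpolicy's convention is to keep the name for a release with `refpolicywarn(`$0($*) has been deprecated.')` in its body, so out-of-tree modules that still call init_inherit_rlimit keep building. The commit message should also state why callers lose nothing: the removed rule `allow $1 init_t:process rlimitinh;` runs from the daemon domain to init_t, while the replacement `allow init_t $1:process rlimitinh;` runs from init_t to the daemon domain, and the kernel checks rlimitinh on exec with the pre-exec domain as source and the new domain as target, so the old interface never granted what its summary described.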
--
2.13.5


2017-09-23 18:16:00

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/1] remove interface init_inherit_rlimit

On 09/21/2017 01:08 AM, David Sugar via refpolicy wrote:
> Remove the interface init_inherit_rlimit and always allow rlimitinh permissions for daemon processes started by systemd.
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/init.if | 27 ++-------------------------
> 1 file changed, 2 insertions(+), 25 deletions(-)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 303bd067..0caac118 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -132,6 +132,7 @@ interface(`init_domain',`
> ifdef(`init_systemd',`
> allow $1 init_t:unix_stream_socket { getattr read write ioctl };
>
> + allow init_t $1:process rlimitinh;
> allow init_t $1:process2 { nnp_transition nosuid_transition };
> ')
> ')
> @@ -214,6 +215,7 @@ interface(`init_spec_daemon_domain',`
> ifdef(`init_systemd',`
> allow $1 init_t:unix_stream_socket { getattr read write ioctl };
>
> + allow init_t $1:process rlimitinh;
> allow init_t $1:process2 { nnp_transition nosuid_transition };
> ')

I don't think these should actually be systemd-specific. Similar types
of behavior could be done from init scripts. Also missing are the
init_daemon_domain rules.

> @@ -712,31 +714,6 @@ interface(`init_getpgid',`
>
> ########################################
> ## <summary>
> -## Allow process to inherit resource limits.
> -## </summary>
> -## <desc>
> -## <p>
> -## This is applicable with systemd when using the
> -## options to limit resources - see
> -## https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitMSGQUEUE=
> -## </p>
> -## </desc>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`init_inherit_rlimit',`
> - gen_require(`
> - type init_t;
> - ')
> -
> - allow $1 init_t:process rlimitinh;
> -')
> -
> -########################################
> -## <summary>
> ## Send init a generic signal.
> ## </summary>
> ## <param name="domain">
>


--
Chris PeBenito
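The two review points in this thread, where the rlimitinh rule sits relative to ifdef(`init_systemd') and which daemon interfaces carry it, together with the direction of the rule in the removed interface, as an added example that is neither refpolicy's own code nor the patch author's: a small Python lint over an init.if-style excerpt. The excerpt is constructed to mirror the patched interfaces (init_domain with the new rule under the systemd ifdef, init_daemon_domain with no rlimitinh rule at all, the removed init_inherit_rlimit granting rlimitinh from the daemon domain to init_t) plus a hypothetical example_fixed_domain whose rule sits outside the ifdef. It assumes only that m4 quotes are ` and ', and that the kernel checks rlimitinh with the pre-exec domain as source and the new domain as target.

```python
"""Added example (not refpolicy code): lint init.if-style interfaces for the
rlimitinh rule. For each interface that lets init_t transition a daemon
(nnp_transition on process2) it checks `allow init_t $1:process rlimitinh;`
is granted, reports it when granted only under ifdef(`init_systemd'), and
flags rlimitinh granted in the reverse direction ($1 -> init_t)."""
import re

# Constructed excerpt modeled on the patched init.if, not the real file;
# example_fixed_domain is hypothetical and shows the shape the lint accepts.
SAMPLE_IF = r"""
interface(`init_domain',`
	gen_require(`
		type init_t;
	')
	ifdef(`init_systemd',`
		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
		allow init_t $1:process rlimitinh;
		allow init_t $1:process2 { nnp_transition nosuid_transition };
	')
')

interface(`init_daemon_domain',`
	gen_require(`
		type init_t;
	')
	ifdef(`init_systemd',`
		allow init_t $1:process2 { nnp_transition nosuid_transition };
	')
')

interface(`init_inherit_rlimit',`
	allow $1 init_t:process rlimitinh;
')

interface(`example_fixed_domain',`
	allow init_t $1:process rlimitinh;
	ifdef(`init_systemd',`
		allow init_t $1:process2 { nnp_transition nosuid_transition };
	')
')
"""

INTERFACE_RE = re.compile(r"^\s*interface\(`(\w+)',`")
IFDEF_SYSTEMD_RE = re.compile(r"ifdef\(`init_systemd',`")
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_rules(text):
    """Return (interface, source, target, class, perms, under_systemd) tuples.
    m4 quotes are tracked per character (` opens a level, ' closes one): an
    interface ends at depth 0, an ifdef body when depth drops below its level."""
    rules, depth, current, systemd_levels = [], 0, None, []
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m and depth == 0:
            current = m.group(1)
        m = ALLOW_RE.match(line)
        if m and current:
            rules.append((current, m.group(1), m.group(2), m.group(3),
                          frozenset(m.group(4).strip("{} ").split()),
                          bool(systemd_levels)))
        opens_systemd = IFDEF_SYSTEMD_RE.search(line) is not None
        for ch in line:
            if ch == "`":
                depth += 1
            elif ch == "'":
                depth -= 1
                while systemd_levels and depth < systemd_levels[-1]:
                    systemd_levels.pop()
        if opens_systemd:  # the body lines that follow sit at this depth or deeper
            systemd_levels.append(depth)
        if depth == 0:
            current = None
    return rules


def lint(text):
    """Map each interface name to its findings (empty list means clean)."""
    by_iface = {}
    for iface, *rule in parse_rules(text):
        by_iface.setdefault(iface, []).append(tuple(rule))
    findings = {}
    for iface, rules in by_iface.items():
        def has(src, tgt, cls, perm):
            return [r for r in rules
                    if r[:3] == (src, tgt, cls) and perm in r[3]]
        transitions = has("init_t", "$1", "process2", "nnp_transition")
        inherits = has("init_t", "$1", "process", "rlimitinh")
        out = []
        if transitions and not inherits:
            out.append("missing: no `allow init_t $1:process rlimitinh;`")
        elif inherits and all(r[4] for r in inherits):
            out.append("systemd-only: rlimitinh only under ifdef(`init_systemd')")
        if has("$1", "init_t", "process", "rlimitinh"):
            out.append("reversed: rlimitinh granted $1 -> init_t; the kernel "
                       "checks old domain -> new domain on exec")
        findings[iface] = out
    return findings
```

Calling lint(SAMPLE_IF) reports init_daemon_domain as missing the rule, init_domain as granting it only under the systemd ifdef, init_inherit_rlimit as reversed, and example_fixed_domain as clean; parse_rules can be pointed at the real init.if after the patch is applied to run the same three checks on the live file.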