2017-09-27 19:48:43

by Sugar, David

Subject: [refpolicy] [PATCH 1/1 v2] remove interface init_inherit_rlimit

Update patch to remove init_inherit_rlimit interface and always grant this access for init_t domain (systemd or otherwise). I hope ordering of the new rules is correct.

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/init.if | 32 +++++++-------------------------
1 file changed, 7 insertions(+), 25 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 303bd067..622bcec5 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -129,6 +129,8 @@ interface(`init_domain',`

domtrans_pattern(init_t, $2, $1)

+ allow init_t $1:process rlimitinh;
+
ifdef(`init_systemd',`
allow $1 init_t:unix_stream_socket { getattr read write ioctl };

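Review bot: The added `allow init_t $1:process rlimitinh;` in `init_domain` has no comment, and the only text explaining this permission is deleted together with `init_inherit_rlimit` in the last hunk, so nothing says why init may pass its resource limits to every domain it starts. The new rule also uses init_t as source and the started domain as target, the reverse of the removed `allow $1 init_t:process rlimitinh;`, and the description does not mention that. A comment above the rule such as `# init passes its resource limits (e.g. systemd Limit*= options) to the started domain` would record both, and the same applies to the identical line added in `init_spec_daemon_domain`. Because the interface is removed outright and the diffstat touches only init.if, it is worth confirming that no other module still calls `init_inherit_rlimit`. Both interface bodies start and end outside their hunks.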
@@ -211,6 +213,8 @@ interface(`init_spec_daemon_domain',`

spec_domtrans_pattern(init_t, $2, $1)

+ allow init_t $1:process rlimitinh;
+
ifdef(`init_systemd',`
allow $1 init_t:unix_stream_socket { getattr read write ioctl };

@@ -291,6 +295,8 @@ interface(`init_daemon_domain',`
# when using run_init
init_use_script_ptys($1)

+ allow init_t $1:process rlimitinh;
+
ifdef(`direct_sysadm_daemon',`
userdom_dontaudit_use_user_terminals($1)
')
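Review bot: In `init_daemon_domain` the new rule names init_t as the source, but the visible context (`init_use_script_ptys($1)` under the comment "when using run_init") suggests these daemons may be started from an init script domain rather than from init_t directly. The transition line and the `gen_require` block are outside the hunk, so this is unconfirmed. If that is the case, rlimitinh would be checked against the domain that actually executes the daemon, and `allow init_t $1:process rlimitinh;` would not cover that path. Please confirm which domain performs the transition here and that init_t is declared in this interface's `gen_require`. The next hunk in the same interface adds only a blank line before the closing `')` and could be dropped.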
@@ -306,6 +312,7 @@ interface(`init_daemon_domain',`
optional_policy(`
nscd_use($1)
')
+
')

########################################
@@ -712,31 +719,6 @@ interface(`init_getpgid',`

########################################
## <summary>
-## Allow process to inherit resource limits.
-## </summary>
-## <desc>
-## <p>
-## This is applicable with systemd when using the
-## options to limit resources - see
-## https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitMSGQUEUE=
-## </p>
-## </desc>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`init_inherit_rlimit',`
- gen_require(`
- type init_t;
- ')
-
- allow $1 init_t:process rlimitinh;
-')
-
-########################################
-## <summary>
## Send init a generic signal.
## </summary>
## <param name="domain">
--
2.13.5


2017-09-27 23:37:37

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/1 v2] remove interface init_inherit_rlimit

On 09/27/2017 03:48 PM, David Sugar via refpolicy wrote:
> Update patch to remove init_inherit_rlimit interface and always grant this access for init_t domain (systemd or otherwise). I hope ordering of the new rules is correct.

Merged.


> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/init.if | 32 +++++++-------------------------
> 1 file changed, 7 insertions(+), 25 deletions(-)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 303bd067..622bcec5 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -129,6 +129,8 @@ interface(`init_domain',`
>
> domtrans_pattern(init_t, $2, $1)
>
> + allow init_t $1:process rlimitinh;
> +
> ifdef(`init_systemd',`
> allow $1 init_t:unix_stream_socket { getattr read write ioctl };
>
> @@ -211,6 +213,8 @@ interface(`init_spec_daemon_domain',`
>
> spec_domtrans_pattern(init_t, $2, $1)
>
> + allow init_t $1:process rlimitinh;
> +
> ifdef(`init_systemd',`
> allow $1 init_t:unix_stream_socket { getattr read write ioctl };
>
> @@ -291,6 +295,8 @@ interface(`init_daemon_domain',`
> # when using run_init
> init_use_script_ptys($1)
>
> + allow init_t $1:process rlimitinh;
> +
> ifdef(`direct_sysadm_daemon',`
> userdom_dontaudit_use_user_terminals($1)
> ')
> @@ -306,6 +312,7 @@ interface(`init_daemon_domain',`
> optional_policy(`
> nscd_use($1)
> ')
> +
> ')
>
> ########################################
> @@ -712,31 +719,6 @@ interface(`init_getpgid',`
>
> ########################################
> ## <summary>
> -## Allow process to inherit resource limits.
> -## </summary>
> -## <desc>
> -## <p>
> -## This is applicable with systemd when using the
> -## options to limit resources - see
> -## https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitMSGQUEUE=
> -## </p>
> -## </desc>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`init_inherit_rlimit',`
> - gen_require(`
> - type init_t;
> - ')
> -
> - allow $1 init_t:process rlimitinh;
> -')
> -
> -########################################
> -## <summary>
> ## Send init a generic signal.
> ## </summary>
> ## <param name="domain">
>


--
Chris PeBenito