Add int_rlimit_inherit interface

Create new interface init_rlimit_inherit to allow a process started by init to inherit resource limits.  systemd allows for setting of resource limits [1] but the default from SELinux is to not allow the inheritance of those limits as a service is started.  This interface allows that resource limit inheritance.

The systemd .service options are LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=, LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=, LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=, LimitRTTIME=

[1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html

Signed-off-by: Dave Sugar <dsugar@tresys.com>
David Sugar 2017-09-13 20:34:15 +00:00 committed by Chris PeBenito
parent 153fb2f591
commit aad06a40fe
1 changed files with 23 additions and 0 deletions


@ -710,6 +710,29 @@ interface(`init_getpgid',`
allow $1 init_t:process getpgid; allow $1 init_t:process getpgid;
') ')
########################################
## <summary>
## Allow process to inherit resource limits.
## </summary>
## <p>
## This is applicable with systemd when using the
## options to limit resources - see
## https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitMSGQUEUE=
## </p>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rlimit_inherit',`
gen_require(`
type init_t;
')
allow $1 init_t:process rlimitinh;
')
######################################## ########################################
## <summary> ## <summary>
## Send init a generic signal. ## Send init a generic signal.
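
Review bot: The rule in the new interface, `allow $1 init_t:process rlimitinh;`, has the calling domain as the source and init_t as the target, which looks reversed for the case the commit message describes. The kernel checks rlimitinh across exec with the old (parent) domain as the source and the new domain as the target, so for a service started by init the rule would be `allow init_t $1:process rlimitinh;`. Please confirm against the AVC denial this was written for. It would also help if the summary said "inherit resource limits from init", and the URL in the doc comment is anchored at #LimitMSGQUEUE= although the interface covers all the Limit*= options.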