Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

From: Tomáš Trnka
Date: Tue Dec 12 2017 - 10:45:00 EST


> Of course this can be somewhat worked around by adjusting the SELinux policy
> (allowing blanket noatsecure permission for init_t and possibly others) or
> by pam_limits (for components using PAM).

Correction: pam_limits also usually doesn't help here, as it's often followed
by another secureexec (for example when login (local_login_t) executes the
shell with transition to unconfined_t).

2T