Confining TeX
Daniel J Walsh
dwalsh at redhat.com
Thu Mar 1 14:10:29 UTC 2007
Jan Kasprzak wrote:
> Hello,
>
> I am implementing a remote TeX server for our users,
> and I would like to confine it using SELinux (FC6, targeted policy).
> I need help or suggestions on possible approaches. What I want to do
> is the following:
>
> - I have a TeX installation in a separate directory
> - I want local users to be able to run TeX commands without restrictions
> - I want to have a daemon, running under a separate user, which will handle
> remote requests for TeX compilation. Under this user/daemon
> the TeX commands should be confined, so that they can only
> read TeX data files (the texmf/ tree), execute the TeX sub-commands
> (i.e. files under <texroot>/bin/ directory) - including the rights
> to the system libraries, locales, etc. as necessary. And the confined
> processes should write only to the texmf-var tree (autogenerated
> bitmap fonts, etc.) and to the temporary directory, reserved for
> TeX outputs (logs, DVI files, dvips outputs, etc.).
>
> My current solution is to create the tex_t domain,
> and tex_exec_t, tex_data_t, and tex_tmp_t file types, and make the
> daemon run "runcon -t tex_t -- tex myfile.tex" instead of plain
> "tex myfile.tex".
>
>
> Maybe there are better approaches than this:
>
> - maybe the "runcon" is not necessary, and TeX executables can be made to
> enter the tex_t domain automatically, when started by the UNIX user
> under which the daemon runs.
>
> - or maybe I should use SELinux users or roles instead of domains (?)
>
> - or maybe the daemon should run under its own special domain?
>
> The "runcon" approach allows local users to compile also
> untrusted TeX sources - i.e. they can be able to run TeX either under their
> own context, or via "runcon" in the confined mode.
>
>
I have not seen your policy but a couple of comments:
First you said you have a daemon, which means almost never need to use
runcon. runcon is really a test program. You write rules to transition
from initrc_t to your confined domain and then put an init script in
/etc/init.d and it will transition. (With proper labeleing.)
If you want to have a program that users will run in the confined
environment you could create a context on a small program or script
(confinedtext) labeled confinedtex_exec_t, and then write transition
rules from like the following
domain_auto_trans(unconfined_t, confinedtex_exec_t, tex_t)
Then label the script confinedtex_exec_t.
Now the users could either run with tex directly or run confinedtex
> Any suggestions?
>
> -Yenya
>
>
More information about the fedora-selinux-list
mailing list