Confining TeX

Daniel J Walsh dwalsh at redhat.com
Thu Mar 1 14:10:29 UTC 2007


Jan Kasprzak wrote:
>         Hello,
>
>         I am implementing a remote TeX server for our users,
> and I would like to confine it using SELinux (FC6, targeted policy).
> I need help or suggestions on possible approaches. What I want to do
> is the following:
>
> - I have a TeX installation in a separate directory
> - I want local users to be able to run TeX commands without restrictions
> - I want to have a daemon, running under a separate user, which will handle
>         remote requests for TeX compilation. Under this user/daemon
>         the TeX commands should be confined, so that they can only
>         read TeX data files (the texmf/ tree), execute the TeX sub-commands
>         (i.e. files under <texroot>/bin/ directory) - including the rights
>         to the system libraries, locales, etc. as necessary. And the confined
>         processes should write only to the texmf-var tree (autogenerated
>         bitmap fonts, etc.) and to the temporary directory, reserved for
>         TeX outputs (logs, DVI files, dvips outputs, etc.).
>
>         My current solution is to create the tex_t domain,
> and tex_exec_t, tex_data_t, and tex_tmp_t file types, and make the
> daemon run "runcon -t tex_t -- tex myfile.tex" instead of plain
> "tex myfile.tex".
>
>         Maybe there are better approaches than this:
>
> - maybe the "runcon" is not necessary, and TeX executables can be made to
>         enter the tex_t domain automatically, when started by the UNIX user
>         under which the daemon runs.
>
> - or maybe I should use SELinux users or roles instead of domains (?)
>
> - or maybe the daemon should run under its own special domain?
>
> 	The "runcon" approach also allows local users to compile
> untrusted TeX sources - i.e. they are able to run TeX either under their
> own context, or via "runcon" in the confined mode.
>
I have not seen your policy, but a couple of comments:
First, you said you have a daemon, which means you almost never need to use 
runcon.  runcon is really a test program.  You write rules to transition 
from initrc_t to your confined domain and then put an init script in 
/etc/init.d and it will transition (with proper labeling).

If you want to have a program that users will run in the confined 
environment, you could create a context on a small program or script 
(confinedtex) labeled confinedtex_exec_t, and then write transition 
rules like the following:

domain_auto_trans(unconfined_t, confinedtex_exec_t, tex_t)

Then label the script confinedtex_exec_t.

Now the users could either run tex directly or run confinedtex.

> 	Any suggestions?
>
> -Yenya
>
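As an added example (not code from the thread, nor from Fedora's own policy), here is the shape of such a module in refpolicy syntax, with the build, load and relabel steps for FC6 (selinux-policy-devel installed). The type names tex_t, tex_exec_t, tex_data_t, tex_tmp_t and confinedtex_exec_t come from the thread; the daemon domain texd_t/texd_exec_t, the tex_var_t type for texmf-var, and every path under /opt/tex, /var/spool/tex and /usr/local are assumptions standing in for the real installation:

```shell
#!/bin/sh
# Added example, not part of the original thread. Names from the thread:
# tex_t, tex_exec_t, tex_data_t, tex_tmp_t, confinedtex_exec_t. Assumed:
# texd_t/texd_exec_t (daemon), tex_var_t (texmf-var) and all paths below.

# write_tex_policy DIR: write DIR/tex.te and DIR/tex.fc
write_tex_policy() {
    dir=$1
    cat > "$dir/tex.te" <<'EOF'
policy_module(tex, 1.0)

# Daemon that accepts remote compile requests; started from an init script
# in /etc/init.d, so it transitions initrc_t -> texd_t without runcon.
type texd_t;
type texd_exec_t;
init_daemon_domain(texd_t, texd_exec_t)

# Confined domain for the TeX binaries themselves.
type tex_t;
type tex_exec_t;
domain_type(tex_t)
domain_entry_file(tex_t, tex_exec_t)
role system_r types tex_t;   # FC6 targeted: unconfined users run in system_r

# Wrapper script local users run to compile untrusted sources confined.
type confinedtex_exec_t;
domain_entry_file(tex_t, confinedtex_exec_t)

# Read-only texmf tree, writable texmf-var tree and output directory.
type tex_data_t;
files_type(tex_data_t)
type tex_var_t;
files_type(tex_var_t)
type tex_tmp_t;
files_type(tex_tmp_t)

# Transitions: daemon -> tex_t on exec of a TeX binary, and unconfined
# local user -> tex_t via the wrapper (the rule given in the reply).
domain_auto_trans(texd_t, tex_exec_t, tex_t)
gen_require(`
    type unconfined_t;
')
domain_auto_trans(unconfined_t, confinedtex_exec_t, tex_t)

# tex_t may exec other TeX binaries (mktexpk, dvips, ...) staying in
# tex_t, plus /bin/sh for the wrapper and the mktex* scripts.
can_exec(tex_t, tex_exec_t)
corecmd_exec_shell(tex_t)
libs_use_ld_so(tex_t)
libs_use_shared_libs(tex_t)
miscfiles_read_localization(tex_t)
files_read_etc_files(tex_t)

# texmf tree: read only.
allow tex_t tex_data_t:dir list_dir_perms;
allow tex_t tex_data_t:file read_file_perms;
allow tex_t tex_data_t:lnk_file read_lnk_file_perms;

# texmf-var (generated fonts) and the output directory are the only
# writable locations; nothing grants tex_t write access anywhere else.
allow tex_t { tex_var_t tex_tmp_t }:dir manage_dir_perms;
allow tex_t { tex_var_t tex_tmp_t }:file manage_file_perms;

# The daemon reads back the results (logs, DVI, dvips output).
allow texd_t tex_tmp_t:dir manage_dir_perms;
allow texd_t tex_tmp_t:file manage_file_perms;
EOF

    cat > "$dir/tex.fc" <<'EOF'
/usr/local/sbin/texd        --  gen_context(system_u:object_r:texd_exec_t,s0)
/usr/local/bin/confinedtex  --  gen_context(system_u:object_r:confinedtex_exec_t,s0)
/opt/tex/bin(/.*)?              gen_context(system_u:object_r:tex_exec_t,s0)
/opt/tex/texmf(/.*)?            gen_context(system_u:object_r:tex_data_t,s0)
/opt/tex/texmf-var(/.*)?        gen_context(system_u:object_r:tex_var_t,s0)
/var/spool/tex(/.*)?            gen_context(system_u:object_r:tex_tmp_t,s0)
EOF
}

# build_tex_policy DIR: expand the interface macros and package DIR/tex.pp
build_tex_policy() {
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile tex.pp )
}

# install_tex_policy DIR: load the module and relabel the paths above (as root)
install_tex_policy() {
    semodule -i "$1/tex.pp"
    restorecon -Rv /usr/local/sbin/texd /usr/local/bin/confinedtex \
        /opt/tex /var/spool/tex
}

case "${1:-}" in
    build)   write_tex_policy . && build_tex_policy . ;;
    install) write_tex_policy . && build_tex_policy . && install_tex_policy . ;;
esac
```

Run it as "sh tex-policy.sh install" as root. The rules above only cover what the thread lists (TeX tree, system libraries, locales, the two writable trees); a real TeX install will need more, so put the machine in permissive mode (setenforce 0) for a first run, exercise the daemon and the confinedtex wrapper, and feed the AVC denials to audit2allow to see what is still missing before enforcing.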




More information about the fedora-selinux-list mailing list