Confining TeX

Jan Kasprzak kas at fi.muni.cz
Tue Oct 9 16:24:21 UTC 2007


	A few months ago I wrote to this list about confining TeX.
So far I have created the policy module, which works for me. But
I would like to get some review of this module, as I am still not
sure for example when to use the explicit "allow" directive and when some
macros instead (like libs_use_ld_so() etc. - is there a list of such macros?).

	Now I want to confine Xvfb - has anybody tried this?

	Anyway, my tex.te is the following:

------------------------------------------------------------
policy_module(tex, 1.0)

require {
        type bin_t;
        type default_t;
        type initrc_t;
        type unconfined_t;      # used in the allow rule and domain_trans() below
};

# Executable files from the TeX installation
type tex_exec_t;
files_type(tex_exec_t);

# TeX data files
type tex_data_t;
files_type(tex_data_t);

# Temporary files and TeX output
type tex_tmp_t;
files_type(tex_tmp_t);

# Domain under which the TeX daemon runs
type tex_t;
domain_type(tex_t);

role system_r types tex_t;
libs_use_shared_libs(tex_t);
libs_use_ld_so(tex_t);
miscfiles_read_localization(tex_t);
fs_search_all(tex_t);
kernel_dontaudit_read_system_state(tex_t); # dvipng reads /proc/meminfo

# Read symlinks and list/search directories in the TeX installation
allow tex_t tex_exec_t:lnk_file { getattr read };
allow tex_t tex_exec_t:dir ra_dir_perms;
# Browse directories and stat files that are still labelled default_t
allow tex_t default_t:dir ra_dir_perms;
allow tex_t default_t:file getattr;
# Full control over temporary/output files, plus creating and removing
# entries in tex_tmp_t directories
allow tex_t tex_tmp_t:file manage_file_perms;
allow tex_t tex_tmp_t:dir { add_entry_dir_perms del_entry_dir_perms };
# Read-only access to TeX data files
allow tex_t tex_data_t:file ra_file_perms;
allow tex_t tex_data_t:dir ra_dir_perms;
# The unconfined domain may create and modify TeX data files
allow unconfined_t tex_data_t:file manage_file_perms;
allow tex_t bin_t:dir search;
# When started from an init script: inherit its file descriptors and
# deliver SIGCHLD to it on exit
allow tex_t initrc_t:fd use;
allow tex_t initrc_t:process sigchld;

# Enter tex_t when unconfined_t or initrc_t executes a tex_exec_t file
domain_trans(unconfined_t, tex_exec_t, tex_t);
domain_trans(initrc_t, tex_exec_t, tex_t);
domain_entry_file(tex_t, tex_exec_t);
# Silence harmless denials: tty access and searching home directories
term_dontaudit_use_all_user_ttys(tex_t);
files_dontaudit_search_home(tex_t);
------------------------------------------------------------

	Thanks,

-Yenya

-- 
| Jan "Yenya" Kasprzak  <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839      Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/    Journal: http://www.fi.muni.cz/~kas/blog/ |
>     So at least in some cases, I think we should "default to stupid,     <
>     but give users rope".                           --Linus Torvalds     <
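A check a reviewer would want to run over a module like the one posted above: every type that a rule or interface call refers to must either be declared by the module or be listed in its require { } block, otherwise the module fails to build or link. The script below is an added example, not part of the post or of the reference policy; the embedded tex.te is a constructed, shortened variant of the posted module (hypothetical input) in which unconfined_t is used without being required and bin_t is required without being used.

```python
"""Static check for a refpolicy-style .te module: every type a rule refers to
must be declared in the module itself or listed in its require { } block."""
import re

# Types in refpolicy end in _t; interface, class and permission-set names do not.
TYPE_RE = re.compile(r"\b[a-z][a-z0-9_]*_t\b")
DECL_RE = re.compile(r"type\s+([a-z0-9_]+)\s*;")

def audit_te(text):
    """Return (missing, unused): types referenced but neither declared nor
    required, and types listed in require { } that no statement uses."""
    declared, required, referenced = set(), set(), set()
    in_require = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("require"):
            in_require = True
            continue
        if in_require and line.startswith("}"):
            in_require = False
            continue
        m = DECL_RE.match(line)
        if m:
            (required if in_require else declared).add(m.group(1))
            continue
        referenced.update(TYPE_RE.findall(line))
    return sorted(referenced - declared - required), sorted(required - referenced)

# Constructed sample modelled on the posted tex.te: unconfined_t is used by
# domain_trans() but never required, and bin_t is required but never used.
SAMPLE_TE = """\
policy_module(tex, 1.0)
require {
        type bin_t;
        type initrc_t;
};
type tex_exec_t;
files_type(tex_exec_t);
type tex_t;
domain_type(tex_t);
role system_r types tex_t;
allow tex_t tex_exec_t:lnk_file { getattr read };
allow tex_t initrc_t:fd use;
domain_trans(unconfined_t, tex_exec_t, tex_t);
"""

if __name__ == "__main__":
    print(audit_te(SAMPLE_TE))  # (['unconfined_t'], ['bin_t'])
```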
More information about the fedora-selinux-list mailing list