Confining TeX

Jan Kasprzak kas at
Tue Oct 9 16:24:21 UTC 2007

	A few months ago I wrote to this list about confining TeX.
So far I have created the policy module, which works for me. But
I would like to get some review of this module, as I am still not
sure, for example, when to use the explicit "allow" directive and when some
macros instead (like libs_use_ld_so() etc. - is there a list of such macros?).

	Now I want to confine Xvfb - has anybody tried this?

	Anyway, my tex.te is the following:

policy_module(tex, 1.0)

require {
        type bin_t;
        type default_t;
        type initrc_t;
        type unconfined_t;
}

# Executable files from the TeX installation
type tex_exec_t;

# TeX data files
type tex_data_t;

# Temporary files and TeX output
type tex_tmp_t;

# Domain under which the TeX daemon runs
type tex_t;

role system_r types tex_t;
kernel_dontaudit_read_system_state(tex_t); # dvipng reads /proc/meminfo

allow tex_t tex_exec_t:lnk_file { getattr read };
allow tex_t tex_exec_t:dir ra_dir_perms;
allow tex_t default_t:dir ra_dir_perms;
allow tex_t default_t:file getattr;
allow tex_t tex_tmp_t:file manage_file_perms;
allow tex_t tex_tmp_t:dir { add_entry_dir_perms del_entry_dir_perms };
allow tex_t tex_data_t:file ra_file_perms;
allow tex_t tex_data_t:dir ra_dir_perms;
allow unconfined_t tex_data_t:file manage_file_perms;
allow tex_t bin_t:dir search;
allow tex_t initrc_t:fd use;
allow tex_t initrc_t:process sigchld;

domain_trans(unconfined_t, tex_exec_t, tex_t);
domain_trans(initrc_t, tex_exec_t, tex_t);
domain_entry_file(tex_t, tex_exec_t);



| Jan "Yenya" Kasprzak  <kas at { - work | - private}> |
| GPG: ID 1024/D3498839      Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
|    Journal: |
>     So at least in some cases, I think we should "default to stupid,     <
>     but give users rope".                           --Linus Torvalds     <
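
On the "allow versus macro" question in the message above: the reference policy convention is to write raw allow rules only between types the module itself declares, and to reach types owned by other modules through their interfaces. The following sketch is an added example (not part of the original post or of any SELinux tool); it sorts a module's allow rules along that line, and the function name, the bucket names and the trimmed sample policy are constructed for illustration.

```python
import re

# Constructed sample: a trimmed version of the tex.te rules quoted above.
SAMPLE_TE = """
policy_module(tex, 1.0)
require {
        type bin_t;
        type initrc_t;
}
type tex_exec_t;
type tex_tmp_t;
type tex_t;
allow tex_t tex_exec_t:lnk_file { getattr read };
allow tex_t tex_tmp_t:file manage_file_perms;
allow unconfined_t tex_tmp_t:file manage_file_perms;
allow tex_t bin_t:dir search;  # foreign type: interface candidate
allow tex_t initrc_t:fd use;
"""

TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*[;,]", re.M)
REQUIRE_RE = re.compile(r"\brequire\s*\{(.*?)\}", re.S)
# Assumption: source and target are single type names, not { a b } sets.
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*:", re.M)

def classify_allow_rules(te_text):
    """Bucket each allow rule by who owns the types it names.

    local      - both types declared in this module; a raw allow is fine
    foreign    - names a required (external) type; interface candidate
    undeclared - names a type neither declared nor required here
    """
    text = re.sub(r"#.*", "", te_text)          # strip comments
    required = set()
    for body in REQUIRE_RE.findall(text):       # types inside require { }
        required.update(TYPE_RE.findall(body))
    local = set(TYPE_RE.findall(REQUIRE_RE.sub("", text)))
    report = {"local": [], "foreign": [], "undeclared": []}
    for src, tgt in ALLOW_RE.findall(text):
        names = {src, src if tgt == "self" else tgt}
        if names - local - required:
            bucket = "undeclared"
        elif names <= local:
            bucket = "local"
        else:
            bucket = "foreign"
        report[bucket].append((src, tgt))
    return report

if __name__ == "__main__":
    for bucket, rules in classify_allow_rules(SAMPLE_TE).items():
        print(bucket, rules)
```
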

More information about the fedora-selinux-list mailing list