Confining TeX

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

        Hello,

        I am implementing a remote TeX server for our users,
and I would like to confine it using SELinux (FC6, targeted policy).
I need help or suggestions on possible approaches. What I want to do
is the following:

- I have a TeX installation in a separate directory
- I want local users to be able to run TeX commands without restrictions
- I want to have a daemon, running under a separate user, which will handle
        remote requests for TeX compilation. Under this user/daemon
        the TeX commands should be confined, so that they can only
        read TeX data files (the texmf/ tree), execute the TeX sub-commands
        (i.e. files under <texroot>/bin/ directory) - including the rights
        to the system libraries, locales, etc. as necessary. And the confined
        processes should write only to the texmf-var tree (autogenerated
        bitmap fonts, etc.) and to the temporary directory, reserved for
        TeX outputs (logs, DVI files, dvips outputs, etc.).

        My current solution is to create the tex_t domain,
and tex_exec_t, tex_data_t, and tex_tmp_t file types, and make the
daemon run "runcon -t tex_t -- tex myfile.tex" instead of plain
"tex myfile.tex".

        Maybe there are better approaches than this:

- maybe the "runcon" is not necessary, and TeX executables can be made to
        enter the tex_t domain automatically, when started by the UNIX user
        under which the daemon runs.

- or maybe I should use SELinux users or roles instead of domains (?)

- or maybe the daemon should run under its own special domain?

	The "runcon" approach allows local users to compile also
untrusted TeX sources - i.e. they can be able to run TeX either under their
own context, or via "runcon" in the confined mode.

	Any suggestions?

-Yenya

-- 
| Jan "Yenya" Kasprzak  <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839      Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/    Journal: http://www.fi.muni.cz/~kas/blog/ |
> I will never go to meetings again because I think  face to face meetings <
> are the biggest waste of time you can ever have.        --Linus Torvalds <

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux