Re: Confining TeX

Jan Kasprzak wrote:
        Hello,

        I am implementing a remote TeX server for our users,
and I would like to confine it using SELinux (FC6, targeted policy).
I need help or suggestions on possible approaches. What I want to do
is the following:

- I have a TeX installation in a separate directory
- I want local users to be able to run TeX commands without restrictions
- I want to have a daemon, running under a separate user, which will handle
        remote requests for TeX compilation. Under this user/daemon
        the TeX commands should be confined, so that they can only
        read TeX data files (the texmf/ tree), execute the TeX sub-commands
        (i.e. files under <texroot>/bin/ directory) - including the rights
        to the system libraries, locales, etc. as necessary. And the confined
        processes should write only to the texmf-var tree (autogenerated
        bitmap fonts, etc.) and to the temporary directory, reserved for
        TeX outputs (logs, DVI files, dvips outputs, etc.).

        My current solution is to create the tex_t domain,
and tex_exec_t, tex_data_t, and tex_tmp_t file types, and make the
daemon run "runcon -t tex_t -- tex myfile.tex" instead of plain
"tex myfile.tex".

Maybe there are better approaches than this:

- maybe the "runcon" is not necessary, and TeX executables can be made to
        enter the tex_t domain automatically, when started by the UNIX user
        under which the daemon runs.

- or maybe I should use SELinux users or roles instead of domains (?)

- or maybe the daemon should run under its own special domain?

	The "runcon" approach also allows local users to compile
untrusted TeX sources, i.e. they are able to run TeX either under their
own context or via "runcon" in the confined mode.

I have not seen your policy but a couple of comments:
First, you said you have a daemon, which means you almost never need to use runcon. runcon is really a test program. You write rules to transition from initrc_t to your confined domain and then put an init script in /etc/init.d and it will transition (with proper labeling).

If you want to have a program that users will run in the confined environment, you could create a context on a small program or script (confinedtex) labeled confinedtex_exec_t, and then write transition rules like the following:

domain_auto_trans(unconfined_t, confinedtex_exec_t, tex_t)

Then label the script confinedtex_exec_t.

Now the users could either run tex directly or run confinedtex.

	Any suggestions?

-Yenya


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
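The two transitions discussed in the reply (initrc_t to the confined domain for the daemon, unconfined_t to the confined domain through a small wrapper for local users), written out as one reference-policy module. This is an added example, not a policy posted in the thread or shipped with Fedora. It assumes the FC6 selinux-policy-devel macros (policy_module, init_daemon_domain, domain_auto_trans, files_tmp_filetrans and the r_/create_ permission sets), and it invents the paths /opt/texlive for the TeX root, /usr/local/sbin/texd for the daemon, /usr/local/bin/confinedtex for the wrapper and /var/lib/texd for the output directory; substitute your own. The type names tex_t, tex_exec_t, tex_data_t and tex_tmp_t are the ones from the question; tex_var_t for the texmf-var tree is added here.

```selinux
# tex.te -- added example, not from the mailing-list thread.
# Assumed paths: /opt/texlive (TeX root), /usr/local/sbin/texd (daemon),
# /usr/local/bin/confinedtex (wrapper), /var/lib/texd (job output).

policy_module(tex, 1.0)

########################################
# Declarations

# Confined domain, plus the entrypoint type shared by the daemon binary
# and everything under <texroot>/bin.  init_daemon_domain() declares
# tex_t as a domain, tex_exec_t as its entrypoint, and allows the
# initrc_t -> tex_t transition when the init script execs the daemon,
# so no runcon is needed.
type tex_t;
type tex_exec_t;
init_daemon_domain(tex_t, tex_exec_t)

# Second entrypoint: the wrapper script local users run on purpose.
type confinedtex_exec_t;
domain_entry_file(tex_t, confinedtex_exec_t)

# Read-only texmf tree.
type tex_data_t;
files_type(tex_data_t)

# texmf-var (autogenerated bitmap fonts etc.); must be writable.
type tex_var_t;
files_type(tex_var_t)

# Output directory for logs, DVI files, dvips output.
type tex_tmp_t;
files_tmp_file(tex_tmp_t)

########################################
# Transitions

# Local users: unconfined_t -> tex_t when executing confinedtex.
# (If your users run in a role other than system_r, add
#  "role <that_role> types tex_t;" or the transition will be refused.)
gen_require(`
	type unconfined_t;
')
domain_auto_trans(unconfined_t, confinedtex_exec_t, tex_t)

########################################
# What tex_t may do

# Run the TeX sub-commands under <texroot>/bin without changing domain.
can_exec(tex_t, tex_exec_t)

# The wrapper and the mktex* helpers are shell scripts: shell + coreutils.
corecmd_exec_shell(tex_t)
corecmd_exec_bin(tex_t)

# Read the texmf tree, nothing more.
allow tex_t tex_data_t:dir r_dir_perms;
allow tex_t tex_data_t:file r_file_perms;
allow tex_t tex_data_t:lnk_file read;

# The only two places tex_t may write.
allow tex_t tex_var_t:dir create_dir_perms;
allow tex_t tex_var_t:file create_file_perms;
allow tex_t tex_tmp_t:dir create_dir_perms;
allow tex_t tex_tmp_t:file create_file_perms;
# Scratch files tex_t creates under /tmp get tex_tmp_t, not tmp_t.
files_tmp_filetrans(tex_t, tex_tmp_t, { file dir })

# Dynamic linker, shared libraries, locale data, /etc (ld.so.cache, ...).
libs_use_ld_so(tex_t)
libs_use_shared_libs(tex_t)
miscfiles_read_localization(tex_t)
files_read_etc_files(tex_t)

# Deliberately absent: the daemon's listening socket (corenet_* rules)
# and whatever else audit.log reports when you first run it permissive.

########################################
# tex.fc -- file contexts (same assumed paths)
#
# /opt/texlive/bin(/.*)?        gen_context(system_u:object_r:tex_exec_t,s0)
# /opt/texlive/texmf(/.*)?      gen_context(system_u:object_r:tex_data_t,s0)
# /opt/texlive/texmf-var(/.*)?  gen_context(system_u:object_r:tex_var_t,s0)
# /usr/local/sbin/texd       -- gen_context(system_u:object_r:tex_exec_t,s0)
# /usr/local/bin/confinedtex -- gen_context(system_u:object_r:confinedtex_exec_t,s0)
# /var/lib/texd(/.*)?           gen_context(system_u:object_r:tex_tmp_t,s0)
#
# /usr/local/bin/confinedtex is just:
#   #!/bin/sh
#   exec /opt/texlive/bin/tex "$@"
#
# Build, load, relabel (as root):
#   make -f /usr/share/selinux/devel/Makefile tex.pp
#   semodule -i tex.pp
#   restorecon -Rv /opt/texlive /usr/local/sbin/texd /usr/local/bin/confinedtex /var/lib/texd
```

Check the result with ps -eZ (the daemon and any tex it spawns should show tex_t) and by running confinedtex on a .tex file that tries to \openout into the user's home directory: the write must be denied and logged, while plain tex from the same shell still succeeds. With the daemon labelled tex_exec_t it runs inside tex_t itself, which also covers the "daemon in its own special domain" option from the question.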