Hello,
I am implementing a remote TeX server for our users, and I would like to confine it using SELinux (FC6, targeted policy). I need help or suggestions on possible approaches. What I want to do is the following:
- I have a TeX installation in a separate directory
- I want local users to be able to run TeX commands without restrictions
- I want to have a daemon, running under a separate user, which will handle remote requests for TeX compilation. Under this user/daemon the TeX commands should be confined, so that they can only read TeX data files (the texmf/ tree), execute the TeX sub-commands (i.e. files under <texroot>/bin/ directory) - including the rights to the system libraries, locales, etc. as necessary. And the confined processes should write only to the texmf-var tree (autogenerated bitmap fonts, etc.) and to the temporary directory, reserved for TeX outputs (logs, DVI files, dvips outputs, etc.).
My current solution is to create the tex_t domain, and tex_exec_t, tex_data_t, and tex_tmp_t file types, and make the daemon run "runcon -t tex_t -- tex myfile.tex" instead of plain "tex myfile.tex".
Maybe there are better approaches than this:
- maybe the "runcon" is not necessary, and TeX executables can be made to enter the tex_t domain automatically, when started by the UNIX user under which the daemon runs.
- or maybe I should use SELinux users or roles instead of domains (?)
- or maybe the daemon should run under its own special domain?
The "runcon" approach also allows local users to compile untrusted TeX sources - i.e. they are able to run TeX either under their own context, or via "runcon" in the confined mode.
Any suggestions?
-Yenya
Jan Kasprzak wrote:
I have not seen your policy but a couple of comments: First you said you have a daemon, which means you almost never need to use runcon. runcon is really a test program. You write rules to transition from initrc_t to your confined domain and then put an init script in /etc/init.d and it will transition. (With proper labeling.)
If you want to have a program that users will run in the confined environment you could create a context on a small program or script (confinedtex) labeled confinedtex_exec_t, and then write transition rules like the following
domain_auto_trans(unconfined_t, confinedtex_exec_t, tex_t)
Then label the script confinedtex_exec_t.
Now the users could either run with tex directly or run confinedtex.
A few months ago I wrote to this list about confining TeX. So far I have created the policy module, which works for me. But I would like to get some review of this module, as I am still not sure for example when to use the explicit "allow" directive and when some macros instead (like libs_use_ld_so() etc. - is there a list of such macros?).
Now I want to confine Xvfb - has anybody tried this?
Anyway, my tex.te is the following:
------------------------------------------------------------
policy_module(tex, 1.0)

require {
	type bin_t;
	type default_t;
	type initrc_t;
	type unconfined_t;	# referenced by the allow and domain_trans rules below
	role system_r;		# referenced by the role statement below
};

# Executable files from the TeX installation
type tex_exec_t;
files_type(tex_exec_t);

# TeX data files
type tex_data_t;
files_type(tex_data_t);

# Temporary files and TeX output
type tex_tmp_t;
files_type(tex_tmp_t);

# Domain under which the TeX daemon runs
type tex_t;
domain_type(tex_t);
role system_r types tex_t;

libs_use_shared_libs(tex_t);
libs_use_ld_so(tex_t);
miscfiles_read_localization(tex_t);
fs_search_all(tex_t);
kernel_dontaudit_read_system_state(tex_t);	# dvipng reads /proc/meminfo

allow tex_t tex_exec_t:lnk_file { getattr read };
allow tex_t tex_exec_t:dir ra_dir_perms;
allow tex_t default_t:dir ra_dir_perms;
allow tex_t default_t:file getattr;
allow tex_t tex_tmp_t:file manage_file_perms;
allow tex_t tex_tmp_t:dir { add_entry_dir_perms del_entry_dir_perms };
allow tex_t tex_data_t:file ra_file_perms;
allow tex_t tex_data_t:dir ra_dir_perms;
allow unconfined_t tex_data_t:file manage_file_perms;
allow tex_t bin_t:dir search;
allow tex_t initrc_t:fd use;
allow tex_t initrc_t:process sigchld;

domain_trans(unconfined_t, tex_exec_t, tex_t);
domain_trans(initrc_t, tex_exec_t, tex_t);
domain_entry_file(tex_t, tex_exec_t);
term_dontaudit_use_all_user_ttys(tex_t);
files_dontaudit_search_home(tex_t);
------------------------------------------------------------
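A reviewer's first question for a module like the one above is which types tex_t can actually modify, since the stated goal is writes to tex_tmp_t (and texmf-var) only. The script below is an added example, not part of the posted module: it expands the refpolicy permission-set macros that tex.te uses and reports every target type on which tex_t holds a write-like permission. The macro expansions are my assumption of what refpolicy's obj_perm_sets.spt defines and should be checked against the installed version.

```python
"""Mini reviewer for the tex.te allow rules: which types can tex_t write to?"""
import re

# Assumed refpolicy expansions (check obj_perm_sets.spt on the target box).
# Note that the "ra" (read+append) sets are not read-only.
PERM_SETS = {
    "ra_file_perms": {"ioctl", "read", "getattr", "lock", "append"},
    "ra_dir_perms": {"ioctl", "read", "getattr", "lock", "search", "add_name", "write"},
    "manage_file_perms": {"create", "getattr", "setattr", "read", "write", "append",
                          "rename", "link", "unlink", "ioctl", "lock"},
    "add_entry_dir_perms": {"ioctl", "read", "getattr", "lock", "search", "add_name", "write"},
    "del_entry_dir_perms": {"ioctl", "read", "getattr", "lock", "search", "remove_name", "write"},
}
# Permissions that let a domain change the object or its directory listing.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "link", "setattr",
               "add_name", "remove_name"}

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def expand(perms):
    """Turn '{ a b }' or a bare macro/permission name into a set of permissions."""
    out = set()
    for name in perms.strip("{} ").split():
        out |= PERM_SETS.get(name, {name})
    return out

def parse_allow_rules(policy_text):
    """Yield (source, target, class, perms) for every allow rule in the text."""
    for src, tgt, cls, perms in ALLOW_RE.findall(policy_text):
        yield src, tgt, cls, expand(perms)

def writable_targets(policy_text, domain):
    """Map target type -> sorted 'class:perm' write-like perms the domain holds."""
    found = {}
    for src, tgt, cls, perms in parse_allow_rules(policy_text):
        if src == domain and perms & WRITE_PERMS:
            found.setdefault(tgt, set()).update(f"{cls}:{p}" for p in perms & WRITE_PERMS)
    return {t: sorted(v) for t, v in found.items()}

def unexpected_writes(policy_text, domain="tex_t", allowed=frozenset({"tex_tmp_t"})):
    """Writable targets outside the set the policy author intends to be writable."""
    return {t: p for t, p in writable_targets(policy_text, domain).items() if t not in allowed}

# Constructed sample: the tex_t allow lines from the tex.te above.
TEX_TE = """
allow tex_t tex_exec_t:dir ra_dir_perms; allow tex_t default_t:dir ra_dir_perms;
allow tex_t default_t:file getattr; allow tex_t tex_tmp_t:file manage_file_perms;
allow tex_t tex_tmp_t:dir { add_entry_dir_perms del_entry_dir_perms };
allow tex_t tex_data_t:file ra_file_perms; allow tex_t tex_data_t:dir ra_dir_perms;
allow tex_t bin_t:dir search; allow tex_t initrc_t:fd use;
"""

if __name__ == "__main__":
    for target, perms in unexpected_writes(TEX_TE).items():
        print(f"{target}: {', '.join(perms)}")
```

Run against the rules above it flags tex_data_t (file append, directory add_name) as well as tex_exec_t and default_t (directory add_name), because the ra_* sets mean read-plus-append; read_file_perms and list_dir_perms (or search_dir_perms) are the sets that match the intent of writing only to tex_tmp_t.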
Thanks,
-Yenya
selinux@lists.fedoraproject.org