Jan Kasprzak wrote:
> Hello, I am implementing a remote TeX server for our users,
> and I would like to confine it using SELinux (FC6, targeted policy).
> I need help or suggestions on possible approaches. What I want to do
> is the following:
>
> - I have a TeX installation in a separate directory.
> - I want local users to be able to run TeX commands without
>   restrictions.
> - I want to have a daemon, running under a separate user, which will
>   handle remote requests for TeX compilation. Under this user/daemon
>   the TeX commands should be confined, so that they can only read TeX
>   data files (the texmf/ tree) and execute the TeX sub-commands (i.e.
>   files under the <texroot>/bin/ directory), including the rights to
>   the system libraries, locales, etc. as necessary. The confined
>   processes should write only to the texmf-var tree (autogenerated
>   bitmap fonts, etc.) and to the temporary directory reserved for TeX
>   outputs (logs, DVI files, dvips outputs, etc.).
>
> My current solution is to create the tex_t domain, and the tex_exec_t,
> tex_data_t, and tex_tmp_t file types, and make the daemon run
> "runcon -t tex_t -- tex myfile.tex" instead of plain "tex myfile.tex".
>
> Maybe there are better approaches than this:
>
> - maybe the "runcon" is not necessary, and TeX executables can be made
>   to enter the tex_t domain automatically when started by the UNIX
>   user under which the daemon runs;
> - or maybe I should use SELinux users or roles instead of domains (?);
> - or maybe the daemon should run under its own special domain?
>
> The "runcon" approach allows local users to also compile untrusted TeX
> sources, i.e. they are able to run TeX either under their own context
> or via "runcon" in the confined mode.
I have not seen your policy, but a couple of comments: First, you said you have a daemon, which means you almost never need to use runcon. runcon is really a test program. You write rules to transition from initrc_t to your confined domain and then put an init script in /etc/init.d and it will transition. (With proper labeling.)

If you want to have a program that users will run in the confined environment, you could create a context on a small program or script (confinedtex) labeled confinedtex_exec_t, and then write transition rules like the following:

    domain_auto_trans(unconfined_t, confinedtex_exec_t, tex_t)

Then label the script confinedtex_exec_t.

Now the users could either run tex directly or run confinedtex.
> Any suggestions?
>
> -Yenya
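As an added illustration, not code from either participant, the approach in the reply written out as a refpolicy-style module skeleton for the tex_t domain and the file types named in the question. Interface and permission-set names are the standard refpolicy ones; the tex_var_t type for the texmf-var tree is an assumption, and the texmf and <texroot>/bin paths still need matching file-context entries.

```selinux
# Added example: tex.te skeleton for the confined tex_t domain.
# tex_var_t (texmf-var tree) is an assumed type; the rest follow the thread.
policy_module(tex, 1.0.0)

gen_require(`
    type unconfined_t;
')

# The confined domain and its entrypoints
type tex_t;
type tex_exec_t;            # TeX binaries under <texroot>/bin
type confinedtex_exec_t;    # small wrapper script users may run
domain_type(tex_t)
domain_entry_file(tex_t, tex_exec_t)
domain_entry_file(tex_t, confinedtex_exec_t)
role system_r types tex_t;

# File types: read-only texmf tree, writable texmf-var and output tmp
type tex_data_t;
files_type(tex_data_t)
type tex_var_t;
files_type(tex_var_t)
type tex_tmp_t;
files_tmp_file(tex_tmp_t)

# Daemon: the init script starts it in initrc_t, and execve of a
# tex_exec_t binary transitions to tex_t, so no runcon is needed
init_daemon_domain(tex_t, tex_exec_t)

# Local users: running the confinedtex wrapper enters tex_t
domain_auto_trans(unconfined_t, confinedtex_exec_t, tex_t)

# Read and execute the TeX installation, nothing more
allow tex_t tex_data_t:dir list_dir_perms;
allow tex_t tex_data_t:file read_file_perms;
can_exec(tex_t, tex_exec_t)

# Write only to texmf-var (generated fonts) and the reserved tmp dir
allow tex_t { tex_var_t tex_tmp_t }:dir manage_dir_perms;
allow tex_t { tex_var_t tex_tmp_t }:file manage_file_perms;
files_tmp_filetrans(tex_t, tex_tmp_t, { file dir })

# Shared libraries, locales and /etc lookups the binaries need
libs_use_ld_so(tex_t)
libs_use_shared_libs(tex_t)
miscfiles_read_localization(tex_t)
files_read_etc_files(tex_t)
```

Build it with the policy-devel Makefile (make -f /usr/share/selinux/devel/Makefile) and load it with semodule -i tex.pp, then relabel the texmf tree, the binaries, the wrapper script and the output directory so they carry the types above. Denials that show up in the audit log while running a few test documents tell you which additional read-only interfaces the binaries actually need.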