A few months ago I wrote to this list about confining TeX. So far I have created the policy module, which works for me. But I would like to get some review of this module, as I am still not sure, for example, when to use an explicit "allow" rule and when to use one of the macros instead (like libs_use_ld_so() etc.; is there a list of such macros?).
Now I want to confine Xvfb - has anybody tried this?
Anyway, my tex.te is the following:
------------------------------------------------------------
policy_module(tex, 1.0)

require {
	type bin_t;
	type default_t;
	type initrc_t;
	type unconfined_t;	# referenced by the allow rule and domain_trans() below; a module must require it
	role system_r;		# referenced by "role system_r types tex_t" below
};

# Executable files from the TeX installation
type tex_exec_t;
files_type(tex_exec_t);

# TeX data files
type tex_data_t;
files_type(tex_data_t);

# Temporary files and TeX output
type tex_tmp_t;
files_type(tex_tmp_t);

# Domain under which the TeX daemon runs
type tex_t;
domain_type(tex_t);
role system_r types tex_t;

libs_use_shared_libs(tex_t);
libs_use_ld_so(tex_t);
miscfiles_read_localization(tex_t);
fs_search_all(tex_t);
kernel_dontaudit_read_system_state(tex_t);	# dvipng reads /proc/meminfo

allow tex_t tex_exec_t:lnk_file { getattr read };
allow tex_t tex_exec_t:dir ra_dir_perms;
allow tex_t default_t:dir ra_dir_perms;
allow tex_t default_t:file getattr;
allow tex_t tex_tmp_t:file manage_file_perms;
allow tex_t tex_tmp_t:dir { add_entry_dir_perms del_entry_dir_perms };
allow tex_t tex_data_t:file ra_file_perms;
allow tex_t tex_data_t:dir ra_dir_perms;
allow unconfined_t tex_data_t:file manage_file_perms;
allow tex_t bin_t:dir search;		# the reference policy interface for this is corecmd_search_bin(tex_t)
allow tex_t initrc_t:fd use;		# reference policy interface: init_use_fds(tex_t)
allow tex_t initrc_t:process sigchld;	# reference policy interface: init_sigchld(tex_t)

# domain_trans() only permits the transition; domain_auto_trans() would also
# add the type_transition so it happens automatically on exec of tex_exec_t.
domain_trans(unconfined_t, tex_exec_t, tex_t);
domain_trans(initrc_t, tex_exec_t, tex_t);
domain_entry_file(tex_t, tex_exec_t);
term_dontaudit_use_all_user_ttys(tex_t);
files_dontaudit_search_home(tex_t);
------------------------------------------------------------
Thanks,
-Yenya
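Added example (not from the original post or its author): the usual way to find out which allow rules a domain like tex_t still needs is to run it in permissive mode, collect the AVC denials, and fold them into candidate rules. The script below does that folding on a constructed sample of audit.log lines; the type names follow the tex.te above, but the records, PIDs and inodes are made up. It reports, it does not decide: a denial on proc_t, for instance, is exactly what the module above handles with kernel_dontaudit_read_system_state() rather than an allow, and whether a rule should become a reference policy interface call is a judgement the script cannot make.

```python
"""Fold AVC denials into candidate allow rules (added example, not the
post's own code).  Sample log lines are constructed for illustration."""
import re
from collections import defaultdict

# Constructed sample of audit.log records in the kernel's "avc: denied" format.
# Values (PIDs, inodes, timestamps) are invented; the SYSCALL line shows that
# non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1200000001.123:42): avc:  denied  { read } for  pid=1234 comm="latex" name="meminfo" dev=proc ino=4026531 scontext=system_u:system_r:tex_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1200000001.124:43): avc:  denied  { getattr } for  pid=1234 comm="latex" path="/proc/meminfo" dev=proc ino=4026531 scontext=system_u:system_r:tex_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1200000002.001:44): avc:  denied  { write } for  pid=1235 comm="dvipng" name="out.png" dev=sda1 ino=99 scontext=system_u:system_r:tex_t:s0 tcontext=system_u:object_r:tex_tmp_t:s0 tclass=file
type=AVC msg=audit(1200000002.002:45): avc:  denied  { search } for  pid=1235 comm="dvipng" name="bin" dev=sda1 ino=12 scontext=system_u:system_r:tex_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1200000002.003:46): avc:  denied  { read } for  pid=1235 comm="dvipng" name="out.png" dev=sda1 ino=99 scontext=system_u:system_r:tex_t:s0 tcontext=system_u:object_r:tex_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1200000002.003:46): arch=c000003e syscall=2 success=yes exit=3
"""

# Permissions are the brace-delimited list right after "denied"; the source and
# target contexts and the object class follow later on the same record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, class, set(perms)) per AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other noise carry no denial
        yield (
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            set(m.group("perms").split()),
        )


def aggregate(log_text):
    """Merge denials sharing (source, target, class) into one permission set."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    return dict(merged)


def candidate_rules(log_text):
    """Render the merged denials as allow rules, sorted for stable output.

    Every rule here is a candidate only: review each one and decide whether
    it belongs as an allow, a dontaudit, or a reference policy interface."""
    rules = []
    for (src, tgt, cls), perms in sorted(aggregate(log_text).items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_str))
    return rules


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

On the sample above this yields three rules: the bin_t search and the tex_tmp_t read/write are already covered by the module (corecmd_search_bin()-style search and manage_file_perms), and the proc_t one is the /proc/meminfo access that the module deliberately dontaudits instead of allowing. That is the point of reviewing rather than pasting the output: merging denials is mechanical, deciding which of them to grant is not.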