Set SELinux to allow only httpd daemon to use specific tty device

Daniel J Walsh dwalsh at redhat.com
Mon May 5 13:32:40 UTC 2014


On 05/04/2014 12:22 AM, Emmanuel Noobadmin wrote:
> Using Fedora 20 3.11.10-301.fc20.x86_64 and selinux targeted policy.29
>
> I've a PHP application that sends data to a USB tty device e.g.
> /dev/usbDataCollector
>
> Unfortunately selinux is blocking this action. When set to permissive,
> the alert browser suggests the command: setsebool -P daemons_use_tty 1
>
> The documentation says Allow all daemons the ability to use
> unallocated ttys. This naturally doesn't sound like a good idea
> although admittedly it probably won't hurt in this particular
> installation. However, I thought it would be good to find the
> 'correct' solution to this.
>
> But I am unable to find a more fine-grained SELinux control for this.
> Fedora 20 has no documentation, and the only vaguely relevant one I
> could find elsewhere is httpd_tty_comm, which appears unrelated as it is
> about allowing httpd to communicate with a terminal.
>
> So the question is whether there is any way to do this or is allowing
> all daemons the only option?
Simplest would be to just use
# grep usbDataCollector /var/log/audit/audit.log | audit2allow -M myhttp
# semodule -i myhttp.pp

This would allow httpd_t processes the ability to use usb_device_t.
If you really wanted to tighten it up, you could build a custom policy
that put a different label on /dev/usbDataCollector and allow httpd_t
access to this device.

Something like

# cat myhttp.te
policy_module(myhttp, 1.0)
gen_require(`
    type httpd_t;
')

# dedicated device type so only this node, not every usb_device_t, is opened up
type httpd_device_t;
dev_node(httpd_device_t)

allow httpd_t httpd_device_t:chr_file rw_chr_file_perms;

# cat myhttp.fc
# (file name must match the .te so the Makefile builds myhttp.pp; -c = char device)
/dev/usbDataCollector        -c   gen_context(system_u:object_r:httpd_device_t,s0)

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myhttp.pp
# restorecon -v /dev/usbDataCollector
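As an added example (not from the thread or from the Fedora policy sources), the script below does by hand what the audit2allow route does blindly: it collects the AVC denials for one device path from constructed audit.log lines and emits a .te/.fc pair that gives that node its own type and allows only the permissions actually denied, instead of granting httpd_t every usb_device_t node. The sample records, the module name and the function names are assumptions.

```python
import re

# Constructed audit.log records for this example (not from the thread);
# the layout follows the kernel's AVC record format.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1399259000.123:456): avc:  denied  { read write } for  pid=1234 comm="httpd" path="/dev/usbDataCollector" dev="devtmpfs" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1399259001.456:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/dev/usbDataCollector" dev="devtmpfs" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1399259002.789:458): avc:  denied  { read } for  pid=1234 comm="httpd" path="/dev/ttyUSB1" dev="devtmpfs" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?path="(?P<path>[^"]+)"'
    r'.*?scontext=\w+:\w+:(?P<sdom>\w+):.*?tcontext=\w+:\w+:(?P<ttype>\w+):'
    r'.*?tclass=(?P<tclass>\w+)'
)

def parse_denials(log, path):
    """Map (source domain, target type, class) -> denied permissions for one
    device path. Denials on other nodes (here /dev/ttyUSB1) are dropped, which
    is what keeps the resulting module narrower than 'grep | audit2allow'."""
    found = {}
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("path") != path:
            continue
        key = (m.group("sdom"), m.group("ttype"), m.group("tclass"))
        found.setdefault(key, set()).update(m.group("perms").split())
    return found

def generate_module(name, device, new_type, denials):
    """Return (.te source, .fc source) labelling `device` with `new_type` and
    allowing only the observed permissions. The reply above uses the
    rw_chr_file_perms macro instead of an explicit permission set."""
    domains = {sdom for (sdom, _, _) in denials}
    te = [f"policy_module({name}, 1.0)", "gen_require(`"]
    te += [f"\ttype {d};" for d in sorted(domains)]
    te += ["')", "", f"type {new_type};", f"dev_node({new_type})", ""]
    for (sdom, _, tclass), perms in sorted(denials.items()):
        te.append(f"allow {sdom} {new_type}:{tclass} {{ {' '.join(sorted(perms))} }};")
    # -c marks a character device; both files must share the module name
    fc = f"{device}\t-c\tgen_context(system_u:object_r:{new_type},s0)\n"
    return "\n".join(te) + "\n", fc

if __name__ == "__main__":
    d = parse_denials(SAMPLE_AUDIT, "/dev/usbDataCollector")
    te, fc = generate_module("myhttp", "/dev/usbDataCollector", "httpd_device_t", d)
    print(te)
    print(fc)
```

Write the two strings to myhttp.te and myhttp.fc and build them with the Makefile and semodule/restorecon steps shown above.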
