Set SELinux to allow only httpd daemon to use specific tty device

Emmanuel Noobadmin centos.admin at gmail.com
Tue May 6 04:03:11 UTC 2014


On 5/5/14, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Simplest would be to just use
> # grep usbDataCollector /var/log/audit/audit.log | audit2allow -M myhttp
> # semodule -i myhttp.pp
>
> This would allot httpd_t processes the ability to use usb_device_t.
> If you really wanted to tighten it up, you could build a custom policy
> that put a different label on /dev/usbDataCollector and allow httpd_t
> access to this device.
>
> Something like
>
> # cat myhttp.te
> policy_module(myhttp, 1.0)
> gen_require(`
>     type httpd_t;
> ')
>
> type httpd_device_t;
> dev_node(httpd_device_t)
>
> allow httpd_t httpd_device_t:chr_file rw_chr_file_perms;
>
> # cat myhttpd.fc
> /dev/usbDataCollector        -c    gen_context(system_u:object_r:httpd_device_t,s0)
>
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i myhttp.pp
> # restorecon -v /dev/usbDataCollector

Thanks for the reply, I'll keep this in mind for the next machine.
Currently, I'm unable to test it out since F20 stopped booting (for no
reason I could figure out) on the laptop and I had to resort to
another distribution.
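As an added example that is not code from the thread, the script below does in Python what the `grep usbDataCollector /var/log/audit/audit.log | audit2allow` step does for this one device: it parses AVC denial lines, collects the denied permissions per source type, target type and object class, and renders the resulting `allow` rule, optionally retargeted to the custom `httpd_device_t` type from the tightened policy. The audit log lines are constructed for the example; only the device name and the httpd_t / usb_device_t types come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from the original post); a denial
# for an unrelated device is included to show that it is filtered out.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1399348800.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="usbDataCollector" dev="devtmpfs" ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=AVC msg=audit(1399348801.456:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="usbDataCollector" dev="devtmpfs" ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=AVC msg=audit(1399348802.789:458): avc:  denied  { read } for  pid=2222 comm="cupsd" name="lp0" dev="devtmpfs" ino=1111 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
"""

# Pull the denied permission set, both security contexts and the object class
# out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)'
)


def parse_avc_denials(log_text, device_name):
    """Return {(source_type, target_type, tclass): {perm, ...}} for denials
    whose record mentions device_name (the equivalent of the grep step)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if device_name not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level; the type is the third field.
        stype = m.group("scon").split(":")[2]
        ttype = m.group("tcon").split(":")[2]
        denials[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(denials)


def allow_rules(denials, retarget=None):
    """Render one allow rule per (source, target, class). retarget maps a
    target type to a custom one, e.g. {"usb_device_t": "httpd_device_t"},
    mirroring the tightened policy that relabels the device node."""
    retarget = retarget or {}
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        ttype = retarget.get(ttype, ttype)
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG, "usbDataCollector")
    print("\n".join(allow_rules(found, {"usb_device_t": "httpd_device_t"})))
```

With the retarget mapping the output matches the rule in the custom `myhttp.te` above, except that the permission set is the exact denied set rather than the broader `rw_chr_file_perms` macro.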
