hi
I could not find a usbguard policy altough the service runs as root.
I've created an initial policy to confine the usbguard daemon: https://github.com/fedora-selinux/selinux-policy-contrib/pull/26/files
I encountered some problems:
* the daemon wants to manage it's usbguard-daemon.conf file. If the usbguard-daemon process has no write access to /etc/usbguard-daemon.conf it will quit immediately on service start. At least for servers I wan't to manage the config with a config mgmt tool and not let usbguard itself change it's config.
* server vs. desktop: the daemon provides an interface for desktop applets or the usbuard cli to manipulate the rules and config. This is desirable for a desktop but IMHO not for servers. what should be the default? should the daemon be allowed to change its config/rules or not?
- Thomas
On 08/31/2017 09:29 PM, Thomas Mueller wrote:
hi
I could not find a usbguard policy altough the service runs as root.
I've created an initial policy to confine the usbguard daemon: https://github.com/fedora-selinux/selinux-policy-contrib/pull/26/files
I encountered some problems:
- the daemon wants to manage it's usbguard-daemon.conf file. If the
usbguard-daemon process has no write access to /etc/usbguard-daemon.conf it will quit immediately on service start. At least for servers I wan't to manage the config with a config mgmt tool and not let usbguard itself change it's config.
- server vs. desktop: the daemon provides an interface for desktop
applets or the usbuard cli to manipulate the rules and config. This is desirable for a desktop but IMHO not for servers. what should be the default? should the daemon be allowed to change its config/rules or not?
Thanks for Pull Request, I created copr repo[1] with this policy for testing purposes, if usbguard folks will finish testing usbguard policy, I'll merge it and add into Fedora Rawhide selinux-policy package.
[1] https://copr.fedorainfracloud.org/coprs/lvrabec/selinux-policy-usbguard/
Thanks, Lukas.
- Thomas
https://dkopecek.github.io/usbguard/ _______________________________________________ selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
selinux@lists.fedoraproject.org