Set SELinux to allow only httpd daemon to use specific tty device
Daniel J Walsh
dwalsh at redhat.com
Tue May 6 12:43:30 UTC 2014
On 05/06/2014 12:03 AM, Emmanuel Noobadmin wrote:
> On 5/5/14, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> Simplest would be to just use
>> # grep usbDataCollector /var/log/audit/audit.log | audit2allow -M myhttp
>> # semodule -i myhttp.pp
>>
>> This would allot httpd_t processes the ability to use usb_device_t.
>> If you really wanted to tighten it up, you could build a custom policy
>> that put a different label on /dev/usbDataCollector and allow httpd_t
>> access to this device.
>>
>> Something like
>>
>> # cat myhttp.te
>> policy_module(myhttp, 1.0)
>> gen_require(`
>> type httpd_t;
>> ')
>>
>> type httpd_device_t;
>> dev_node(httpd_device_t)
>>
>> allow httpd_t httpd_device_t:chr_file rw_chr_file_perms;
>>
>> # cat myhttpd.fc
>> /dev/usbDataCollector -c
>> gen_context(system_u:object_r:httpd_device_t,s0)
>>
>> # make -f /usr/share/selinux/devel/Makefile
>> # semodule -i myhttp.pp
>> # restorecon -v /dev/usbDataCollector
> Thanks for the reply, I'll keep this in mind for the next machine.
> Currently, I'm unable to test it out since F20 stopped booting (for no
> reason I could figure out) on the laptop and I had to resort to
> another distribution.
I wrote a blog on this discussion.
https://danwalsh.livejournal.com/69221.html
More information about the users
mailing list