On 05/04/2014 12:22 AM, Emmanuel Noobadmin wrote:
> Using Fedora 20 3.11.10-301.fc20.x86_64 and selinux targeted policy.29
>
> I've a PHP application that sends data to a USB tty device e.g.
> /dev/usbDataCollector
>
> Unfortunately selinux is blocking this action. When set to permissive,
> the alert browser suggests the command: setsebool -P daemons_use_tty 1
>
> The documentation says Allow all daemons the ability to use
> unallocated ttys. This naturally doesn't sound like a good idea
> although admittedly it probably won't hurt in this particular
> installation. However, I thought it would be good to find the
> 'correct' solution to this.
>
> But I am unable to find a more fine-grained SELinux control for this,
> Fedora 20 has no documentation and the only vaguely relevant one I
> could find elsewhere is httpd_tty_com which appears unrelated as it is
> about allowing httpd to communicate with the terminal.
>
> So the question is whether there is any way to do this or is allowing
> all daemons the only option?

Simplest would be to just use

# grep usbDataCollector /var/log/audit/audit.log | audit2allow -M myhttp
# semodule -i myhttp.pp

This would allot httpd_t processes the ability to use usb_device_t.

If you really wanted to tighten it up, you could build a custom policy that put a different label on /dev/usbDataCollector and allow httpd_t access to this device.
Something like

# cat myhttp.te
policy_module(myhttp, 1.0)

gen_require(`
	type httpd_t;
')

# private device type for the collector, so nothing else that can use
# generic tty/usb devices gains access to it
type httpd_device_t;
dev_node(httpd_device_t)

allow httpd_t httpd_device_t:chr_file rw_chr_file_perms;

# cat myhttp.fc
/dev/usbDataCollector		-c	gen_context(system_u:object_r:httpd_device_t,s0)

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myhttp.pp
# restorecon -v /dev/usbDataCollector

(The .te and .fc files must share the module basename, myhttp, for the devel Makefile to pick both up.)

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
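The first suggestion in the reply (grep the audit log, pipe into audit2allow -M) works by collapsing every AVC denial it sees into an allow rule. The following is an added example, not part of the thread and not Fedora's or audit2allow's code: a small Python script that performs the same reduction over constructed audit.log lines, so you can see exactly which rule a blanket "allow whatever was denied" approach produces before loading it. The AVC records, pids, inode numbers and the tty_device_t target label in the sample are constructed for this example; the module text it renders uses the refpolicy policy_module()/gen_require() shape from the reply rather than audit2allow's own output format.

```python
import re
from collections import defaultdict

# Constructed AVC records in the layout auditd writes to /var/log/audit/audit.log.
# Sample data for this example only; not taken from the poster's system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1399165320.112:412): avc:  denied  { read write } for  pid=2134 comm="httpd" name="usbDataCollector" dev="devtmpfs" ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1399165320.113:413): avc:  denied  { open } for  pid=2134 comm="httpd" path="/dev/usbDataCollector" dev="devtmpfs" ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1399165320.114:414): avc:  denied  { ioctl } for  pid=2134 comm="httpd" path="/dev/usbDataCollector" dev="devtmpfs" ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1399165320.112:412): arch=c000003e syscall=2 success=yes exit=12 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

# Pull the permission set, source/target contexts and object class out of one AVC line.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH and other record types carry no denial
        stype = m.group("scontext").split(":")[2]  # user:role:TYPE:level
        ttype = m.group("tcontext").split(":")[2]
        perms = set(m.group("perms").split())
        yield stype, ttype, m.group("tclass"), perms


def allow_rules(log_text, name_filter=None):
    """Merge denials into one allow rule per (source, target, class) triple.

    name_filter mimics the reply's `grep usbDataCollector`: only lines that
    contain the string are considered.
    """
    merged = defaultdict(set)
    for line in log_text.splitlines():
        if name_filter and name_filter not in line:
            continue
        for stype, ttype, tclass, perms in parse_avc_denials(line):
            merged[(stype, ttype, tclass)] |= perms
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(merged.items())
    ]


def policy_module_te(name, rules, version="1.0"):
    """Render the rules as a .te file in the policy_module() shape used in the reply."""
    types = set()
    for rule in rules:
        parts = rule.split()
        types.add(parts[1])                 # source type
        types.add(parts[2].split(":")[0])   # target type
    required = "\n".join(f"\ttype {t};" for t in sorted(types))
    return (
        f"policy_module({name}, {version})\n\n"
        f"gen_require(`\n{required}\n')\n\n"
        + "\n".join(rules) + "\n"
    )


if __name__ == "__main__":
    rules = allow_rules(SAMPLE_AUDIT_LOG, name_filter="usbDataCollector")
    print(policy_module_te("myhttp", rules))
```

Run against the constructed log this yields a single rule, allow httpd_t tty_device_t:chr_file { ioctl open read write };. That is the rule to review before semodule -i: it grants httpd_t those permissions on every object labelled tty_device_t, not just the collector, which is why the reply's second option (a dedicated httpd_device_t label applied by the .fc entry) is the tighter choice when only one device should be reachable.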