On 5/5/14, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> Simplest would be to just use
> # grep usbDataCollector /var/log/audit/audit.log | audit2allow -M myhttp
> # semodule -i myhttp.pp
>
> This would allot httpd_t processes the ability to use usb_device_t.
> If you really wanted to tighten it up, you could build a custom policy
> that put a different label on /dev/usbDataCollector and allow httpd_t
> access to this device.
>
> Something like
>
> # cat myhttp.te
> policy_module(myhttp, 1.0)
> gen_require(`
> type httpd_t;
> ')
>
> type httpd_device_t;
> dev_node(httpd_device_t)
>
> allow httpd_t httpd_device_t:chr_file rw_chr_file_perms;
>
> # cat myhttp.fc
> /dev/usbDataCollector -c gen_context(system_u:object_r:httpd_device_t,s0)
>
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i myhttp.pp
> # restorecon -v /dev/usbDataCollector

Thanks for the reply, I'll keep this in mind for the next machine.
Currently, I'm unable to test it out since F20 stopped booting (for no
reason I could figure out) on the laptop and I had to resort to another
distribution.
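An added example, not part of the original thread: a small reviewer for the "grep | audit2allow" approach quoted above. It applies the same substring match grep does and shows which allow rules the matched denials would turn into, so anything beyond the intended device access is visible before a module is loaded. The log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log lines for illustration (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1399300000.101:410): avc:  denied  { read write } for  pid=2101 comm="httpd" name="usbDataCollector" dev="devtmpfs" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=AVC msg=audit(1399300000.205:411): avc:  denied  { open } for  pid=2101 comm="httpd" path="/dev/usbDataCollector" dev="devtmpfs" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=AVC msg=audit(1399300001.007:412): avc:  denied  { read } for  pid=2101 comm="httpd" path="/home/op/usbDataCollector.log" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1399300002.500:413): avc:  denied  { read } for  pid=900 comm="sshd" name="shadow" dev="dm-0" ino=12 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def rules_from_denials(log_text, needle):
    """Aggregate AVC denials containing `needle` into allow-rule strings."""
    grants = defaultdict(set)
    for line in log_text.splitlines():
        if needle not in line:  # same substring match that grep performs
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        perms, scon, tcon, tclass = m.groups()
        key = (selinux_type(scon), selinux_type(tcon), tclass)
        grants[key].update(perms.split())
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(grants.items())
    ]


def unexpected(rules, expected_target):
    """Rules whose target type is not the one the admin meant to grant."""
    return [r for r in rules if f" {expected_target}:" not in r]


if __name__ == "__main__":
    rules = rules_from_denials(SAMPLE_LOG, "usbDataCollector")
    print("\n".join(rules))
    print("review before loading:", unexpected(rules, "usb_device_t"))
```

Even the expected rule is written against usb_device_t as a type, so it covers every device node carrying that label; the dedicated httpd_device_t label in the quoted policy narrows the grant to the one node.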