On 05/06/2014 12:03 AM, Emmanuel Noobadmin wrote: > On 5/5/14, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote: >> Simplest would be to just use >> # grep usbDataCollector /var/log/audit/audit.log | audit2allow -M myhttp >> # semodule -i myhttp.pp >> >> This would allot httpd_t processes the ability to use usb_device_t. >> If you really wanted to tighten it up, you could build a custom policy >> that put a different label on /dev/usbDataCollector and allow httpd_t >> access to this device. >> >> Something like >> >> # cat myhttp.te >> policy_module(myhttp, 1.0) >> gen_require(` >> type httpd_t; >> ') >> >> type httpd_device_t; >> dev_node(httpd_device_t) >> >> allow httpd_t httpd_device_t:chr_file rw_chr_file_perms; >> >> # cat myhttpd.fc >> /dev/usbDataCollector -c >> gen_context(system_u:object_r:httpd_device_t,s0) >> >> # make -f /usr/share/selinux/devel/Makefile >> # semodule -i myhttp.pp >> # restorecon -v /dev/usbDataCollector > Thanks for the reply, I'll keep this in mind for the next machine. > Currently, I'm unable to test it out since F20 stopped booting (for no > reason I could figure out) on the laptop and I had to resort to > another distribution. I wrote a blog on this discussion. https://danwalsh.livejournal.com/69221.html -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
