Attempting to get '-usbdevice host:001.004' (and similar) working with qemu-kvm on my Fedora rawhide system, it occurred to me that there is the opportunity to apply policy to the files associated with USB devices. Currently, most seem to have a 'flat' label (usbfs_t), making it hard to confine qemu like programs that should only have access to, say, a single device. Does it make sense to support more 'fine grained' labeling, and to label the associated device file (e.g., /proc/bus/usb/...., /dev/usb, etc.) when the files are 'created'? Would udev be the place to do this? PolicyKIt? Thoughts? tom -- Tom London -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
