Using Fedora 20 3.11.10-301.fc20.x86_64 and selinux targeted policy.29
I've a PHP application that sends data to a USB tty device e.g. /dev/usbDataCollector
Unfortunately selinux is blocking this action. When set to permissive, the alert browser suggests the command: setsebool -P daemons_use_tty 1
The documentation says "Allow all daemons the ability to use unallocated ttys." This naturally doesn't sound like a good idea although admittedly it probably won't hurt in this particular installation. However, I thought it would be good to find the 'correct' solution to this.
But I am unable to find a more fine-grained SELinux control for this, Fedora 20 has no documentation and the only vaguely relevant one I could find elsewhere is httpd_tty_com which appears unrelated as it is about allowing httpd to communicate with the terminal.
So the question is whether there is any way to do this or is allowing all daemons the only option?
On 05/04/2014 12:22 AM, Emmanuel Noobadmin wrote:
> [snip]
Simplest would be to just use

# grep usbDataCollector /var/log/audit/audit.log | audit2allow -M myhttp
# semodule -i myhttp.pp

This would allot httpd_t processes the ability to use usb_device_t. If you really wanted to tighten it up, you could build a custom policy that puts a different label on /dev/usbDataCollector and allow httpd_t access to this device.

Something like

# cat myhttp.te
policy_module(myhttp, 1.0)

gen_require(`
	type httpd_t;
')

type httpd_device_t;
dev_node(httpd_device_t)

allow httpd_t httpd_device_t:chr_file rw_chr_file_perms;

# cat myhttp.fc
/dev/usbDataCollector -c gen_context(system_u:object_r:httpd_device_t,s0)

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myhttp.pp
# restorecon -v /dev/usbDataCollector
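As an added example (not part of this thread and not Dan's code), a small Python script that does the narrowing by hand instead of `grep | audit2allow`: it collects the AVC denials for one device node from a few constructed audit lines and emits a .te/.fc pair that gives only that node a private httpd_device_t label and grants httpd_t only the permissions the log shows were denied. The sample audit records, the device path and the module name are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread). The third line is an
# unrelated denial on another node and must stay out of the generated module.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1399161600.101:301): avc:  denied  { read write } for  pid=2001 comm="httpd" name="usbDataCollector" dev="devtmpfs" ino=9913 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=AVC msg=audit(1399161600.102:302): avc:  denied  { ioctl } for  pid=2001 comm="httpd" name="usbDataCollector" dev="devtmpfs" ino=9913 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=AVC msg=audit(1399161600.103:303): avc:  denied  { write } for  pid=2001 comm="httpd" name="ttyUSB1" dev="devtmpfs" ino=9920 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?name="(?P<name>[^"]+)".*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:\w+:\S+ tclass=(?P<tclass>\w+)')

def collect_denials(log_text, device_name):
    """Map (source domain, object class) -> denied permissions, for one node only."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("name") == device_name:
            denied[(m.group("stype"), m.group("tclass"))].update(m.group("perms").split())
    return dict(denied)

def generate_module(denials, device_path, module="myhttp", new_type="httpd_device_t"):
    """Return (te_text, fc_text): a private device type for this node plus allow
    rules granting each domain only the permissions the log shows it needed.
    Collect across a few runs: SELinux logs the first failing check, so later
    permissions (e.g. ioctl) can appear only after earlier ones are granted."""
    sources = sorted({stype for stype, _ in denials})
    te = [f"policy_module({module}, 1.0)", "", "gen_require(`"]
    te += [f"\ttype {s};" for s in sources]
    te += ["')", "", f"type {new_type};", f"dev_node({new_type})", ""]
    for (stype, tclass), perms in sorted(denials.items()):
        te.append(f"allow {stype} {new_type}:{tclass} {{ {' '.join(sorted(perms))} }};")
    fc = f"{device_path} -c gen_context(system_u:object_r:{new_type},s0)\n"
    return "\n".join(te) + "\n", fc

if __name__ == "__main__":
    te, fc = generate_module(collect_denials(SAMPLE_AUDIT_LOG, "usbDataCollector"),
                             "/dev/usbDataCollector")
    print(te)
    print(fc)
```

The generated myhttp.te and myhttp.fc still go through the same make, semodule -i and restorecon steps as in the reply above.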
On 5/5/14, Daniel J Walsh dwalsh@redhat.com wrote:
> [snip]
Thanks for the reply, I'll keep this in mind for the next machine. Currently, I'm unable to test it out since F20 stopped booting (for no reason I could figure out) on the laptop and I had to resort to another distribution.
On 05/06/2014 12:03 AM, Emmanuel Noobadmin wrote:
> [snip]
I wrote a blog on this discussion.