14.4. Permanently blocking and authorizing a USB device
You can permanently block and authorize a USB device using the -p
option. This adds a device-specific rule to the current policy.
Prerequisites
- The usbguard service is installed and running.
Procedure
Configure SELinux to allow the usbguard daemon to write rules.
Display the semanage Booleans relevant to usbguard.
# semanage boolean -l | grep usbguard
usbguard_daemon_write_conf (off , off) Allow usbguard to daemon write conf
usbguard_daemon_write_rules (on , on) Allow usbguard to daemon write rules
Optional: If the usbguard_daemon_write_rules Boolean is turned off, turn it on.
# semanage boolean -m --on usbguard_daemon_write_rules
List USB devices recognized by USBGuard:
# usbguard list-devices
1: allow id 1d6b:0002 serial "0000:00:06.7" name "EHCI Host Controller" hash "JDOb0BiktYs2ct3mSQKopnOOV2h9MGYADwhT+oUtF2s=" parent-hash "4PHGcaDKWtPjKDwYpIRG722cB9SlGz9l9Iea93+Gt9c=" via-port "usb1" with-interface 09:00:00
...
6: block id 1b1c:1ab1 serial "000024937962" name "Voyager" hash "CrXgiaWIf2bZAU+5WkzOE7y0rdSO82XMzubn7HDb95Q=" parent-hash "JDOb0BiktYs2ct3mSQKopnOOV2h9MGYADwhT+oUtF2s=" via-port "1-3" with-interface 08:06:50
Permanently authorize the device 6 to interact with the system:
# usbguard allow-device 6 -p
Permanently deauthorize and remove the device 6:
# usbguard reject-device 6 -p
Permanently deauthorize and retain the device 6:
# usbguard block-device 6 -p
USBGuard uses the terms block and reject with the following meanings:
- block: do not interact with this device for now.
- reject: ignore this device as if it does not exist.
Verification
Check that USBGuard rules include the changes you made.
# usbguard list-rules
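The verification step as a script, added here as an example and not part of the original documentation: it takes the device's hash from list-devices output and confirms that exactly one rule in list-rules output carries that hash with the expected target. The function names, the rule numbers in the sample, and the assumption that the generated rule includes the device's hash attribute are this example's own.

```shell
#!/bin/sh
# Added example: confirm that a permanent USBGuard decision reached the rule set.

# Constructed sample of `usbguard list-devices`, using the two devices shown above.
sample_devices() {
cat <<'EOF'
1: allow id 1d6b:0002 serial "0000:00:06.7" name "EHCI Host Controller" hash "JDOb0BiktYs2ct3mSQKopnOOV2h9MGYADwhT+oUtF2s=" parent-hash "4PHGcaDKWtPjKDwYpIRG722cB9SlGz9l9Iea93+Gt9c=" via-port "usb1" with-interface 09:00:00
6: block id 1b1c:1ab1 serial "000024937962" name "Voyager" hash "CrXgiaWIf2bZAU+5WkzOE7y0rdSO82XMzubn7HDb95Q=" parent-hash "JDOb0BiktYs2ct3mSQKopnOOV2h9MGYADwhT+oUtF2s=" via-port "1-3" with-interface 08:06:50
EOF
}

# Constructed sample of `usbguard list-rules` after `usbguard allow-device 6 -p`
# (assumption: the device-specific rule carries the device's hash attribute).
sample_rules() {
cat <<'EOF'
1: allow id 1d6b:0002 serial "0000:00:06.7" name "EHCI Host Controller" hash "JDOb0BiktYs2ct3mSQKopnOOV2h9MGYADwhT+oUtF2s=" parent-hash "4PHGcaDKWtPjKDwYpIRG722cB9SlGz9l9Iea93+Gt9c=" via-port "usb1" with-interface 09:00:00
2: allow id 1b1c:1ab1 serial "000024937962" name "Voyager" hash "CrXgiaWIf2bZAU+5WkzOE7y0rdSO82XMzubn7HDb95Q=" parent-hash "JDOb0BiktYs2ct3mSQKopnOOV2h9MGYADwhT+oUtF2s=" via-port "1-3" with-interface 08:06:50
EOF
}

# device_hash NUMBER: stdin is list-devices output; prints that device's hash.
device_hash() {
    sed -n "s/^$1: .* hash \"\([^\"]*\)\".*/\1/p"
}

# rule_target HASH: stdin is list-rules output; prints the target of each rule
# whose hash attribute equals HASH. The leading space keeps parent-hash "HASH"
# from matching; -F is needed because hashes contain + and /.
rule_target() {
    grep -F -- " hash \"$1\"" | awk '{ print $2 }'
}

# verify_permanent DEVICES RULES NUMBER TARGET: succeeds only when exactly one
# rule carries the device's hash and its target is TARGET (allow|block|reject).
verify_permanent() {
    dev_hash=$(printf '%s\n' "$1" | device_hash "$3")
    [ -n "$dev_hash" ] || { echo "device $3 not found" >&2; return 2; }
    [ "$(printf '%s\n' "$2" | rule_target "$dev_hash")" = "$4" ]
}

# On a live system, pass "$(usbguard list-devices)" and "$(usbguard list-rules)".
if verify_permanent "$(sample_devices)" "$(sample_rules)" 6 allow; then
    echo "device 6: permanent allow rule present"
fi
```

Capture the list-devices output before running reject-device, because the page describes reject as removing the device, so its number and hash may no longer be listed afterwards.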
Additional resources
- usbguard(1) man page.
- Built-in help listed by using the usbguard --help command.