Bug 1150920
Summary: | SELinux alerts when plugging in an iphone | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Christophe Fergeau <cfergeau> |
Component: | usbmuxd | Assignee: | Peter Robinson <pbrobinson> |
Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Priority: | unspecified |
Version: | 21 | CC: | bnocera, cfergeau, mgrepl, pbrobinson |
Hardware: | Unspecified | OS: | Unspecified |
Doc Type: | Bug Fix | Type: | Bug |
Last Closed: | 2014-10-17 09:37:56 UTC | | |

Description
Christophe Fergeau
2014-10-09 08:04:45 UTC
usbmuxd version is usbmuxd-1.0.9-0.6.c24463e.fc21.x86_64

Things seem better after

```
chcon system_u:system_r:usbmuxd_t:s0 /var/lib/lockdown
chcon system_u:system_r:usbmuxd_t:s0 /var/lib/lockdown/*
```

(I had tried a restorecon on this dir first but this did not change anything)

/var/lib/lockdown is not owned by any package, I don't know if that's intentional.

Actually even after doing these chcon, I still got this when unlocking my screen:

```
Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:system_r:usbmuxd_t:s0
Target Objects                /var/lib/lockdown [ dir ]
Source                        usbmuxd
Source Path                   /usr/sbin/usbmuxd
Port                          <Unknown>
Host                          edamame.cdg.redhat.com
Source RPM Packages           usbmuxd-1.0.9-0.6.c24463e.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-85.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     edamame.cdg.redhat.com
Platform                      Linux edamame.cdg.redhat.com 3.16.3-200.fc20.x86_64 #1 SMP Wed Sep 17 22:34:21 UTC 2014 x86_64 x86_64
Alert Count                   5
First Seen                    2014-10-09 10:32:08 CEST
Last Seen                     2014-10-09 11:59:24 CEST
Local ID                      db8d4441-d19f-4220-8b37-2287e3b95f91

Raw Audit Messages
type=AVC msg=audit(1412848764.111:983): avc: denied { setattr } for pid=10210 comm="usbmuxd" name="lockdown" dev="dm-2" ino=1217336 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:usbmuxd_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1412848764.111:983): arch=x86_64 syscall=chmod success=no exit=EACCES a0=20982b0 a1=5fd a2=7fff7af817a0 a3=20 items=0 ppid=1 pid=10210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)

Hash: usbmuxd,usbmuxd_t,usbmuxd_t,dir,setattr
```

(In reply to Christophe Fergeau from comment #2)
> Things seem better after
> chcon system_u:system_r:usbmuxd_t:s0 /var/lib/lockdown
> chcon system_u:system_r:usbmuxd_t:s0 /var/lib/lockdown/*
> (I had tried a restorecon on this dir first but this did not change anything)
>
> /var/lib/lockdown is not owned by any package, I don't know if that's
> intentional.

This is wrong. You assign process type instead of file type. You want to use usbmuxd_var_lib_t.

How is /var/lib/lockdown placed?

> > /var/lib/lockdown is not owned by any package, I don't know if that's
> > intentional.
>
> This is wrong. You assign process type instead of file type. You want to use
> usbmuxd_var_lib_t.

I've not made any changes to the SELinux bits whatsoever

> How is /var/lib/lockdown placed?

What do you mean by this?

(In reply to Peter Robinson from comment #5)
> > > /var/lib/lockdown is not owned by any package, I don't know if that's
> > > intentional.
> >
> > This is wrong. You assign process type instead of file type. You want to use
> > usbmuxd_var_lib_t.
>
> I've not made any changes to the SELinux bits whatsoever
>
> > How is /var/lib/lockdown placed?
>
> What do you mean by this?

Does it come from usbmuxd?

> Does it come from usbmuxd?

We don't package it, and it's never been referenced before. It might be something that's created or new in the re-arch that happened with the last release but at a quick code grep I couldn't see anything.

It's referenced in userpref_get_config_dir() in libimobiledevice/common/userpref.c, but I could not find what creates it.

(In reply to Miroslav Grepl from comment #4)
> This is wrong. You assign process type instead of file type. You want to use
> usbmuxd_var_lib_t.
>

Not surprising that it's totally wrong, I'm very clueless about selinux ;)

(In reply to Christophe Fergeau from comment #8)
> It's referenced in userpref_get_config_dir() in
> libimobiledevice/common/userpref.c, but I could not find what creates it.

Ah, libimobiledevice, I was mostly looking in *usbmux and libplist. There's a new upstream release just out, I'm going to build it and its deps today so it might be worth re-testing with that to ensure we only need to do it once

So the new release is on its way to F-21 as part of the gnome 3.14.1 update as there was some cross dependencies

Christophe: I'm going to dupe this bug to the F-20 so it's all tracked in the one place. The latest version is now available in F-21 updates-testing so if you could test that and provide the details on the other bug that would be fab. We'll get it fixed against the latest release (everyone will want it for iOS8 support)

*** This bug has been marked as a duplicate of bug 1128477 ***
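
Added example (not part of the original bug report): a small Python check that parses the AVC record quoted above and flags the pattern comment #4 describes, a filesystem object carrying the process domain type instead of a file type. The function names and the second and third sample records are constructed for illustration, and the same-type test is a heuristic, not a query against the loaded policy.

```python
import re

# Object classes that live on a filesystem and therefore need a file type.
FS_CLASSES = {"dir", "file", "lnk_file", "sock_file", "fifo_file"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return the fields of one 'avc: denied' record as a dict, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))
    rec = {key: value.strip('"') for key, value in pairs}
    rec["perms"] = m.group(1).split()
    return rec

def selinux_type(context):
    """Third field of user:role:type:level."""
    return context.split(":")[2]

def classify(rec):
    """Heuristic verdict for one parsed denial."""
    same_type = selinux_type(rec["scontext"]) == selinux_type(rec["tcontext"])
    if rec["tclass"] not in FS_CLASSES or not same_type:
        return "policy"      # ordinary denial: review policy rules or booleans
    if rec.get("dev") == "proc":
        return "procfs"      # /proc/<pid> entries legitimately carry the domain type
    return "mislabeled"      # on-disk object labeled with the process domain

# The first record is the one from this report; the other two are constructed.
SAMPLES = [
    'type=AVC msg=audit(1412848764.111:983): avc: denied { setattr } for pid=10210 '
    'comm="usbmuxd" name="lockdown" dev="dm-2" ino=1217336 '
    'scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:usbmuxd_t:s0 '
    'tclass=dir permissive=0',
    'type=AVC msg=audit(1.0:1): avc: denied { setattr } for pid=1 comm="usbmuxd" '
    'name="lockdown" dev="dm-2" ino=2 scontext=system_u:system_r:usbmuxd_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1.0:2): avc: denied { setattr } for pid=1 comm="usbmuxd" '
    'name="1" dev="proc" ino=3 scontext=system_u:system_r:usbmuxd_t:s0 '
    'tcontext=system_u:system_r:usbmuxd_t:s0 tclass=dir permissive=0',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        rec = parse_avc(sample)
        print(rec["name"], rec["tclass"], rec["tcontext"], "->", classify(rec))
```

A "mislabeled" verdict means the object should be relabeled with a file type (usbmuxd_var_lib_t is the one named in comment #4) rather than given a new allow rule.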