Bug 1273188
Summary: | Review Request: u2f-hidraw-policy - Udev rule to allow desktop access to HIDRAW U2F tokens | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Andy Lutomirski <luto> |
Component: | Package Review | Assignee: | Seth Jennings <sethdjennings> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | akpm, baptiste.millemathias, jorgeml, nls1729, package-review, sethdjennings |
Target Milestone: | --- | Flags: | sethdjennings:
fedora-review+
|
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-11-12 00:20:45 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Andy Lutomirski
2015-10-19 21:40:08 UTC
amluto's scratch build of u2f-hidraw-policy-1.0-1.fc22.src.rpm for f22 completed http://koji.fedoraproject.org/koji/taskinfo?taskID=11505737 Whoops, I had the LICENSE file for the wrong license! Spec URL: http://web.mit.edu/luto/www/fedora/u2f-hidraw-policy-2/u2f-hidraw-policy.spec SRPM URL: http://web.mit.edu/luto/www/fedora/u2f-hidraw-policy-2/u2f-hidraw-policy-1.0.1-1.fc22.src.rpm Koji scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=11506303 NB: This is intended to be multilib-exempt. It provides no libraries, and udev rules live in /usr/lib by convention. Self-review: Package Review ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated [ ] = Manual review needed ===== MUST items ===== C/C++: [x]: Package does not contain kernel modules. [x]: Package contains no static executables. [x]: Package does not contain any libtool archives (.la) [x]: Rpath absent or only used for internal libs. Generic: [x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. [x]: License field in the package spec file matches the actual license. Note: Checking patched sources after %prep for licenses. Licenses found: "LGPL (v2 or later)". Detailed output of licensecheck in /home/luto/devel/fedora/u2f-hidraw-policy/u2f-hidraw- policy/licensecheck.txt [x]: %build honors applicable compiler flags or justifies otherwise. [x]: Package contains no bundled libraries without FPC exception. [x]: Changelog in prescribed format. [x]: Sources contain only permissible code or content. [x]: Package contains desktop file if it is a GUI application. [x]: Development files must be in a -devel package [x]: Package uses nothing in %doc for runtime. [x]: Package consistently uses macros (instead of hard-coded directory names). [x]: Package is named according to the Package Naming Guidelines. [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. [x]: If the package is a rename of another package, proper Obsoletes and Provides are present. [x]: Requires correct, justified where necessary. [x]: Spec file is legible and written in American English. [-]: Package contains systemd file(s) if in need. [x]: Useful -debuginfo package or justification otherwise. [x]: Package is not known to require an ExcludeArch tag. [x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 10240 bytes in 1 files. [x]: Package complies to the Packaging Guidelines [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. Note: There are rpmlint messages (see attachment). [x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license. [x]: Package requires other packages for directories it uses. [x]: Package must own all directories that it creates. [x]: Package does not own files or directories owned by other packages. [x]: All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Dist tag is present. [x]: Package does not contain duplicates in %files. [x]: Permissions on files are set properly. [x]: Package use %makeinstall only when make install DESTDIR=... doesn't work. [x]: Package is named using only allowed ASCII characters. [x]: Package does not use a name that already exists. [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. [x]: File names are valid UTF-8. [x]: Packages must not store files under /srv, /opt or /usr/local ===== SHOULD items ===== Generic: [x]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [x]: Final provides and requires are sane (see attachments). [x]: Package functions as described. [x]: Latest version is packaged. [x]: Package does not include license text files separate from upstream. [x]: Description and summary sections in the package spec file contains translations for supported Non-English languages, if available. [x]: Package should compile and build into binary rpms on all supported architectures. [ ]: %check is present and all tests pass. [ ]: Packages should try to preserve timestamps of original installed files. [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: Sources can be downloaded from URI in Source: tag [x]: Reviewer should test that the package builds in mock. [x]: Buildroot is not present [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: Uses parallel make %{?_smp_mflags} macro. [x]: SourceX is a working URL. [x]: Spec use %global instead of %define unless justified. ===== EXTRA items ===== Generic: [x]: Rpmlint is run on debuginfo package(s). Note: No rpmlint messages. [x]: Rpmlint is run on all installed packages. Note: There are rpmlint messages (see attachment). [x]: Large data in /usr/share should live in a noarch subpackage if package is arched. Rpmlint ------- Checking: u2f-hidraw-policy-1.0.1-1.fc21.x86_64.rpm u2f-hidraw-policy-1.0.1-1.fc21.src.rpm u2f-hidraw-policy.x86_64: W: spelling-error Summary(en_US) Udev -> Dude u2f-hidraw-policy.src: W: spelling-error Summary(en_US) Udev -> Dude u2f-hidraw-policy.src: W: spelling-error %description -l en_US udev -> dude 2 packages and 0 specfiles checked; 0 errors, 3 warnings. Rpmlint (debuginfo) ------------------- Checking: u2f-hidraw-policy-debuginfo-1.0.1-1.fc21.x86_64.rpm 1 packages and 0 specfiles checked; 0 errors, 0 warnings. Rpmlint (installed packages) ---------------------------- u2f-hidraw-policy.x86_64: W: spelling-error Summary(en_US) Udev -> Dude 2 packages and 0 specfiles checked; 0 errors, 1 warnings. Requires -------- u2f-hidraw-policy (rpmlib, GLIBC filtered): libc.so.6()(64bit) libudev.so.1()(64bit) libudev.so.1(LIBUDEV_183)(64bit) rtld(GNU_HASH) systemd Provides -------- u2f-hidraw-policy: u2f-hidraw-policy u2f-hidraw-policy(x86-64) Source checksums ---------------- https://github.com/amluto/u2f-hidraw-policy/archive/1.0.1.tar.gz : CHECKSUM(SHA256) this package : d05675b92408fa3322c1fb267c4d63a91700aa9e6c26207a00779c0e78d52d83 CHECKSUM(SHA256) upstream package : d05675b92408fa3322c1fb267c4d63a91700aa9e6c26207a00779c0e78d52d83 Generated by fedora-review 0.6.0 (3c5c9d7) last change: 2015-05-20 Command line :/usr/bin/fedora-review -rn /home/luto/rpmbuild/SRPMS/u2f-hidraw-policy-1.0.1-1.fc22.src.rpm Buildroot used: fedora-21-x86_64 Active plugins: Generic, Shell-api, C/C++ Disabled plugins: Java, Python, fonts, SugarActivity, Ocaml, Perl, Haskell, R, PHP, Ruby Disabled flags: EXARCH, DISTTAG, EPEL5, BATCH, EPEL6 amluto's scratch build of u2f-hidraw-policy-1.0.1-1.fc22.src.rpm for f22 completed http://koji.fedoraproject.org/koji/taskinfo?taskID=11506303 I'm seeing this issue on a fully uptodate FC22 machine. The security key extension fails, reporting "unknown error". If I run chrome as root, everything works OK. I built Andy's web.mit.edu/luto/www/fedora/u2f-hidraw-policy-1/u2f-hidraw-policy-1.0-1.fc22.src.rpm and installed u2f-hidraw-policy-1.0.1-1.fc22.x86_64.rpm but that didn't fix it. Using atimes I can see that something has read /usr/lib/udev/rules.d/60-u2f-hidraw.rules at boot time. When I replug the key, /var/log/messages has Oct 20 19:34:34 t61p kernel: usb 5-2: USB disconnect, device number 2 Oct 20 19:34:34 t61p systemd-udevd: error opening USB device 'descriptors' file Oct 20 19:34:36 t61p kernel: usb 5-2: new full-speed USB device number 3 using uhci_hcd Oct 20 19:34:37 t61p kernel: usb 5-2: New USB device found, idVendor=1050, idProduct=0211 Oct 20 19:34:37 t61p kernel: usb 5-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 Oct 20 19:34:37 t61p kernel: usb 5-2: Product: Yubico WinUSB Gnubby (gnubby1) Oct 20 19:34:37 t61p kernel: usb 5-2: Manufacturer: Yubico Oct 20 19:34:37 t61p mtp-probe: checking bus 5, device 3: "/sys/devices/pci0000:00/0000:00:1d.0/usb5/5-2" Oct 20 19:34:37 t61p mtp-probe: bus: 5, device: 3 was not an MTP device So... stumped. Why didn't Andy's thing work for me? I assume I can get some more info using that package's u2f-hidraw-policy-debuginfo-1.0.1-1.fc22.x86_64.rpm. How do I do that? Thanks. Can you unplug it, then start udevadm monitor --property, then plug it in, then post whatever it says here? The output of ls -l /dev/hidraw* with the key plugged in could also help. udevadm monitor --property: monitor will print the received events for: UDEV - the event which udev sends out after rule processing KERNEL - the kernel uevent KERNEL[77193.141965] add /devices/pci0000:00/0000:00:1d.0/usb5/5-2 (usb) ACTION=add BUSNUM=005 DEVNAME=/dev/bus/usb/005/006 DEVNUM=006 DEVPATH=/devices/pci0000:00/0000:00:1d.0/usb5/5-2 DEVTYPE=usb_device MAJOR=189 MINOR=517 PRODUCT=1050/211/20 SEQNUM=2432 SUBSYSTEM=usb TYPE=0/0/0 KERNEL[77193.145286] add /devices/pci0000:00/0000:00:1d.0/usb5/5-2/5-2:1.0 (usb) ACTION=add DEVPATH=/devices/pci0000:00/0000:00:1d.0/usb5/5-2/5-2:1.0 DEVTYPE=usb_interface INTERFACE=255/0/0 MODALIAS=usb:v1050p0211d0020dc00dsc00dp00icFFisc00ip00in00 PRODUCT=1050/211/20 SEQNUM=2433 SUBSYSTEM=usb TYPE=0/0/0 UDEV [77193.155278] add /devices/pci0000:00/0000:00:1d.0/usb5/5-2 (usb) ACTION=add BUSNUM=005 DEVNAME=/dev/bus/usb/005/006 DEVNUM=006 DEVPATH=/devices/pci0000:00/0000:00:1d.0/usb5/5-2 DEVTYPE=usb_device ID_BUS=usb ID_MODEL=Yubico_WinUSB_Gnubby__gnubby1_ ID_MODEL_ENC=Yubico\x20WinUSB\x20Gnubby\x20\x28gnubby1\x29 ID_MODEL_FROM_DATABASE=Gnubby ID_MODEL_ID=0211 ID_REVISION=0020 ID_SERIAL=Yubico_Yubico_WinUSB_Gnubby__gnubby1_ ID_USB_INTERFACES=:ff0000: ID_VENDOR=Yubico ID_VENDOR_ENC=Yubico ID_VENDOR_FROM_DATABASE=Yubico.com ID_VENDOR_ID=1050 MAJOR=189 MINOR=517 PRODUCT=1050/211/20 SEQNUM=2432 SUBSYSTEM=usb TYPE=0/0/0 USEC_INITIALIZED=193142578 UDEV [77194.167240] add /devices/pci0000:00/0000:00:1d.0/usb5/5-2/5-2:1.0 (usb) ACTION=add DEVPATH=/devices/pci0000:00/0000:00:1d.0/usb5/5-2/5-2:1.0 DEVTYPE=usb_interface ID_MODEL_FROM_DATABASE=Gnubby ID_VENDOR_FROM_DATABASE=Yubico.com INTERFACE=255/0/0 MODALIAS=usb:v1050p0211d0020dc00dsc00dp00icFFisc00ip00in00 PRODUCT=1050/211/20 SEQNUM=2433 SUBSYSTEM=usb TYPE=0/0/0 USEC_INITIALIZED=3145168 t61p:/home/akpm> ls -l /dev/hidr* crw-------. 1 root root 248, 0 Oct 20 19:32 /dev/hidraw0 crw-------. 1 root root 248, 1 Oct 20 19:32 /dev/hidraw1 I'm not seeing any significant-looking differences between the udevadm output on this machine versus my "goobuntu" desktop machine at google (which works OK). If there's any useful poking I can do at the goobuntu machine to find out what they did to make it work, let me know... That's weird -- your system doesn't seem to be enumerating it as a hidraw device at all. You could try to figure out what device node Chrome is opening. I'm going to see if I can get myself an example of this exact device. I straced the whole operation (start chrome, try to authenticate). t61p:/home/akpm> grep hiddev log-chrome 7882 readlink("/sys/class/usbmisc/hiddev0", "../../devices/pci0000:00/0000:00"..., 1024) = 70 7882 stat("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/usbmisc/hiddev0/uevent", {st_mode=S_IFREG|0644, st_size=4096, ...}) = 0 7882 readlink("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/usbmisc/hiddev0", 0x7f92b5d3cf80, 1024) = -1 EINVAL (Invalid argument) 7882 stat("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/usbmisc/hiddev0/uevent", {st_mode=S_IFREG|0644, st_size=4096, ...}) = 0 7882 readlink("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/usbmisc/hiddev0/subsystem", "../../../../../../../../class/us"..., 1024) = 37 t61p:/home/akpm> grep "/dev/.*hiddev" log-chrome t61p:/home/akpm> So yeah, for some reason it isn't even attempting to open the device nodes. Running google-chrome-stable-46.0.2490.71-1.x86_64. doh, I had hiddev and hidraw confused. t61p:/home/akpm> grep hidraw log-chrome 7882 openat(AT_FDCWD, "/sys/class/hidraw", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 223 7882 readlink("/sys/class/hidraw/hidraw0", "../../devices/pci0000:00/0000:00"..., 1024) = 89 7882 stat("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/0003:046D:C52B.0003/hidraw/hidraw0/uevent", {st_mode=S_IFREG|0644, st_size=4096, ...}) = 0 7882 readlink("/sys/class/hidraw/hidraw1", "../../devices/pci0000:00/0000:00"..., 1024) = 109 7882 stat("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/0003:046D:C52B.0003/0003:046D:400A.0004/hidraw/hidraw1/uevent", {st_mode=S_IFREG|0644, st_size=4096, ...}) = 0 7882 readlink("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/0003:046D:C52B.0003/0003:046D:400A.0004/hidraw/hidraw1", 0x7f92b5d3cf80, 1024) = -1 EINVAL (Invalid argument) 7882 stat("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/0003:046D:C52B.0003/0003:046D:400A.0004/hidraw/hidraw1/uevent", {st_mode=S_IFREG|0644, st_size=4096, ...}) = 0 7882 readlink("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/0003:046D:C52B.0003/0003:046D:400A.0004/hidraw/hidraw1/subsystem", "../../../../../../../../../../cl"..., 1024) = 42 7882 open("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/0003:046D:C52B.0003/0003:046D:400A.0004/hidraw/hidraw1/uevent", O_RDONLY|O_CLOEXEC) = 220 7882 read(220, "MAJOR=248\nMINOR=1\nDEVNAME=hidraw"..., 4096) = 34 7882 readlink("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/0003:046D:C52B.0003/0003:046D:400A.0004/hidraw", 0x7f92b5d3ca10, 1024) = -1 EINVAL (Invalid argument) 7882 stat("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/0003:046D:C52B.0003/0003:046D:400A.0004/hidraw/uevent", 0x7f92b5d3c580) = -1 ENOENT (No such file or directory) 7882 readlink("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/0003:046D:C52B.0003/hidraw/hidraw0", 0x7f92b5d3cf80, 1024) = -1 EINVAL (Invalid argument) 7882 stat("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/0003:046D:C52B.0003/hidraw/hidraw0/uevent", {st_mode=S_IFREG|0644, st_size=4096, ...}) = 0 7882 readlink("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/0003:046D:C52B.0003/hidraw/hidraw0/subsystem", "../../../../../../../../../class"..., 1024) = 39 7882 open("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/0003:046D:C52B.0003/hidraw/hidraw0/uevent", O_RDONLY|O_CLOEXEC) = 220 7882 read(220, "MAJOR=248\nMINOR=0\nDEVNAME=hidraw"..., 4096) = 34 7882 readlink("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/0003:046D:C52B.0003/hidraw", 0x7f92b5d3ca10, 1024) = -1 EINVAL (Invalid argument) 7882 stat("/sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.2/0003:046D:C52B.0003/hidraw/uevent", 0x7f92b5d3c580) = -1 ENOENT (No such file or directory) Still no attempt to open /dev/hidraw*. I'm guessing that your device is a "gnubby", which is possibly complaint with the U2F crypto spec but may not be compliant with the U2F HID spec [1], which is what u2f-hidraw-policy is for. For reference, this seems to be the browser-side driver: https://github.com/google/u2f-ref-code/blob/master/u2f-chrome-extension/usbgnubbydevice.js and it's enumerating a specific USB vendor and model, and it seems to match your gadget. [1] https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-hid-protocol.html I have an up to date system with F22. I received my $10 github yubikey yesterday and could not get it to work until I changed the permissions on /dev/hidraw* to allow me to read and write it. Today I found this bug report. I cloned the github repo for u2f-hidraw-policy and made and installed it. Now it works fine with stock permissons on /dev/hidraw*. This may just be adding some useless noise but I thought it worth providing this info. $ udevadm monitor --property monitor will print the received events for: UDEV - the event which udev sends out after rule processing KERNEL - the kernel uevent KERNEL[2770.992782] add /devices/pci0000:00/0000:00:12.0/usb7/7-2 (usb) ACTION=add BUSNUM=007 DEVNAME=/dev/bus/usb/007/006 DEVNUM=006 DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2 DEVTYPE=usb_device MAJOR=189 MINOR=773 PRODUCT=1050/120/418 SEQNUM=2530 SUBSYSTEM=usb TYPE=0/0/0 KERNEL[2770.994639] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0 (usb) ACTION=add DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0 DEVTYPE=usb_interface INTERFACE=3/0/0 MODALIAS=usb:v1050p0120d0418dc00dsc00dp00ic03isc00ip00in00 PRODUCT=1050/120/418 SEQNUM=2531 SUBSYSTEM=usb TYPE=0/0/0 KERNEL[2770.998741] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006 (hid) ACTION=add DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006 HID_ID=0003:00001050:00000120 HID_NAME=Yubico Security Key by Yubico HID_PHYS=usb-0000:00:12.0-2/input0 MODALIAS=hid:b0003g0001v00001050p00000120 SEQNUM=2532 SUBSYSTEM=hid I didn't get a good copy for comment 11. Sorry about that. $ udevadm monitor --property monitor will print the received events for: UDEV - the event which udev sends out after rule processing KERNEL - the kernel uevent KERNEL[2770.992782] add /devices/pci0000:00/0000:00:12.0/usb7/7-2 (usb) ACTION=add BUSNUM=007 DEVNAME=/dev/bus/usb/007/006 DEVNUM=006 DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2 DEVTYPE=usb_device MAJOR=189 MINOR=773 PRODUCT=1050/120/418 SEQNUM=2530 SUBSYSTEM=usb TYPE=0/0/0 KERNEL[2770.994639] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0 (usb) ACTION=add DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0 DEVTYPE=usb_interface INTERFACE=3/0/0 MODALIAS=usb:v1050p0120d0418dc00dsc00dp00ic03isc00ip00in00 PRODUCT=1050/120/418 SEQNUM=2531 SUBSYSTEM=usb TYPE=0/0/0 KERNEL[2770.998741] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006 (hid) ACTION=add DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006 HID_ID=0003:00001050:00000120 HID_NAME=Yubico Security Key by Yubico HID_PHYS=usb-0000:00:12.0-2/input0 MODALIAS=hid:b0003g0001v00001050p00000120 SEQNUM=2532 SUBSYSTEM=hid KERNEL[2771.000733] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/usbmisc/hiddev0 (usbmisc) ACTION=add DEVNAME=/dev/usb/hiddev0 DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/usbmisc/hiddev0 MAJOR=180 MINOR=96 SEQNUM=2533 SUBSYSTEM=usbmisc KERNEL[2771.000958] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006/hidraw/hidraw0 (hidraw) ACTION=add DEVNAME=/dev/hidraw0 DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006/hidraw/hidraw0 MAJOR=248 MINOR=0 SEQNUM=2534 SUBSYSTEM=hidraw UDEV [2771.010663] add /devices/pci0000:00/0000:00:12.0/usb7/7-2 (usb) ACTION=add BUSNUM=007 DEVNAME=/dev/bus/usb/007/006 DEVNUM=006 DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2 DEVTYPE=usb_device ID_BUS=usb ID_MODEL=Security_Key_by_Yubico ID_MODEL_ENC=Security\x20Key\x20by\x20Yubico ID_MODEL_FROM_DATABASE=Yubikey Touch U2F Security Key ID_MODEL_ID=0120 ID_REVISION=0418 ID_SERIAL=Yubico_Security_Key_by_Yubico ID_USB_INTERFACES=:030000: ID_VENDOR=Yubico ID_VENDOR_ENC=Yubico ID_VENDOR_FROM_DATABASE=Yubico.com ID_VENDOR_ID=1050 MAJOR=189 MINOR=773 PRODUCT=1050/120/418 SEQNUM=2530 SUBSYSTEM=usb TYPE=0/0/0 USEC_INITIALIZED=70992956 UDEV [2771.015809] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0 (usb) ACTION=add DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0 DEVTYPE=usb_interface ID_MODEL_FROM_DATABASE=Yubikey Touch U2F Security Key ID_VENDOR_FROM_DATABASE=Yubico.com INTERFACE=3/0/0 MODALIAS=usb:v1050p0120d0418dc00dsc00dp00ic03isc00ip00in00 PRODUCT=1050/120/418 SEQNUM=2531 SUBSYSTEM=usb TYPE=0/0/0 USEC_INITIALIZED=994744 UDEV [2771.021696] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006 (hid) ACTION=add DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006 DRIVER=hid-generic HID_ID=0003:00001050:00000120 HID_NAME=Yubico Security Key by Yubico HID_PHYS=usb-0000:00:12.0-2/input0 ID_BUS=usb ID_MODEL=Security_Key_by_Yubico ID_MODEL_ENC=Security\x20Key\x20by\x20Yubico ID_MODEL_ID=0120 ID_REVISION=0418 ID_SERIAL=Yubico_Security_Key_by_Yubico ID_TYPE=hid ID_USB_DRIVER=usbhid ID_USB_INTERFACES=:030000: ID_USB_INTERFACE_NUM=00 ID_VENDOR=Yubico ID_VENDOR_ENC=Yubico ID_VENDOR_ID=1050 MODALIAS=hid:b0003g0001v00001050p00000120 SEQNUM=2532 SUBSYSTEM=hid USEC_INITIALIZED=998847 UDEV [2771.022284] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/usbmisc/hiddev0 (usbmisc) ACTION=add DEVNAME=/dev/usb/hiddev0$ udevadm monitor --property monitor will print the received events for: UDEV - the event which udev sends out after rule processing KERNEL - the kernel uevent KERNEL[2770.992782] add /devices/pci0000:00/0000:00:12.0/usb7/7-2 (usb) ACTION=add BUSNUM=007 DEVNAME=/dev/bus/usb/007/006 DEVNUM=006 DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2 DEVTYPE=usb_device MAJOR=189 MINOR=773 PRODUCT=1050/120/418 SEQNUM=2530 SUBSYSTEM=usb TYPE=0/0/0 KERNEL[2770.994639] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0 (usb) ACTION=add DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0 DEVTYPE=usb_interface INTERFACE=3/0/0 MODALIAS=usb:v1050p0120d0418dc00dsc00dp00ic03isc00ip00in00 PRODUCT=1050/120/418 SEQNUM=2531 SUBSYSTEM=usb TYPE=0/0/0 KERNEL[2770.998741] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006 (hid) ACTION=add DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006 HID_ID=0003:00001050:00000120 HID_NAME=Yubico Security Key by Yubico HID_PHYS=usb-0000:00:12.0-2/input0 MODALIAS=hid:b0003g0001v00001050p00000120 SEQNUM=2532 SUBSYSTEM=hid KERNEL[2771.000733] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/usbmisc/hiddev0 (usbmisc) ACTION=add DEVNAME=/dev/usb/hiddev0 DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/usbmisc/hiddev0 MAJOR=180 MINOR=96 SEQNUM=2533 SUBSYSTEM=usbmisc KERNEL[2771.000958] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006/hidraw/hidraw0 (hidraw) ACTION=add DEVNAME=/dev/hidraw0 DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006/hidraw/hidraw0 MAJOR=248 MINOR=0 SEQNUM=2534 SUBSYSTEM=hidraw UDEV [2771.010663] add /devices/pci0000:00/0000:00:12.0/usb7/7-2 (usb) ACTION=add BUSNUM=007 DEVNAME=/dev/bus/usb/007/006 DEVNUM=006 DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2 DEVTYPE=usb_device ID_BUS=usb ID_MODEL=Security_Key_by_Yubico ID_MODEL_ENC=Security\x20Key\x20by\x20Yubico ID_MODEL_FROM_DATABASE=Yubikey Touch U2F Security Key ID_MODEL_ID=0120 ID_REVISION=0418 ID_SERIAL=Yubico_Security_Key_by_Yubico ID_USB_INTERFACES=:030000: ID_VENDOR=Yubico ID_VENDOR_ENC=Yubico ID_VENDOR_FROM_DATABASE=Yubico.com ID_VENDOR_ID=1050 MAJOR=189 MINOR=773 PRODUCT=1050/120/418 SEQNUM=2530 SUBSYSTEM=usb TYPE=0/0/0 USEC_INITIALIZED=70992956 UDEV [2771.015809] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0 (usb) ACTION=add DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0 DEVTYPE=usb_interface ID_MODEL_FROM_DATABASE=Yubikey Touch U2F Security Key ID_VENDOR_FROM_DATABASE=Yubico.com INTERFACE=3/0/0 MODALIAS=usb:v1050p0120d0418dc00dsc00dp00ic03isc00ip00in00 PRODUCT=1050/120/418 SEQNUM=2531 SUBSYSTEM=usb TYPE=0/0/0 USEC_INITIALIZED=994744 UDEV [2771.021696] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006 (hid) ACTION=add DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006 DRIVER=hid-generic HID_ID=0003:00001050:00000120 HID_NAME=Yubico Security Key by Yubico HID_PHYS=usb-0000:00:12.0-2/input0 ID_BUS=usb ID_MODEL=Security_Key_by_Yubico ID_MODEL_ENC=Security\x20Key\x20by\x20Yubico ID_MODEL_ID=0120 ID_REVISION=0418 ID_SERIAL=Yubico_Security_Key_by_Yubico ID_TYPE=hid ID_USB_DRIVER=usbhid ID_USB_INTERFACES=:030000: ID_USB_INTERFACE_NUM=00 ID_VENDOR=Yubico ID_VENDOR_ENC=Yubico ID_VENDOR_ID=1050 MODALIAS=hid:b0003g0001v00001050p00000120 SEQNUM=2532 SUBSYSTEM=hid USEC_INITIALIZED=998847 UDEV [2771.022284] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/usbmisc/hiddev0 (usbmisc) ACTION=add DEVNAME=/dev/usb/hiddev0 DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/usbmisc/hiddev0 ID_BUS=usb ID_MODEL=Security_Key_by_Yubico ID_MODEL_ENC=Security\x20Key\x20by\x20Yubico ID_MODEL_ID=0120 ID_REVISION=0418 ID_SERIAL=Yubico_Security_Key_by_Yubico ID_TYPE=hid ID_USB_DRIVER=usbhid ID_USB_INTERFACES=:030000: ID_USB_INTERFACE_NUM=00 ID_VENDOR=Yubico ID_VENDOR_ENC=Yubico ID_VENDOR_ID=1050 MAJOR=180 MINOR=96 SEQNUM=2533 SUBSYSTEM=usbmisc USEC_INITIALIZED=71001362 UDEV [2771.033953] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006/hidraw/hidraw0 (hidraw) ACTION=add DEVNAME=/dev/hidraw0 DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006/hidraw/hidraw0 ID_BUS=usb ID_FOR_SEAT=hidraw-pci-0000_00_12_0-usb-0_2_1_0 ID_MODEL=Security_Key_by_Yubico ID_MODEL_ENC=Security\x20Key\x20by\x20Yubico ID_MODEL_ID=0120 ID_PATH=pci-0000:00:12.0-usb-0:2:1.0 ID_PATH_TAG=pci-0000_00_12_0-usb-0_2_1_0 ID_REVISION=0418 ID_SECURITY_TOKEN=1 ID_SERIAL=Yubico_Security_Key_by_Yubico ID_TYPE=hid ID_U2F_TOKEN=1 ID_USB_DRIVER=usbhid ID_USB_INTERFACES=:030000: ID_USB_INTERFACE_NUM=00 ID_VENDOR=Yubico ID_VENDOR_ENC=Yubico ID_VENDOR_ID=1050 MAJOR=248 MINOR=0 SEQNUM=2534 SUBSYSTEM=hidraw TAGS=:seat:uaccess: USEC_INITIALIZED=1397 DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/usbmisc/hiddev0 ID_BUS=usb ID_MODEL=Security_Key_by_Yubico ID_MODEL_ENC=Security\x20Key\x20by\x20Yubico ID_MODEL_ID=0120 ID_REVISION=0418 ID_SERIAL=Yubico_Security_Key_by_Yubico ID_TYPE=hid ID_USB_DRIVER=usbhid ID_USB_INTERFACES=:030000: ID_USB_INTERFACE_NUM=00 ID_VENDOR=Yubico ID_VENDOR_ENC=Yubico ID_VENDOR_ID=1050 MAJOR=180 MINOR=96 SEQNUM=2533 SUBSYSTEM=usbmisc USEC_INITIALIZED=71001362 UDEV [2771.033953] add /devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006/hidraw/hidraw0 (hidraw) ACTION=add DEVNAME=/dev/hidraw0 DEVPATH=/devices/pci0000:00/0000:00:12.0/usb7/7-2/7-2:1.0/0003:1050:0120.0006/hidraw/hidraw0 ID_BUS=usb ID_FOR_SEAT=hidraw-pci-0000_00_12_0-usb-0_2_1_0 ID_MODEL=Security_Key_by_Yubico ID_MODEL_ENC=Security\x20Key\x20by\x20Yubico ID_MODEL_ID=0120 ID_PATH=pci-0000:00:12.0-usb-0:2:1.0 ID_PATH_TAG=pci-0000_00_12_0-usb-0_2_1_0 ID_REVISION=0418 ID_SECURITY_TOKEN=1 ID_SERIAL=Yubico_Security_Key_by_Yubico ID_TYPE=hid ID_U2F_TOKEN=1 ID_USB_DRIVER=usbhid ID_USB_INTERFACES=:030000: ID_USB_INTERFACE_NUM=00 ID_VENDOR=Yubico ID_VENDOR_ENC=Yubico ID_VENDOR_ID=1050 MAJOR=248 MINOR=0 SEQNUM=2534 SUBSYSTEM=hidraw TAGS=:seat:uaccess: USEC_INITIALIZED=1397 Just a couple things: - Add systemd as a BuildRequires then you can use %_udevrulesdir to refer to the udev rules path - Add %udev_rules_update in a new %post section My fedora-review matches yours so I won't repost. amluto's scratch build of u2f-hidraw-policy-1.0.2-1.fc22.src.rpm for f22 failed http://koji.fedoraproject.org/koji/taskinfo?taskID=11644284 amluto's scratch build of u2f-hidraw-policy-1.0.2-1.fc22.src.rpm for f22 failed http://koji.fedoraproject.org/koji/taskinfo?taskID=11644400 I'm reasonably confident that udev uses inotify to notice changes, so the scriptlet isn't needed. I switched to using _udevrulesdir, and I updated to a new upstream version with your install -d fix (and dropped the mkdir). I also hardened the build. Spec URL: http://web.mit.edu/luto/www/fedora/u2f-hidraw-policy-3/u2f-hidraw-policy.spec SRPM URL: http://web.mit.edu/luto/www/fedora/u2f-hidraw-policy-3/u2f-hidraw-policy-1.0.2-1.fc22.src.rpm Koji scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=11644428 amluto's scratch build of u2f-hidraw-policy-1.0.2-1.fc22.src.rpm for f22 completed http://koji.fedoraproject.org/koji/taskinfo?taskID=11644428 Looks good! You are correct the udev autorefreshed on new rules. Package request has been approved: https://admin.fedoraproject.org/pkgdb/package/u2f-hidraw-policy u2f-hidraw-policy-1.0.2-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-fc49e8ae43 u2f-hidraw-policy-1.0.2-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-a1ed069ab8 u2f-hidraw-policy-1.0.2-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update u2f-hidraw-policy' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-fc49e8ae43 u2f-hidraw-policy-1.0.2-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update u2f-hidraw-policy' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-a1ed069ab8 u2f-hidraw-policy-1.0.2-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. u2f-hidraw-policy-1.0.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. Wrapping up my end of things... Andy confirmed that my gnubby key is an old one which doesn't fully implement the U2F HID spec. Here's his fix (which worked for me) (thanks) Like this, but double-check the vendor and product. # /etc/udev/rules.d/70-gnubby.rules ACTION!="add|change", GOTO="gnubby_end" ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0211", ENV{ID_SECURITY_TOKEN}="1" LABEL="gnubby_end" |