Description of problem: Problem: Plug in iPhone and it doesnt charge and triggers an selinux alert. Selinux is stopping usbmuxd from having read access on (my iphone?). If Selinux is set to enforcing this causes my iphone not to charge when plugged in. If Selinux is set to permissive the phone charges normally. SELinux is preventing /usr/sbin/usbmuxd from 'read' accesses on the file . ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow usbmuxd to have read access on the file Then you need to change the label on $FIX_TARGET_PATH Do # semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH' where FILE_TYPE is one of the following: NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, alsa_tmp_t, amanda_tmp_t, antivirus_tmp_t, apcupsd_tmp_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_tmp_t, auditadm_sudo_tmp_t, automount_tmp_t, awstats_tmp_t, bin_t, bitlbee_tmp_t, bluetooth_helper_tmp_t, bluetooth_tmp_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, cardmgr_dev_t, ccs_tmp_t, cdcc_tmp_t, cert_t, chrome_sandbox_tmp_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cluster_tmp_t, cobbler_tmp_t, colord_tmp_t, comsat_tmp_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, crond_tmp_t, crontab_tmp_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_tmp_t, deltacloudd_tmp_t, devicekit_tmp_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_tmp_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, docker_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, etc_runtime_t, etc_t, exim_tmp_t, fail2ban_tmp_t, fenced_tmp_t, file_context_t, firewalld_tmp_t, firewallgui_tmp_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, gconf_tmp_t, geoclue_tmp_t, getty_tmp_t, gkeyringd_tmp_t, glance_registry_tmp_t, glance_tmp_t, glusterd_tmp_t, gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpm_tmp_t, gssd_tmp_t, hostname_etc_t, httpd_bugzilla_tmp_t, httpd_collectd_script_tmp_t, httpd_mojomojo_tmp_t, httpd_munin_script_tmp_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, httpd_w3c_validator_tmp_t, inetd_child_tmp_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, ipsec_tmp_t, iptables_tmp_t, iscsi_tmp_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keystone_tmp_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5kdc_tmp_t, ktalkd_tmp_t, l2tpd_tmp_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mdadm_tmp_t, mock_tmp_t, mongod_tmp_t, mount_tmp_t, mozilla_plugin_tmp_t, mozilla_tmp_t, mpd_tmp_t, mscan_tmp_t, munin_tmp_t, mysqld_tmp_t, nagios_eventhandler_plugin_tmp_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_tmp_t, net_conf_t, netutils_tmp_t, neutron_tmp_t, nova_ajax_tmp_t, nova_api_tmp_t, nova_cert_tmp_t, nova_compute_tmp_t, nova_conductor_tmp_t, nova_console_tmp_t, nova_direct_tmp_t, nova_network_tmp_t, nova_objectstore_tmp_t, nova_scheduler_tmp_t, nova_vncproxy_tmp_t, nova_volume_tmp_t, ntop_tmp_t, ntpd_tmp_t, nx_server_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_tmp_t, openvpn_tmp_t, openvswitch_tmp_t, openwsman_tmp_t, pam_timestamp_tmp_t, passenger_tmp_t, passwd_file_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, piranha_web_tmp_t, pkcsslotd_tmp_t, pki_tomcat_tmp_t, podsleuth_tmp_t, policykit_tmp_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_tmp_t, pppd_tmp_t, prelink_exec_t, prelink_tmp_t, prelude_lml_tmp_t, proc_t, procmail_tmp_t, psad_tmp_t, puppet_tmp_t, puppetmaster_tmp_t, qpidd_tmp_t, racoon_tmp_t, realmd_tmp_t, rhev_agentd_tmp_t, rhsmcertd_tmp_t, ricci_tmp_t, rlogind_tmp_t, rpm_script_tmp_t, rpm_tmp_t, rsync_tmp_t, rtas_errd_tmp_t, samba_etc_t, samba_net_tmp_t, samba_var_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_tmp_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, sge_tmp_t, shell_exec_t, shorewall_tmp_t, slapd_tmp_t, smbd_tmp_t, smoltclient_tmp_t, smsd_tmp_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_tmp_t, speech-dispatcher_tmp_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_keygen_tmp_t, sssd_public_t, sssd_var_lib_t, staff_sudo_tmp_t, stapserver_tmp_t, stunnel_tmp_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysfs_t, syslogd_tmp_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_mail_tmp_t, system_munin_plugin_tmp_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thumb_tmp_t, tmp_t, tomcat_tmp_t, tuned_tmp_t, tvtime_tmp_t, udev_tmp_t, uml_tmp_t, unconfined_munin_plugin_tmp_t, update_modules_tmp_t, usbmuxd_exec_t, usbmuxd_var_run_t, user_cron_spool_t, user_fonts_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_tmp_t, var_spool_t, varnishd_tmp_t, virt_qemu_ga_tmp_t, virt_tmp_t, vmtools_tmp_t, vmware_host_tmp_t, vmware_tmp_t, vpnc_tmp_t, webadm_tmp_t, webalizer_tmp_t, wireshark_tmp_t, xauth_tmp_t, xdm_tmp_t, xend_tmp_t, xenstored_tmp_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_tmp_t, zarafa_deliver_tmp_t, zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_var_lib_t, zebra_tmp_t. Then execute: restorecon -v '$FIX_TARGET_PATH' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that usbmuxd should be allowed read access on the file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep usbmuxd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:usbmuxd_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects [ file ] Source usbmuxd Source Path /usr/sbin/usbmuxd Port <Unknown> Host (removed) Source RPM Packages usbmuxd-1.0.9-0.4.c24463e.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-179.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.15.9-200.fc20.x86_64 #1 SMP Sat Aug 9 09:02:55 UTC 2014 x86_64 x86_64 Alert Count 5 First Seen 2014-08-15 06:34:01 PDT Last Seen 2014-08-15 06:34:53 PDT Local ID 8264fa7e-d302-41c0-8fd7-0a84ce56f31d Raw Audit Messages type=AVC msg=audit(1408109693.832:419): avc: denied { read } for pid=754 comm="usbmuxd" name="SystemConfiguration.plist" dev="sda2" ino=1058731 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1408109693.832:419): avc: denied { open } for pid=754 comm="usbmuxd" path="/var/lib/lockdown/SystemConfiguration.plist" dev="sda2" ino=1058731 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1408109693.832:419): arch=x86_64 syscall=open success=yes exit=ESPIPE a0=bafb80 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=754 auid=4294967295 uid=113 gid=113 euid=113 suid=113 fsuid=113 egid=113 sgid=113 fsgid=113 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null) Hash: usbmuxd,usbmuxd_t,var_lib_t,file,read Additional info: reporter: libreport-2.2.3 hashmarkername: setroubleshoot kernel: 3.15.9-200.fc20.x86_64 type: libreport
This is fixed in current release. https://github.com/selinux-policy/selinux-policy/commit/3069587b0df9c0dcd32079b6becaeb20f0a68d72
Still running into this problem, despite upgrading selinux-policy today, and rebooting after the upgrade. SELinux is preventing /usr/sbin/usbmuxd from read access on the file . ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow usbmuxd to have read access on the file Then you need to change the label on $FIX_TARGET_PATH Do # semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH' where FILE_TYPE is one of the following: NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, alsa_tmp_t, amanda_tmp_t, antivirus_tmp_t, apcupsd_tmp_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_tmp_t, auditadm_sudo_tmp_t, automount_tmp_t, awstats_tmp_t, bin_t, bitlbee_tmp_t, bluetooth_helper_tmp_t, bluetooth_tmp_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, cardmgr_dev_t, ccs_tmp_t, cdcc_tmp_t, cert_t, chrome_sandbox_tmp_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cluster_tmp_t, cobbler_tmp_t, colord_tmp_t, comsat_tmp_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, crond_tmp_t, crontab_tmp_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_tmp_t, deltacloudd_tmp_t, devicekit_tmp_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_tmp_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, docker_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, etc_runtime_t, etc_t, exim_tmp_t, fail2ban_tmp_t, fenced_tmp_t, file_context_t, firewalld_tmp_t, firewallgui_tmp_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, gconf_tmp_t, geoclue_tmp_t, getty_tmp_t, gkeyringd_tmp_t, glance_registry_tmp_t, glance_tmp_t, glusterd_tmp_t, gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpm_tmp_t, gssd_tmp_t, hostname_etc_t, httpd_bugzilla_tmp_t, httpd_collectd_script_tmp_t, httpd_mojomojo_tmp_t, httpd_munin_script_tmp_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, httpd_w3c_validator_tmp_t, inetd_child_tmp_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, ipsec_tmp_t, iptables_tmp_t, iscsi_tmp_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keystone_tmp_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5kdc_tmp_t, ktalkd_tmp_t, l2tpd_tmp_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mdadm_tmp_t, mock_tmp_t, mongod_tmp_t, mount_tmp_t, mozilla_plugin_tmp_t, mozilla_tmp_t, mpd_tmp_t, mscan_tmp_t, munin_tmp_t, mysqld_tmp_t, nagios_eventhandler_plugin_tmp_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_tmp_t, net_conf_t, netutils_tmp_t, neutron_tmp_t, nova_ajax_tmp_t, nova_api_tmp_t, nova_cert_tmp_t, nova_compute_tmp_t, nova_conductor_tmp_t, nova_console_tmp_t, nova_direct_tmp_t, nova_network_tmp_t, nova_objectstore_tmp_t, nova_scheduler_tmp_t, nova_vncproxy_tmp_t, nova_volume_tmp_t, ntop_tmp_t, ntpd_tmp_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nx_server_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_tmp_t, openvpn_tmp_t, openvswitch_tmp_t, openwsman_tmp_t, pam_timestamp_tmp_t, passenger_tmp_t, passwd_file_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, piranha_web_tmp_t, pkcsslotd_tmp_t, pki_tomcat_tmp_t, podsleuth_tmp_t, policykit_tmp_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_tmp_t, pppd_tmp_t, prelink_exec_t, prelink_tmp_t, prelude_lml_tmp_t, proc_t, procmail_tmp_t, psad_tmp_t, puppet_tmp_t, puppetmaster_tmp_t, qpidd_tmp_t, racoon_tmp_t, realmd_tmp_t, rhev_agentd_tmp_t, rhsmcertd_tmp_t, ricci_tmp_t, rlogind_tmp_t, rpm_script_tmp_t, rpm_tmp_t, rsync_tmp_t, rtas_errd_tmp_t, samba_etc_t, samba_net_tmp_t, samba_var_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_tmp_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, sge_tmp_t, shell_exec_t, shorewall_tmp_t, slapd_cert_t, slapd_tmp_t, smbd_tmp_t, smoltclient_tmp_t, smsd_tmp_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_tmp_t, speech-dispatcher_tmp_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_keygen_tmp_t, sssd_public_t, sssd_var_lib_t, staff_sudo_tmp_t, stapserver_tmp_t, stunnel_tmp_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysfs_t, syslogd_tmp_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_mail_tmp_t, system_munin_plugin_tmp_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thumb_tmp_t, tmp_t, tomcat_tmp_t, tuned_tmp_t, tvtime_tmp_t, udev_tmp_t, uml_tmp_t, unconfined_munin_plugin_tmp_t, update_modules_tmp_t, usbmuxd_exec_t, usbmuxd_var_lib_t, usbmuxd_var_run_t, user_cron_spool_t, user_fonts_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_tmp_t, var_spool_t, varnishd_tmp_t, virt_qemu_ga_tmp_t, virt_tmp_t, vmtools_tmp_t, vmware_host_tmp_t, vmware_tmp_t, vpnc_tmp_t, webadm_tmp_t, webalizer_tmp_t, wireshark_tmp_t, xauth_tmp_t, xdm_tmp_t, xend_tmp_t, xenstored_tmp_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_tmp_t, zarafa_deliver_tmp_t, zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_var_lib_t, zebra_tmp_t. Then execute: restorecon -v '$FIX_TARGET_PATH' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that usbmuxd should be allowed read access on the file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep usbmuxd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:usbmuxd_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects [ file ] Source usbmuxd Source Path /usr/sbin/usbmuxd Port <Unknown> Host (removed) Source RPM Packages usbmuxd-1.0.9-0.4.c24463e.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-183.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux hostname.example.com 3.16.2-201.fc20.x86_64 #1 SMP Mon Sep 15 19:57:50 UTC 2014 x86_64 x86_64 Alert Count 10 First Seen 2014-09-19 11:47:43 EDT Last Seen 2014-09-19 11:54:03 EDT Local ID 0002aea4-0971-426a-8bab-625f2c7b0e2c Raw Audit Messages type=AVC msg=audit(1411142043.339:625): avc: denied { read } for pid=17831 comm="usbmuxd" name="a658548b8ba7a922ddd6519d8616e763c14e6463.plist" dev="dm-2" ino=6295139 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1411142043.339:625): arch=x86_64 syscall=open success=no exit=EACCES a0=23dc4a0 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=17831 auid=4294967295 uid=113 gid=113 euid=113 suid=113 fsuid=113 egid=113 sgid=113 fsgid=113 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null) Hash: usbmuxd,usbmuxd_t,var_lib_t,file,read $ rpm -q usbmuxd usbmuxd-1.0.9-0.4.c24463e.fc20.x86_64 The following policy seems to remove the AVC. $ cat RHBZ1135945-usbmuxd-pol2.te module RHBZ1135945-usbmuxd-pol2 1.0; require { type usbmuxd_t; type var_lib_t; class capability { fowner sys_resource fsetid chown }; class unix_stream_socket connectto; class process setrlimit; class dir setattr; class file { read getattr open }; } #============= usbmuxd_t ============== allow usbmuxd_t self:capability { fowner sys_resource fsetid chown }; allow usbmuxd_t self:process setrlimit; allow usbmuxd_t self:unix_stream_socket connectto; allow usbmuxd_t var_lib_t:dir setattr; allow usbmuxd_t var_lib_t:file { read getattr open };
is the file that usbmuxd is trying to read /var/lib/lockdown? restorecon -vf /var/lib/lockdown Or is there some other directory that usbmuxd is using?
Hi Daniel, thanks for taking a look! # restorecon -vf /var/lib/lockdown # # ls -lZ /var/lib | grep lockdown drwxrwsr-x. usbmuxd usbmuxd system_u:object_r:var_lib_t:s0 lockdown But yeah, it's trying to read /var/lib/lockdown: Sep 19 22:59:53 hostname usbmuxd: [22:59:53.786][1] config_get_device_record: failed to read '/var/lib/lockdown/abcdefg.plist': Permission denied # ls -lZ /var/lib/lockdown/abcdefg.plist -rw-r--r--. root root system_u:object_r:var_lib_t:s0 /var/lib/lockdown/abcdefg.plist I'm unable to dig much more this weekend, but I can pick this back up next week.
We need to back port fixes from F21.
Just confirming this bug is not present in the current alpha of F21.
Hi, Matthew could you re-test this issue with the actual selinux-policy package?
(In reply to Lukas Vrabec from comment #7) > Hi, > Matthew could you re-test this issue with the actual selinux-policy package? Very sorry for the long delay. Unfortunately I am no longer running Fedora 20 and am now on Fedora 21 where this issue is not present so I cannot test.