Bug 1130536 - SELinux is preventing /usr/sbin/usbmuxd from 'read' accesses on the file .
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:b7b162c6e734233119b1bebde1e...
Depends On:
Blocks:
Reported: 2014-08-15 13:41 UTC by Matthew Bunt
Modified: 2015-01-02 12:51 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-02 12:51:30 UTC



Description Matthew Bunt 2014-08-15 13:41:29 UTC
Description of problem:
Problem: Plug in iPhone and it doesn't charge and triggers an SELinux alert.

SELinux is stopping usbmuxd from having read access on (my iPhone?).

If SELinux is set to enforcing, this causes my iPhone not to charge when plugged in.
If SELinux is set to permissive, the phone charges normally.
SELinux is preventing /usr/sbin/usbmuxd from 'read' accesses on the file .

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow usbmuxd to have read access on the  file
Then you need to change the label on $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: [long list of candidate file types omitted]
Then execute: 
restorecon -v '$FIX_TARGET_PATH'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that usbmuxd should be allowed read access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep usbmuxd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                 [ file ]
Source                        usbmuxd
Source Path                   /usr/sbin/usbmuxd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           usbmuxd-1.0.9-0.4.c24463e.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-179.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.15.9-200.fc20.x86_64 #1 SMP Sat
                              Aug 9 09:02:55 UTC 2014 x86_64 x86_64
Alert Count                   5
First Seen                    2014-08-15 06:34:01 PDT
Last Seen                     2014-08-15 06:34:53 PDT
Local ID                      8264fa7e-d302-41c0-8fd7-0a84ce56f31d

Raw Audit Messages
type=AVC msg=audit(1408109693.832:419): avc:  denied  { read } for  pid=754 comm="usbmuxd" name="SystemConfiguration.plist" dev="sda2" ino=1058731 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file


type=AVC msg=audit(1408109693.832:419): avc:  denied  { open } for  pid=754 comm="usbmuxd" path="/var/lib/lockdown/SystemConfiguration.plist" dev="sda2" ino=1058731 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file


type=SYSCALL msg=audit(1408109693.832:419): arch=x86_64 syscall=open success=yes exit=ESPIPE a0=bafb80 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=754 auid=4294967295 uid=113 gid=113 euid=113 suid=113 fsuid=113 egid=113 sgid=113 fsgid=113 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)

Hash: usbmuxd,usbmuxd_t,var_lib_t,file,read

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.15.9-200.fc20.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2014-09-05 08:32:46 UTC
This is fixed in the current release.

https://github.com/selinux-policy/selinux-policy/commit/3069587b0df9c0dcd32079b6becaeb20f0a68d72

Comment 2 Christopher Wawak 2014-09-19 16:02:27 UTC
Still running into this problem, despite upgrading selinux-policy today, and rebooting after the upgrade.

SELinux is preventing /usr/sbin/usbmuxd from read access on the file .

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow usbmuxd to have read access on the  file
Then you need to change the label on $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: [long list of candidate file types omitted]
Then execute: 
restorecon -v '$FIX_TARGET_PATH'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that usbmuxd should be allowed read access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep usbmuxd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                 [ file ]
Source                        usbmuxd
Source Path                   /usr/sbin/usbmuxd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           usbmuxd-1.0.9-0.4.c24463e.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-183.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux hostname.example.com
                              3.16.2-201.fc20.x86_64 #1 SMP Mon Sep 15 19:57:50
                              UTC 2014 x86_64 x86_64
Alert Count                   10
First Seen                    2014-09-19 11:47:43 EDT
Last Seen                     2014-09-19 11:54:03 EDT
Local ID                      0002aea4-0971-426a-8bab-625f2c7b0e2c

Raw Audit Messages
type=AVC msg=audit(1411142043.339:625): avc:  denied  { read } for  pid=17831 comm="usbmuxd" name="a658548b8ba7a922ddd6519d8616e763c14e6463.plist" dev="dm-2" ino=6295139 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1411142043.339:625): arch=x86_64 syscall=open success=no exit=EACCES a0=23dc4a0 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=17831 auid=4294967295 uid=113 gid=113 euid=113 suid=113 fsuid=113 egid=113 sgid=113 fsgid=113 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)

Hash: usbmuxd,usbmuxd_t,var_lib_t,file,read

$  rpm -q usbmuxd
usbmuxd-1.0.9-0.4.c24463e.fc20.x86_64

The following policy seems to remove the AVC.

$ cat RHBZ1135945-usbmuxd-pol2.te 

module RHBZ1135945-usbmuxd-pol2 1.0;

require {
	type usbmuxd_t;
	type var_lib_t;
	class capability { fowner sys_resource fsetid chown };
	class unix_stream_socket connectto;
	class process setrlimit;
	class dir setattr;
	class file { read getattr open };
}

#============= usbmuxd_t ==============
allow usbmuxd_t self:capability { fowner sys_resource fsetid chown };
allow usbmuxd_t self:process setrlimit;
allow usbmuxd_t self:unix_stream_socket connectto;
allow usbmuxd_t var_lib_t:dir setattr;
allow usbmuxd_t var_lib_t:file { read getattr open };
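
As an added example (not part of the bug report or of the selinux-policy project), a small Python triage script that parses the raw AVC and SYSCALL records quoted above, correlates them by audit serial, and reports whether each access was actually blocked: the 2014-08 report was taken in permissive mode (SYSCALL success=yes), the 2014-09 one in enforcing mode (permissive=0, EACCES). The sample log is constructed from the records on this page, with the SYSCALL lines trimmed to the fields used.

```python
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")

# Constructed sample: the records quoted in this bug, SYSCALL lines trimmed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1408109693.832:419): avc:  denied  { read } for  pid=754 comm="usbmuxd" name="SystemConfiguration.plist" dev="sda2" ino=1058731 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1408109693.832:419): avc:  denied  { open } for  pid=754 comm="usbmuxd" path="/var/lib/lockdown/SystemConfiguration.plist" dev="sda2" ino=1058731 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1408109693.832:419): arch=x86_64 syscall=open success=yes exit=ESPIPE pid=754 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)
type=AVC msg=audit(1411142043.339:625): avc:  denied  { read } for  pid=17831 comm="usbmuxd" name="a658548b8ba7a922ddd6519d8616e763c14e6463.plist" dev="dm-2" ino=6295139 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1411142043.339:625): arch=x86_64 syscall=open success=no exit=EACCES pid=17831 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)
"""

def parse_record(line):
    """Split one audit line into (type, serial, {field: value}, [permissions])."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    perms = PERMS_RE.search(line)
    return m.group(1), m.group(2), fields, perms.group(1).split() if perms else []

def type_of(context):
    """system_u:system_r:usbmuxd_t:s0 -> usbmuxd_t (the type is the third field)."""
    return context.split(":")[2]

def triage(log_text):
    """Return one summary per audit event (serial), in order of first appearance."""
    events = defaultdict(lambda: {"avcs": [], "syscall": None})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, serial, fields, perms = rec
        if rtype == "AVC":
            events[serial]["avcs"].append((fields, perms))
        elif rtype == "SYSCALL":
            events[serial]["syscall"] = fields
    out = []
    for serial, ev in events.items():
        if not ev["avcs"]:
            continue
        first, first_perms = ev["avcs"][0]
        all_perms = sorted({p for _, ps in ev["avcs"] for p in ps})
        # Prefer an AVC carrying the full path=; the 'read' AVC only has name=.
        target = next((f["path"] for f, _ in ev["avcs"] if "path" in f), first.get("name"))
        # permissive= is authoritative when logged; the 2014-08 record lacks it,
        # so fall back to whether the open() actually failed.
        blocked = (first["permissive"] == "0" if "permissive" in first
                   else bool(ev["syscall"]) and ev["syscall"].get("success") == "no")
        stype, ttype, tclass = type_of(first["scontext"]), type_of(first["tcontext"]), first["tclass"]
        out.append({
            "serial": serial, "comm": first["comm"], "target": target, "blocked": blocked,
            # Same shape as the 'Hash:' line setroubleshoot prints in the report.
            "hash": ",".join((first["comm"], stype, ttype, tclass, first_perms[0])),
            # What audit2allow would emit; relabeling the directory is the alternative.
            "rule": "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(all_perms)),
        })
    return out
```

Running `triage(SAMPLE_AUDIT_LOG)` shows event 419 was logged but not blocked, while 625 was denied in enforcing mode; both reduce to the same setroubleshoot hash, which is why the two reports landed on one bug.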

Comment 3 Daniel Walsh 2014-09-19 20:57:57 UTC
Is the file that usbmuxd is trying to read /var/lib/lockdown?

restorecon -vf /var/lib/lockdown

Or is there some other directory that usbmuxd is using?

Comment 4 Christopher Wawak 2014-09-20 03:04:17 UTC
Hi Daniel, thanks for taking a look!

# restorecon -vf /var/lib/lockdown
# 

# ls -lZ /var/lib | grep lockdown
drwxrwsr-x. usbmuxd  usbmuxd system_u:object_r:var_lib_t:s0   lockdown

But yeah, it's trying to read /var/lib/lockdown:

Sep 19 22:59:53 hostname usbmuxd: [22:59:53.786][1] config_get_device_record: failed to read '/var/lib/lockdown/abcdefg.plist': Permission denied

# ls -lZ /var/lib/lockdown/abcdefg.plist
-rw-r--r--. root root system_u:object_r:var_lib_t:s0   /var/lib/lockdown/abcdefg.plist

I'm unable to dig much more this weekend, but I can pick this back up next week.

Comment 5 Miroslav Grepl 2014-10-13 14:23:04 UTC
We need to backport fixes from F21.

Comment 6 Matthew Bunt 2014-10-14 15:44:43 UTC
Just confirming this bug is not present in the current alpha of F21.

Comment 7 Lukas Vrabec 2014-11-26 09:56:51 UTC
Hi,
Matthew, could you re-test this issue with the actual selinux-policy package?

Comment 8 Matthew Bunt 2014-12-31 01:45:30 UTC
(In reply to Lukas Vrabec from comment #7)
> Hi,
> Matthew, could you re-test this issue with the actual selinux-policy package?

Very sorry for the long delay. Unfortunately I am no longer running Fedora 20 and am now on Fedora 21 where this issue is not present so I cannot test.

