Description of problem: SELinux is preventing usbmuxd from 'read' accesses on the chr_file urandom. ***** Plugin catchall_boolean (47.5 confidence) suggests ****************** If you want to allow authlogin to nsswitch use ldap Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean. You can read 'None' man page for more details. Do setsebool -P authlogin_nsswitch_use_ldap 1 ***** Plugin catchall_boolean (47.5 confidence) suggests ****************** If you want to allow global to ssp Then you must tell SELinux about this by enabling the 'global_ssp' boolean. You can read 'None' man page for more details. Do setsebool -P global_ssp 1 ***** Plugin catchall (6.38 confidence) suggests ************************** If you believe that usbmuxd should be allowed read access on the urandom chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep usbmuxd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:usbmuxd_t:s0 Target Context system_u:object_r:urandom_device_t:s0 Target Objects urandom [ chr_file ] Source usbmuxd Source Path usbmuxd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-76.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.16.1-300.fc21.x86_64 #1 SMP Thu Aug 14 15:06:34 UTC 2014 x86_64 x86_64 Alert Count 1 First Seen 2014-08-28 21:32:17 CEST Last Seen 2014-08-28 21:32:17 CEST Local ID 7245811e-4ea1-4b1f-97b8-c81575fa9adc Raw Audit Messages type=AVC msg=audit(1409254337.318:774): avc: denied { read } for pid=23748 comm="usbmuxd" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0 Hash: usbmuxd,usbmuxd_t,urandom_device_t,chr_file,read Version-Release number of selected component: selinux-policy-3.13.1-76.fc21.noarch Additional info: reporter: libreport-2.2.3 hashmarkername: setroubleshoot kernel: 3.16.1-300.fc21.x86_64 type: libreport
3a052f6386734c686fb2bef3831d52369471975c adds support for this in git.
commit 3a052f6386734c686fb2bef3831d52369471975c Author: Dan Walsh <dwalsh> Date: Fri Aug 29 07:06:15 2014 -0400 Fixes for usbmuxd, addition of /var/lib/lockdown, and allow it to use urand, dontaudit sys_resource https://github.com/selinux-policy/selinux-policy/commit/3a052f6386734c686fb2bef3831d52369471975c
selinux-policy-3.13.1-79.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-79.fc21
Package selinux-policy-3.13.1-79.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-79.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-10624/selinux-policy-3.13.1-79.fc21 then log in and leave karma (feedback).
selinux-policy-3.13.1-79.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.