When I plug in my iPhone I get a bunch of usbmuxd-related selinux alerts:

Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/lockdown/SystemConfiguration.plist [ file ]
Source                        usbmuxd
Source Path                   /usr/sbin/usbmuxd
Port                          <Unknown>
Host                          edamame.cdg.redhat.com
Source RPM Packages           usbmuxd-1.0.9-0.6.c24463e.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-84.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     edamame.cdg.redhat.com
Platform                      Linux edamame.cdg.redhat.com 3.16.3-200.fc20.x86_64 #1 SMP Wed Sep 17 22:34:21 UTC 2014 x86_64 x86_64
Alert Count                   7
First Seen                    2014-10-09 09:38:36 CEST
Last Seen                     2014-10-09 09:39:39 CEST
Local ID                      df402cb0-76fd-4f3d-af4d-a5b0f8bb5e84

Raw Audit Messages
type=AVC msg=audit(1412840379.91:602): avc: denied { write } for pid=9742 comm="usbmuxd" name="SystemConfiguration.plist" dev="dm-2" ino=1217375 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1412840379.91:602): arch=x86_64 syscall=open success=no exit=EACCES a0=7de820 a1=241 a2=1b6 a3=241 items=0 ppid=1 pid=9742 auid=4294967295 uid=113 gid=113 euid=113 suid=113 fsuid=113 egid=113 sgid=113 fsgid=113 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)

Hash: usbmuxd,usbmuxd_t,var_lib_t,file,write


Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/lockdown/SystemConfiguration.plist [ file ]
Source                        usbmuxd
Source Path                   /usr/sbin/usbmuxd
Port                          <Unknown>
Host                          edamame.cdg.redhat.com
Source RPM Packages           usbmuxd-1.0.9-0.6.c24463e.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-84.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     edamame.cdg.redhat.com
Platform                      Linux edamame.cdg.redhat.com 3.16.3-200.fc20.x86_64 #1 SMP Wed Sep 17 22:34:21 UTC 2014 x86_64 x86_64
Alert Count                   26
First Seen                    2014-10-03 11:08:33 CEST
Last Seen                     2014-10-09 09:39:39 CEST
Local ID                      cce68f42-44f1-454d-bd51-12c1fd5e01fa

Raw Audit Messages
type=AVC msg=audit(1412840379.91:601): avc: denied { read } for pid=9742 comm="usbmuxd" name="SystemConfiguration.plist" dev="dm-2" ino=1217375 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1412840379.91:601): arch=x86_64 syscall=open success=no exit=EACCES a0=7de820 a1=0 a2=1b6 a3=241 items=0 ppid=1 pid=9742 auid=4294967295 uid=113 gid=113 euid=113 suid=113 fsuid=113 egid=113 sgid=113 fsgid=113 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)

Hash: usbmuxd,usbmuxd_t,var_lib_t,file,read


Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/lockdown/3b022cb97f40d986007096de3029a3dccab4b3fa.plist [ file ]
Source                        usbmuxd
Source Path                   /usr/sbin/usbmuxd
Port                          <Unknown>
Host                          edamame.cdg.redhat.com
Source RPM Packages           usbmuxd-1.0.9-0.6.c24463e.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-84.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     edamame.cdg.redhat.com
Platform                      Linux edamame.cdg.redhat.com 3.16.3-200.fc20.x86_64 #1 SMP Wed Sep 17 22:34:21 UTC 2014 x86_64 x86_64
Alert Count                   15
First Seen                    2014-10-03 11:08:33 CEST
Last Seen                     2014-10-09 09:39:29 CEST
Local ID                      1ac758fa-be42-4ae7-8ff1-ac0b3f3ded82

Raw Audit Messages
type=AVC msg=audit(1412840369.25:590): avc: denied { getattr } for pid=9749 comm="usbmuxd" path="/var/lib/lockdown/3b022cb97f40d986007096de3029a3dccab4b3fa.plist" dev="dm-2" ino=1217376 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1412840369.25:590): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fc9a4001d50 a1=7fc9b35b3cb0 a2=7fc9b35b3cb0 a3=50 items=0 ppid=1 pid=9749 auid=4294967295 uid=113 gid=113 euid=113 suid=113 fsuid=113 egid=113 sgid=113 fsgid=113 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)

Hash: usbmuxd,usbmuxd_t,var_lib_t,file,getattr


Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/lockdown/3b022cb97f40d986007096de3029a3dccab4b3fa.plist [ file ]
Source                        usbmuxd
Source Path                   /usr/sbin/usbmuxd
Port                          <Unknown>
Host                          edamame.cdg.redhat.com
Source RPM Packages           usbmuxd-1.0.9-0.6.c24463e.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-84.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     edamame.cdg.redhat.com
Platform                      Linux edamame.cdg.redhat.com 3.16.3-200.fc20.x86_64 #1 SMP Wed Sep 17 22:34:21 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-09 09:39:25 CEST
Last Seen                     2014-10-09 09:39:25 CEST
Local ID                      542b7450-75be-4293-a74f-d30b7816316f

Raw Audit Messages
type=AVC msg=audit(1412840365.31:585): avc: denied { unlink } for pid=9280 comm="usbmuxd" name="3b022cb97f40d986007096de3029a3dccab4b3fa.plist" dev="dm-2" ino=1217376 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1412840365.31:585): arch=x86_64 syscall=unlink success=no exit=EACCES a0=203a0b0 a1=0 a2=28 a3=51 items=0 ppid=1 pid=9280 auid=4294967295 uid=113 gid=113 euid=113 suid=113 fsuid=113 egid=113 sgid=113 fsgid=113 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)

Hash: usbmuxd,usbmuxd_t,var_lib_t,file,unlink

usbmuxd version is usbmuxd-1.0.9-0.6.c24463e.fc21.x86_64
Things seem better after
chcon system_u:system_r:usbmuxd_t:s0 /var/lib/lockdown
chcon system_u:system_r:usbmuxd_t:s0 /var/lib/lockdown/*
(I had tried a restorecon on this dir first but this did not change anything)

/var/lib/lockdown is not owned by any package, I don't know if that's intentional.

Actually even after doing these chcon, I still got this when unlocking my screen:

Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:system_r:usbmuxd_t:s0
Target Objects                /var/lib/lockdown [ dir ]
Source                        usbmuxd
Source Path                   /usr/sbin/usbmuxd
Port                          <Unknown>
Host                          edamame.cdg.redhat.com
Source RPM Packages           usbmuxd-1.0.9-0.6.c24463e.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-85.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     edamame.cdg.redhat.com
Platform                      Linux edamame.cdg.redhat.com 3.16.3-200.fc20.x86_64 #1 SMP Wed Sep 17 22:34:21 UTC 2014 x86_64 x86_64
Alert Count                   5
First Seen                    2014-10-09 10:32:08 CEST
Last Seen                     2014-10-09 11:59:24 CEST
Local ID                      db8d4441-d19f-4220-8b37-2287e3b95f91

Raw Audit Messages
type=AVC msg=audit(1412848764.111:983): avc: denied { setattr } for pid=10210 comm="usbmuxd" name="lockdown" dev="dm-2" ino=1217336 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:usbmuxd_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1412848764.111:983): arch=x86_64 syscall=chmod success=no exit=EACCES a0=20982b0 a1=5fd a2=7fff7af817a0 a3=20 items=0 ppid=1 pid=10210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)

Hash: usbmuxd,usbmuxd_t,usbmuxd_t,dir,setattr

(In reply to Christophe Fergeau from comment #2)
> Things seem better after
> chcon system_u:system_r:usbmuxd_t:s0 /var/lib/lockdown
> chcon system_u:system_r:usbmuxd_t:s0 /var/lib/lockdown/*
> (I had tried a restorecon on this dir first but this did not change anything)
>
> /var/lib/lockdown is not owned by any package, I don't know if that's
> intentional.

This is wrong. You assign process type instead of file type. You want to use usbmuxd_var_lib_t.

How is /var/lib/lockdown placed?

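An added example, not part of the original thread: a small triage script that separates the two labeling problems visible in the AVC records quoted above, namely files left at the generic var_lib_t type and a directory relabeled with a process context by the chcon commands. The function names and the "file objects carry role object_r" heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# AVC records copied from the alerts in this thread (SYSCALL records omitted).
SAMPLE_AVCS = '''
type=AVC msg=audit(1412840379.91:602): avc: denied { write } for pid=9742 comm="usbmuxd" name="SystemConfiguration.plist" dev="dm-2" ino=1217375 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1412840365.31:585): avc: denied { unlink } for pid=9280 comm="usbmuxd" name="3b022cb97f40d986007096de3029a3dccab4b3fa.plist" dev="dm-2" ino=1217376 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1412848764.111:983): avc: denied { setattr } for pid=10210 comm="usbmuxd" name="lockdown" dev="dm-2" ino=1217336 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:usbmuxd_t:s0 tclass=dir permissive=0
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Object classes that live on a filesystem and therefore need a *file* type.
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file"}

def parse_avcs(text):
    """Return one dict per AVC denial found in raw audit text."""
    denials = []
    for m in AVC_RE.finditer(text):
        _, _, s_type = m["scontext"].split(":")[:3]
        _, t_role, t_type = m["tcontext"].split(":")[:3]
        denials.append({"perms": m["perms"].split(), "stype": s_type,
                        "trole": t_role, "ttype": t_type, "tclass": m["tclass"]})
    return denials

def diagnose(d):
    """Classify a denial by the labeling mistake it points to (heuristic)."""
    if d["tclass"] in FILE_CLASSES:
        # A file or directory with a role other than object_r was labeled
        # with a process context, e.g. by chcon system_u:system_r:...
        if d["trole"] != "object_r" or d["ttype"] == d["stype"]:
            return "process-context-on-file"
        # Generic /var/lib label: no dedicated file type was ever applied.
        if d["ttype"] == "var_lib_t":
            return "generic-var-lib-label"
    return "other"

def summarize(text):
    """Group denied permissions by (diagnosis, source type, target type, class)."""
    groups = defaultdict(set)
    for d in parse_avcs(text):
        groups[(diagnose(d), d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}
```

Where policy has no file-context rule for the directory, a local rule such as `semanage fcontext -a -t usbmuxd_var_lib_t '/var/lib/lockdown(/.*)?'` followed by `restorecon -Rv /var/lib/lockdown` applies the file type named in the comment above persistently, which chcon alone does not.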
> > /var/lib/lockdown is not owned by any package, I don't know if that's
> > intentional.
>
> This is wrong. You assign process type instead of file type. You want to use
> usbmuxd_var_lib_t.

I've not made any changes to the SELinux bits whatsoever

> How is /var/lib/lockdown placed?

What do you mean by this?

(In reply to Peter Robinson from comment #5)
> > > /var/lib/lockdown is not owned by any package, I don't know if that's
> > > intentional.
> >
> > This is wrong. You assign process type instead of file type. You want to use
> > usbmuxd_var_lib_t.
>
> I've not made any changes to the SELinux bits whatsoever
>
> > How is /var/lib/lockdown placed?
>
> What do you mean by this?

Does it come from usbmuxd?

> Does it come from usbmuxd?

We don't package it, and it's never been referenced before. It might be something that's created or new in the re-arch that happened with the last release but at a quick code grep I couldn't see anything.

It's referenced userpref_get_config_dir() in libimobiledevice/common/userpref.c, but I could not find what creates it.

(In reply to Miroslav Grepl from comment #4)
> This is wrong. You assign process type instead of file type. You want to use
> usbmuxd_var_lib_t.
>

Not surprising that it's totally wrong, I'm very clueless about selinux ;)

(In reply to Christophe Fergeau from comment #8)
> It's referenced userpref_get_config_dir() in
> libimobiledevice/common/userpref.c, but I could not find what creates it.

Ah, libimobiledevice, I was mostly looking in *usbmux and libplist. There's a new upstream release just out, I'm going to build it and its deps today so it might be worth re-testing with that to ensure we only need to do it once.

So the new release is on its way to F-21 as part of the gnome 3.14.1 update as there were some cross dependencies.

Christophe: I'm going to dupe this bug to the F-20 so it's all tracked in the one place. The latest version is now available in F-21 updates-testing so if you could test that and provide the details on the other bug that would be fab. We'll get it fixed against the latest release (everyone will want it for iOS8 support)

*** This bug has been marked as a duplicate of bug 1128477 ***