Bug 1150920 - SELinux alerts when plugging in an iphone
Summary: SELinux alerts when plugging in an iphone
Keywords:
Status: CLOSED DUPLICATE of bug 1128477
Alias: None
Product: Fedora
Classification: Fedora
Component: usbmuxd
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Peter Robinson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-10-09 08:04 UTC by Christophe Fergeau
Modified: 2014-10-17 09:37 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-17 09:37:56 UTC
Type: Bug
Embargoed:



Description Christophe Fergeau 2014-10-09 08:04:45 UTC
When I plug in my iPhone I get a bunch of usbmuxd-related SELinux alerts:


Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/lockdown/SystemConfiguration.plist [ file
                              ]
Source                        usbmuxd
Source Path                   /usr/sbin/usbmuxd
Port                          <Unknown>
Host                          edamame.cdg.redhat.com
Source RPM Packages           usbmuxd-1.0.9-0.6.c24463e.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-84.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     edamame.cdg.redhat.com
Platform                      Linux edamame.cdg.redhat.com
                              3.16.3-200.fc20.x86_64 #1 SMP Wed Sep 17 22:34:21
                              UTC 2014 x86_64 x86_64
Alert Count                   7
First Seen                    2014-10-09 09:38:36 CEST
Last Seen                     2014-10-09 09:39:39 CEST
Local ID                      df402cb0-76fd-4f3d-af4d-a5b0f8bb5e84

Raw Audit Messages
type=AVC msg=audit(1412840379.91:602): avc:  denied  { write } for  pid=9742 comm="usbmuxd" name="SystemConfiguration.plist" dev="dm-2" ino=1217375 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1412840379.91:602): arch=x86_64 syscall=open success=no exit=EACCES a0=7de820 a1=241 a2=1b6 a3=241 items=0 ppid=1 pid=9742 auid=4294967295 uid=113 gid=113 euid=113 suid=113 fsuid=113 egid=113 sgid=113 fsgid=113 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)

Hash: usbmuxd,usbmuxd_t,var_lib_t,file,write




Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/lockdown/SystemConfiguration.plist [ file
                              ]
Source                        usbmuxd
Source Path                   /usr/sbin/usbmuxd
Port                          <Unknown>
Host                          edamame.cdg.redhat.com
Source RPM Packages           usbmuxd-1.0.9-0.6.c24463e.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-84.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     edamame.cdg.redhat.com
Platform                      Linux edamame.cdg.redhat.com
                              3.16.3-200.fc20.x86_64 #1 SMP Wed Sep 17 22:34:21
                              UTC 2014 x86_64 x86_64
Alert Count                   26
First Seen                    2014-10-03 11:08:33 CEST
Last Seen                     2014-10-09 09:39:39 CEST
Local ID                      cce68f42-44f1-454d-bd51-12c1fd5e01fa

Raw Audit Messages
type=AVC msg=audit(1412840379.91:601): avc:  denied  { read } for  pid=9742 comm="usbmuxd" name="SystemConfiguration.plist" dev="dm-2" ino=1217375 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1412840379.91:601): arch=x86_64 syscall=open success=no exit=EACCES a0=7de820 a1=0 a2=1b6 a3=241 items=0 ppid=1 pid=9742 auid=4294967295 uid=113 gid=113 euid=113 suid=113 fsuid=113 egid=113 sgid=113 fsgid=113 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)

Hash: usbmuxd,usbmuxd_t,var_lib_t,file,read



Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/lockdown/3b022cb97f40d986007096de3029a3dc
                              cab4b3fa.plist [ file ]
Source                        usbmuxd
Source Path                   /usr/sbin/usbmuxd
Port                          <Unknown>
Host                          edamame.cdg.redhat.com
Source RPM Packages           usbmuxd-1.0.9-0.6.c24463e.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-84.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     edamame.cdg.redhat.com
Platform                      Linux edamame.cdg.redhat.com
                              3.16.3-200.fc20.x86_64 #1 SMP Wed Sep 17 22:34:21
                              UTC 2014 x86_64 x86_64
Alert Count                   15
First Seen                    2014-10-03 11:08:33 CEST
Last Seen                     2014-10-09 09:39:29 CEST
Local ID                      1ac758fa-be42-4ae7-8ff1-ac0b3f3ded82

Raw Audit Messages
type=AVC msg=audit(1412840369.25:590): avc:  denied  { getattr } for  pid=9749 comm="usbmuxd" path="/var/lib/lockdown/3b022cb97f40d986007096de3029a3dccab4b3fa.plist" dev="dm-2" ino=1217376 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1412840369.25:590): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fc9a4001d50 a1=7fc9b35b3cb0 a2=7fc9b35b3cb0 a3=50 items=0 ppid=1 pid=9749 auid=4294967295 uid=113 gid=113 euid=113 suid=113 fsuid=113 egid=113 sgid=113 fsgid=113 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)

Hash: usbmuxd,usbmuxd_t,var_lib_t,file,getattr

Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/lockdown/3b022cb97f40d986007096de3029a3dc
                              cab4b3fa.plist [ file ]
Source                        usbmuxd
Source Path                   /usr/sbin/usbmuxd
Port                          <Unknown>
Host                          edamame.cdg.redhat.com
Source RPM Packages           usbmuxd-1.0.9-0.6.c24463e.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-84.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     edamame.cdg.redhat.com
Platform                      Linux edamame.cdg.redhat.com
                              3.16.3-200.fc20.x86_64 #1 SMP Wed Sep 17 22:34:21
                              UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-09 09:39:25 CEST
Last Seen                     2014-10-09 09:39:25 CEST
Local ID                      542b7450-75be-4293-a74f-d30b7816316f

Raw Audit Messages
type=AVC msg=audit(1412840365.31:585): avc:  denied  { unlink } for  pid=9280 comm="usbmuxd" name="3b022cb97f40d986007096de3029a3dccab4b3fa.plist" dev="dm-2" ino=1217376 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1412840365.31:585): arch=x86_64 syscall=unlink success=no exit=EACCES a0=203a0b0 a1=0 a2=28 a3=51 items=0 ppid=1 pid=9280 auid=4294967295 uid=113 gid=113 euid=113 suid=113 fsuid=113 egid=113 sgid=113 fsgid=113 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)

Hash: usbmuxd,usbmuxd_t,var_lib_t,file,unlink

Comment 1 Christophe Fergeau 2014-10-09 08:05:57 UTC
usbmuxd version is usbmuxd-1.0.9-0.6.c24463e.fc21.x86_64

Comment 2 Christophe Fergeau 2014-10-09 08:36:51 UTC
Things seem better after
chcon system_u:system_r:usbmuxd_t:s0 /var/lib/lockdown
chcon system_u:system_r:usbmuxd_t:s0 /var/lib/lockdown/*
(I had tried a restorecon on this dir first but this did not change anything)

/var/lib/lockdown is not owned by any package, I don't know if that's intentional.

Comment 3 Christophe Fergeau 2014-10-09 10:01:06 UTC
Actually even after doing these chcon, I still got this when unlocking my screen:

Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:system_r:usbmuxd_t:s0
Target Objects                /var/lib/lockdown [ dir ]
Source                        usbmuxd
Source Path                   /usr/sbin/usbmuxd
Port                          <Unknown>
Host                          edamame.cdg.redhat.com
Source RPM Packages           usbmuxd-1.0.9-0.6.c24463e.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-85.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     edamame.cdg.redhat.com
Platform                      Linux edamame.cdg.redhat.com
                              3.16.3-200.fc20.x86_64 #1 SMP Wed Sep 17 22:34:21
                              UTC 2014 x86_64 x86_64
Alert Count                   5
First Seen                    2014-10-09 10:32:08 CEST
Last Seen                     2014-10-09 11:59:24 CEST
Local ID                      db8d4441-d19f-4220-8b37-2287e3b95f91

Raw Audit Messages
type=AVC msg=audit(1412848764.111:983): avc:  denied  { setattr } for  pid=10210 comm="usbmuxd" name="lockdown" dev="dm-2" ino=1217336 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:usbmuxd_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1412848764.111:983): arch=x86_64 syscall=chmod success=no exit=EACCES a0=20982b0 a1=5fd a2=7fff7af817a0 a3=20 items=0 ppid=1 pid=10210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)

Hash: usbmuxd,usbmuxd_t,usbmuxd_t,dir,setattr

Comment 4 Miroslav Grepl 2014-10-14 13:01:41 UTC
(In reply to Christophe Fergeau from comment #2)
> Things seem better after
> chcon system_u:system_r:usbmuxd_t:s0 /var/lib/lockdown
> chcon system_u:system_r:usbmuxd_t:s0 /var/lib/lockdown/*
> (I had tried a restorecon on this dir first but this did not change anything)
> 
> /var/lib/lockdown is not owned by any package, I don't know if that's
> intentional.

This is wrong. You are assigning a process type instead of a file type. You want to use usbmuxd_var_lib_t.

How is /var/lib/lockdown placed?
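The distinction drawn here (process type versus file type) is visible in the denial records themselves: a file or directory normally carries the object_r role, so a target context like system_u:system_r:usbmuxd_t:s0 on a dir (comment 3) is the fingerprint of a chcon with a domain type. As an added example, not part of this bug report, the following Python parser reads the AVC lines quoted above, summarizes each denial, and flags objects labeled with a process type; the field names in the returned dict are my own choice.

```python
import re

# AVC records copied from this bug report (description and comment 3).
AVC_LINES = [
    'type=AVC msg=audit(1412840379.91:602): avc:  denied  { write } for  pid=9742 comm="usbmuxd" name="SystemConfiguration.plist" dev="dm-2" ino=1217375 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1412840369.25:590): avc:  denied  { getattr } for  pid=9749 comm="usbmuxd" path="/var/lib/lockdown/3b022cb97f40d986007096de3029a3dccab4b3fa.plist" dev="dm-2" ino=1217376 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1412848764.111:983): avc:  denied  { setattr } for  pid=10210 comm="usbmuxd" name="lockdown" dev="dm-2" ino=1217336 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:usbmuxd_t:s0 tclass=dir permissive=0',
]
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    src = m.group('scontext').split(':')  # user:role:type:level
    tgt = m.group('tcontext').split(':')
    return {
        'comm': fields.get('comm', '?'),
        'perms': m.group('perms').split(),
        'source_type': src[2],
        'target_role': tgt[1],
        'target_type': tgt[2],
        'tclass': m.group('tclass'),
        'object': fields.get('path') or fields.get('name', '?'),  # full path or basename
    }

def labeled_with_domain(d):
    """True when a file/dir object carries a process role (system_r) rather than
    object_r, i.e. it was relabeled with a domain type such as usbmuxd_t."""
    return d['tclass'] in ('file', 'dir') and d['target_role'] != 'object_r'

def summarize(lines):
    """One readable line per denial, flagging objects labeled with a domain type."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        note = ''
        if labeled_with_domain(d):
            note = '  <- labeled with a process type; use a file type (usbmuxd_var_lib_t)'
        out.append('%s (%s) denied %s on %s %s [%s]%s' % (
            d['comm'], d['source_type'], ','.join(d['perms']),
            d['tclass'], d['object'], d['target_type'], note))
    return out
```

Running summarize(AVC_LINES) reports the first two denials as plain var_lib_t mislabels and flags only the third, the directory that comment 2's chcon gave the usbmuxd_t domain type.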

Comment 5 Peter Robinson 2014-10-14 13:26:07 UTC
> > /var/lib/lockdown is not owned by any package, I don't know if that's
> > intentional.
> 
> This is wrong. You are assigning a process type instead of a file type. You want to use
> usbmuxd_var_lib_t.

I've not made any changes to the SELinux bits whatsoever.

> How is /var/lib/lockdown placed?

What do you mean by this?

Comment 6 Miroslav Grepl 2014-10-14 13:57:41 UTC
(In reply to Peter Robinson from comment #5)
> > > /var/lib/lockdown is not owned by any package, I don't know if that's
> > > intentional.
> > 
> > This is wrong. You are assigning a process type instead of a file type. You want to use
> > usbmuxd_var_lib_t.
> 
> I've not made any changes to the SELinux bits whatsoever.
> 
> > How is /var/lib/lockdown placed?
> 
> What do you mean by this?

Does it come from usbmuxd?

Comment 7 Peter Robinson 2014-10-14 14:02:34 UTC
> Does it come from usbmuxd?

We don't package it, and it's never been referenced before. It might be something that's created or new in the re-arch that happened with the last release but at a quick code grep I couldn't see anything.

Comment 8 Christophe Fergeau 2014-10-15 07:40:30 UTC
It's referenced in userpref_get_config_dir() in libimobiledevice/common/userpref.c, but I could not find what creates it.

Comment 9 Christophe Fergeau 2014-10-15 07:41:10 UTC
(In reply to Miroslav Grepl from comment #4)
> This is wrong. You assign process type instead of file type. You want to use
> usbmuxd_var_lib_t.
> 

Not surprising that it's totally wrong, I'm very clueless about selinux ;)

Comment 10 Peter Robinson 2014-10-15 08:05:37 UTC
(In reply to Christophe Fergeau from comment #8)
> It's referenced userpref_get_config_dir() in
> libimobiledevice/common/userpref.c , but I could not find what creates it.

Ah, libimobiledevice, I was mostly looking in *usbmux and libplist.

There's a new upstream release just out. I'm going to build it and its deps today, so it might be worth re-testing with that to ensure we only need to do it once.

Comment 11 Peter Robinson 2014-10-15 16:21:07 UTC
So the new release is on its way to F-21 as part of the gnome 3.14.1 update, as there were some cross dependencies.

Comment 12 Peter Robinson 2014-10-17 09:37:56 UTC
Christophe: I'm going to dupe this bug to the F-20 one so it's all tracked in the one place. The latest version is now available in F-21 updates-testing, so if you could test that and provide the details on the other bug that would be fab. We'll get it fixed against the latest release (everyone will want it for iOS8 support).

*** This bug has been marked as a duplicate of bug 1128477 ***

