Description of problem:

How to reproduce:
1. Plug in iPhone using USB cable connecting to PC.
2. Turn on Personal Hotspot on the iPhone.

Expected result:
1. No SELinux alert.
2. PC connects to the personal hotspot network via USB.

Actual result:
1. SELinux alert.

Additional comments:
- It used to work on F20 without issues after SELinux updates a few weeks back.
- Even following the SELinux troubleshooter's suggestion to add the locally generated 'MyPol' policy from audit2allow does not fix the problem, so there could be something else that has been broken as well in the updates.

SELinux is preventing /usr/sbin/usbmuxd from using the 'fowner' capabilities.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that usbmuxd should have the fowner capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep usbmuxd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:system_r:usbmuxd_t:s0
Target Objects                [ capability ]
Source                        usbmuxd
Source Path                   /usr/sbin/usbmuxd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           usbmuxd-1.0.9-0.6.c24463e.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-183.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.4-200.fc20.x86_64 #1 SMP Mon Oct 6 12:57:00 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-10-14 23:32:19 SGT
Last Seen                     2014-10-14 23:36:40 SGT
Local ID                      e55750ff-1f69-4017-afd4-40b3175dfe67

Raw Audit Messages
type=AVC msg=audit(1413301000.462:504): avc: denied { fowner } for pid=3663 comm="usbmuxd" capability=3 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:usbmuxd_t:s0 tclass=capability permissive=0

type=SYSCALL msg=audit(1413301000.462:504): arch=x86_64 syscall=chmod success=no exit=EPERM a0=125f4a0 a1=5fd a2=7fff3b1ebab0 a3=0 items=0 ppid=1 pid=3663 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)

Hash: usbmuxd,usbmuxd_t,usbmuxd_t,capability,fowner

Additional info:
reporter: libreport-2.2.3
hashmarkername: setroubleshoot
kernel: 3.16.4-200.fc20.x86_64
type: libreport
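
Added example (not part of the original report, and not setroubleshoot's or audit2allow's own code): a small parser that pairs the AVC and SYSCALL records of the event above by serial number, decodes the chmod mode argument, and prints the denial in allow-rule form so the requested access can be reviewed before any local module is loaded. The function names are hypothetical; the two records are copied from the report.

```python
import re

# Raw audit records copied from the report above (one event, two records).
RAW = """\
type=AVC msg=audit(1413301000.462:504): avc: denied { fowner } for pid=3663 comm="usbmuxd" capability=3 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:usbmuxd_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1413301000.462:504): arch=x86_64 syscall=chmod success=no exit=EPERM a0=125f4a0 a1=5fd a2=7fff3b1ebab0 a3=0 items=0 ppid=1 pid=3663 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
PERMS = re.compile(r"\{ ([^}]+) \}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event serial number: {serial: {type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            perms = PERMS.search(body)
            fields["perms"] = perms.group(1).split() if perms else []
        events.setdefault(int(serial), {})[rtype] = fields
    return events

def explain(event):
    """Summarise one denial: allow-rule form, enforcement state, syscall context."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    # An SELinux context is user:role:type:level; the type is what policy rules name.
    src, tgt = avc["scontext"].split(":")[2], avc["tcontext"].split(":")[2]
    target = "self" if src == tgt else tgt
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    result = {"rule": f"allow {src} {target}:{avc['tclass']} {perm_str};",
              "enforced": avc.get("permissive") == "0",
              "syscall": sc.get("syscall")}
    if sc.get("syscall") == "chmod":
        # Syscall arguments are logged in hex; a1 is the mode passed to chmod.
        result["mode"] = oct(int(sc["a1"], 16))
    return result

if __name__ == "__main__":
    for serial, event in parse_events(RAW).items():
        print(serial, explain(event))
```

For this event the mode decodes to 2775 (setgid plus rwxrwxr-x), and the process is denied CAP_FOWNER, the capability a chmod needs when the caller does not own the file.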
We have this in F21.
commit 9fd6bce90233e39a1190f2bab340c21d1c84fb98
Author: Lukas Vrabec <lvrabec>
Date:   Wed Oct 15 11:15:03 2014 +0200

    Add fowner cap in usbmuxd_t BZ (1152662)
selinux-policy-3.12.1-192.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-192.fc20
Created attachment 949440: ipheth connection timed out

I have downloaded and installed this selinux-policy-3.12.1-192.fc20 from koji into my system.

# yum list installed selinux-policy*
Loaded plugins: langpacks, refresh-packagekit
Installed Packages
selinux-policy.noarch             3.12.1-192.fc20    installed
selinux-policy-devel.noarch       3.12.1-192.fc20    installed
selinux-policy-doc.noarch         3.12.1-192.fc20    installed
selinux-policy-targeted.noarch    3.12.1-192.fc20    installed

Now the SELinux alert does not pop up anymore, however, the USB network connection is still not working. In my additional comments above I have suggested that there could be other thing(s) being broken by the previous update. I just noticed some journal entries that could be related to this problem. See attached.
Package selinux-policy-3.12.1-192.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-192.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13495/selinux-policy-3.12.1-192.fc20
then log in and leave karma (feedback).
I have left feedback as requested. So what do I do next? Do I need to open another bug for the USB network connection problem? I still have journal entries around September where they show the ipheth was still working in my F20 system. Let me know if I need to attach those as well.
selinux-policy-3.12.1-192.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Are there any humans besides me reading this :)
Could you attach audit.log? I added usbmuxd guys, for help.
Created attachment 951989: audit.log

Attached is my audit.log as requested. Thanks.
Description of problem:
Connect iPhone 4s to USB

Additional info:
reporter: libreport-2.2.3
hashmarkername: setroubleshoot
kernel: 3.16.6-200.fc20.x86_64
type: libreport
Hi, In your audit log, there are no AVCs.
Created attachment 953089: audit.log.2

Not sure if I understand you correctly. Do you expect to see the past AVCs from before I installed the revised selinux-policy package? After installing the package, I don't get an SELinux alert anymore though the USB connection is broken. In any case, if you need the one with AVCs, they are in the rotated audit.log.2 and audit.log.4. Attached is the audit.log.2 for your perusal.
OK, I understand you. Can you re-test it in permissive mode? Type:

# setenforce 0

And try if USB connection is still broken. Thank you.
Created attachment 955648: usbmuxd sealert in permissive mode

In enforcing mode, I do not get any sealert anymore when connecting my iPhone via USB as I explained before. However, after setenforce 0, I get a new sealert from usbmuxd. Please see attached. Following the instruction to add mypol does not help (it only helps to suppress the alert but USB network connection is still not working), so I reverted it again.

I got plenty of timeout entries from ipheth in my journal while doing the above test.

Nov 10 08:25:18 igloo kernel: ipheth 2-1.2.1.2.1.4:4.2: ipheth_tx_timeout: TX timeout
Nov 10 08:25:28 igloo kernel: ipheth 2-1.2.1.2.1.4:4.2: ipheth_tx_timeout: TX timeout
Nov 10 08:25:37 igloo kernel: ipheth 2-1.2.1.2.1.4:4.2: ipheth_sndbulk_callback: urb status: -71
Nov 10 08:25:37 igloo kernel: ipheth 2-1.2.1.2.1.4:4.2: ipheth_rcvbulk_callback: urb status: -71
Any help here?
The timeouts look to be a kernel issue but it's likely a bad cable or connection or similar.
IMHO, that's not the root cause. I have just tried with another cable and by connecting it directly to the computer USB port. Still no joy there.

Note that the USB connection was working just fine a few months ago, even with a cheap Chinese-made cable connecting to a USB hub which is connected to a KVM switch with USB port connecting to my computer.
(In reply to Yao Wei Tjong from comment #18)
> IMHO, that's not the root cause. I have just tried with another cable and by
> connecting it directly to the computer USB port. Still no joy there.
>
> Note that, the USB connection was working just fine a few months ago, even
> with a cheap Chinese-made cable connecting to a USB hub which is connected
> to a KVM switch with USB port connecting to my computer.

Were you using the same kernel then and now?
I can say for sure it was not. When I first realized the USB connection was broken, I did try to boot to an older kernel but the problem persisted. I only keep one old kernel so I could not try using other older kernels. It is possible that the kernel had been updated more than once before I realized the USB connection was broken because I only do tethering once in a while.
There was a kernel update a few days ago. Currently I am running 3.17.3-200.fc20.x86_64 and it seems to resolve my issue. The ipheth works as it did before again :)

Here is the journal output when it works. Notice the timeout entries are gone.

$ journalctl -b |grep ipheth
Nov 26 11:56:55 igloo kernel: ipheth 2-1.2.1.2.1.4:4.2: Apple iPhone USB Ethernet device attached
Nov 26 11:56:55 igloo kernel: usbcore: registered new interface driver ipheth
Nov 26 11:56:56 igloo NetworkManager[1206]: <info> (eth0): new Ethernet device (driver: 'ipheth' ifindex: 4)

As it works for me now, I close my issue.