Bug 996294 - SELinux is preventing /usr/sbin/usbmuxd from 'bind' accesses on the netlink_kobject_uevent_socket .
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:662648a2d43c7a62e1963632d7e...
Duplicates: 996141 997644
Reported: 2013-08-12 21:01 UTC by Mark in UK
Modified: 2013-08-22 00:54 UTC (History)

Fixed In Version: selinux-policy-3.12.1-71.fc19
Doc Type: Bug Fix
Last Closed: 2013-08-22 00:54:40 UTC

Description Mark in UK 2013-08-12 21:01:43 UTC
Description of problem:
Connecting an iPad via USB after upgrading to Fedora 19

Worked perfectly in Fedora 18
SELinux is preventing /usr/sbin/usbmuxd from 'bind' accesses on the netlink_kobject_uevent_socket .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that usbmuxd should be allowed bind access on the  netlink_kobject_uevent_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep usbmuxd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:system_r:usbmuxd_t:s0
Target Objects                 [ netlink_kobject_uevent_socket ]
Source                        usbmuxd
Source Path                   /usr/sbin/usbmuxd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           usbmuxd-1.0.8-7.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-69.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.5-201.fc19.x86_64 #1 SMP Wed
                              Aug 7 16:25:24 UTC 2013 x86_64 x86_64
Alert Count                   3
First Seen                    2013-08-12 21:25:44 BST
Last Seen                     2013-08-12 21:45:14 BST
Local ID                      22112d6b-4c38-4239-91ed-95f84685435c

Raw Audit Messages
type=AVC msg=audit(1376340314.673:576): avc:  denied  { bind } for  pid=8507 comm="usbmuxd" scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:usbmuxd_t:s0 tclass=netlink_kobject_uevent_socket


type=SYSCALL msg=audit(1376340314.673:576): arch=x86_64 syscall=bind success=no exit=EACCES a0=5 a1=2106510 a2=c a3=7fff1fdf50d0 items=0 ppid=1 pid=8507 auid=4294967295 uid=113 gid=113 euid=113 suid=113 fsuid=113 egid=113 sgid=113 fsgid=113 ses=4294967295 tty=(none) comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)

Hash: usbmuxd,usbmuxd_t,usbmuxd_t,netlink_kobject_uevent_socket,bind

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.5-201.fc19.x86_64
type:           libreport

Comment 1 Daniel Walsh 2013-08-13 21:44:41 UTC
88ea30f1ecf6f361c7baa56305ec4ad8f38c1940 fixes this in git.

Comment 2 Daniel Walsh 2013-08-13 22:10:09 UTC
*** Bug 996141 has been marked as a duplicate of this bug. ***

Comment 3 Moe Ell 2013-08-14 23:33:38 UTC
Same issue here.

But with iPhone 4G.

SELinux is preventing /usr/sbin/usbmuxd from getattr access on the netlink_kobject_uevent_socket .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that usbmuxd should be allowed getattr access on the  netlink_kobject_uevent_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep usbmuxd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:system_r:usbmuxd_t:s0
Target Objects                 [ netlink_kobject_uevent_socket ]
Source                        usbmuxd
Source Path                   /usr/sbin/usbmuxd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           usbmuxd-1.0.8-7.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-69.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.10.5-201.fc19.x86_64
                              #1 SMP Wed Aug 7 16:25:24 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-08-15 00:27:53 UTC
Last Seen                     2013-08-15 00:27:53 UTC
Local ID                      a8b16b75-ac58-414f-8b35-b85d1a856666

Raw Audit Messages
type=AVC msg=audit(1376526473.662:993): avc:  denied  { getattr } for  pid=9541 comm="usbmuxd" scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:usbmuxd_t:s0 tclass=netlink_kobject_uevent_socket


type=SYSCALL msg=audit(1376526473.662:993): arch=x86_64 syscall=getsockname success=yes exit=0 a0=5 a1=7fff80925360 a2=7fff8092535c a3=7fff80924300 items=0 ppid=1 pid=9541 auid=4294967295 uid=113 gid=113 euid=113 suid=113 fsuid=113 egid=113 sgid=113 fsgid=113 ses=4294967295 tty=(none) comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null)

Hash: usbmuxd,usbmuxd_t,usbmuxd_t,netlink_kobject_uevent_socket,getattr



Additional information:
kernel-3.10.3-300.fc19.x86_64

Comment 4 Daniel Walsh 2013-08-15 18:33:13 UTC
We have a fix in git. Should be fixed in selinux-policy-3.12.1-71.fc19.noarch

Comment 5 David Timms 2013-08-15 21:15:18 UTC
*** Bug 997644 has been marked as a duplicate of this bug. ***

Comment 6 Moe Ell 2013-08-15 21:23:34 UTC
(In reply to Daniel Walsh from comment #4)
> We have a fix in git,  Should be fixed in
> selinux-policy-3.12.1-71.fc19.noarch

What does GIT stand for?
And where can I find that package?

Thanks!

Comment 7 Daniel Walsh 2013-08-16 18:02:38 UTC
Git is the upstream repository for Fedora Policy.  Miroslav will backport the fix into F19 in the next update.

Comment 8 Moe Ell 2013-08-17 01:26:06 UTC
Thanks for the explanation.
Can those packages be downloaded prior to their release?
If yes, where can I find them?

Thanks, Mr. Walsh, for your prompt responses.

Comment 9 Daniel Walsh 2013-08-17 10:44:46 UTC
Miroslav was on vacation; he should probably be working on this early next week.  Then you will be able to grab it from updates-testing.

If you need the fix now you can use the audit2allow solution.
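
The audit2allow workaround builds a local module only from denials already present in the audit log. As an added example (not part of the original thread and not audit2allow's own code; the function names are hypothetical), the Python below derives allow rules from the two AVC records quoted in this report so they can be reviewed before anything is loaded:

```python
import re
from collections import defaultdict

# AVC records from this report (description and comment 3), plus an abridged
# SYSCALL record to show that non-AVC lines are skipped.
AUDIT_LINES = [
    'type=AVC msg=audit(1376340314.673:576): avc:  denied  { bind } for  '
    'pid=8507 comm="usbmuxd" scontext=system_u:system_r:usbmuxd_t:s0 '
    'tcontext=system_u:system_r:usbmuxd_t:s0 '
    'tclass=netlink_kobject_uevent_socket',
    'type=SYSCALL msg=audit(1376340314.673:576): arch=x86_64 syscall=bind '
    'success=no exit=EACCES comm=usbmuxd exe=/usr/sbin/usbmuxd',
    'type=AVC msg=audit(1376526473.662:993): avc:  denied  { getattr } for  '
    'pid=9541 comm="usbmuxd" scontext=system_u:system_r:usbmuxd_t:s0 '
    'tcontext=system_u:system_r:usbmuxd_t:s0 '
    'tclass=netlink_kobject_uevent_socket',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)')

def ctx_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(':')[2]

def collect_denials(lines):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            key = (ctx_type(m['src']), ctx_type(m['tgt']), m['cls'])
            denials[key].update(m['perms'].split())
    return denials

def allow_rules(lines):
    """Render one allow rule per (source, target, class) seen in the log."""
    rules = []
    for (src, tgt, cls), perms in sorted(collect_denials(lines).items()):
        target = 'self' if src == tgt else tgt
        names = ' '.join(sorted(perms))
        perm_text = names if len(perms) == 1 else '{ ' + names + ' }'
        rules.append(f'allow {src} {target}:{cls} {perm_text};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(AUDIT_LINES)))
```

With only the enforcing-mode record from the description, the rule grants `bind` alone; adding the permissive-mode record from comment 3 widens it to `{ bind getattr }`. Review the generated rules before running `semodule -i`.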

Comment 10 Will Foster 2013-08-17 13:37:30 UTC
Description of problem:
When enabling USB power savings, SELinux complains.  When trying to set SELinux to allow
access it doesn't seem to work

== enabling usb autosuspend ==
cd /etc/udev/rules.d/
touch usb_power_save.rules
# contents of usb_power_save.rules:
ACTION=="add", SUBSYSTEM=="usb", TEST=="power/control", ATTR{power/control}="auto"
ACTION=="add", SUBSYSTEM=="usb", TEST=="power/autosuspend", ATTR{power/autosuspend}="2"

== selinux recommended policy fix ==
grep usbmuxd /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

** this seems to work initially but after reboot or some amount of time in suspend/resume it complains again.

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.6-200.fc19.x86_64
type:           libreport

Comment 11 Jonathan Gazeley 2013-08-18 21:27:10 UTC
Description of problem:
Connected an iPhone 5 to the computer

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.6-200.fc19.x86_64
type:           libreport

Comment 12 Miroslav Grepl 2013-08-20 08:15:48 UTC
A new build is done.

http://koji.fedoraproject.org/koji/buildinfo?buildID=457610

Comment 13 Fedora Update System 2013-08-20 08:27:53 UTC
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19

Comment 14 Fedora Update System 2013-08-21 00:16:47 UTC
Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19
then log in and leave karma (feedback).

Comment 15 Fedora Update System 2013-08-22 00:54:40 UTC
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

