rust-u2f
Creating UHID device fails on Fedora Build
Bug Description
The program fails to load on Fedora (or other distros with SELinux[^1] in enforcement mode). It fails silently with the following[^2] message:
fedora system-daemon[133194]: frame decoded from buffer
fedora system-daemon[133194]: Running getpwuid_r for user #1000
fedora system-daemon[133194]: Loading user with uid 1000
fedora system-daemon[133194]: Creating UHID virtual U2F device
fedora system-daemon[133194]: Relaying create device response, success:false
fedora system-daemon[133194]: Creating UHID device failed: I/O error: Permission denied (os error 13)
fedora system-daemon[133194]: flushing framed transport
fedora system-daemon[133194]: writing;
fedora system-daemon[133194]: framed transport flushed
fedora system-daemon[133194]: Spawned handler finished with: Err(Io(Os { code: 13, kind: PermissionDenied, message: "Permission denied" }))
Further details
- I was building the repository from source using the included Makefile, according to the directions in the README.
- I had some trouble installing the package using the instructions in the README. I kept getting stuff along the lines of: pygpgme could not be installed. This means GPG verification is not possible for any RPM installed on your system... etc.
- This seems to be an issue with other repositories that use PackageCloud.
- I uninstalled this before continuing.
- It didn't work when I first started testing, I kept getting the error above in the logs.
SELinux Workaround
- Uninstall rust-u2f with the Makefile. Make sure everything is as stock as possible.
- Go to the linux directory in the project. Run make install. Then:
sudo ausearch -m avc -ts recent | audit2allow
- Check the rule generated actually references uhid_devices. Mine looked like this:
allow init_t uhid_device_t:chr_file { open read write };
- Apply the rule.
sudo ausearch -m avc -ts recent | audit2allow -M rust-softu2f
sudo semodule -i rust-softu2f.pp
- Then, make uninstall && make install again, should work now. Verify by listing the SELinux policies and checking the output of journalctl as normal.
Environment
- OS: Fedora 39 Kernel 6.5.6-300.fc39.x86_64
- SELinux: Enforcing
- Browser: Mozilla Firefox
Reproduction
- Try to build the project following README instructions on Fedora 39 (SELinux in enforcing mode), testing with WebAuthn on Mozilla Firefox.
I don't know whether this is in scope or not, I'm mainly writing this for people trying to Google this issue. Maybe we could add something to the README or bundle some SELinux policies with the repo? Again, I'm not sure. Let me know if you want any more detail/logs/reproduction tips etc.
[^1]: When I tried to fix this for the first time (just modifying chmod), SELinux blocked my changes.
[^2]: From journalctl -f -u softu2f
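
An added example, not part of the original issue or the rust-u2f project: `audit2allow` turns every denial returned by `ausearch -ts recent` into an allow rule, so this sketch automates the "check the rule" step by refusing to build the module unless every generated rule is the `init_t` to `uhid_device_t` rule quoted in the report. The function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: audit2allow output containing only the expected rule.
SAMPLE_OK='#============= init_t ==============
allow init_t uhid_device_t:chr_file { open read write };'
# Constructed sample: an unrelated denial was also captured in the window.
SAMPLE_MIXED='allow init_t uhid_device_t:chr_file { open read write };
allow init_t user_home_t:file { read write };'

# Read audit2allow output on stdin. Succeed only if there is at least one
# allow rule and every allow rule is init_t -> uhid_device_t:chr_file with
# no permission other than open, read or write.
check_uhid_rules() {
    awk '
        $1 == "allow" {
            seen = 1
            if ($2 != "init_t" || $3 != "uhid_device_t:chr_file") { bad = 1; next }
            perms = 0
            for (i = 4; i <= NF; i++) {
                p = $i
                gsub(/[{};]/, "", p)      # strip braces and the trailing semicolon
                if (p == "") continue
                perms++
                if (p != "open" && p != "read" && p != "write") bad = 1
            }
            if (perms == 0) bad = 1
        }
        END { exit ((seen && !bad) ? 0 : 1) }
    '
}

# Capture the denials once, vet the generated rules, then build and load the
# module from the same capture (commands as given in the report).
install_uhid_module() {
    avc=$(mktemp) || return 1
    sudo ausearch -m avc -ts recent > "$avc" || { rm -f "$avc"; return 1; }
    if audit2allow < "$avc" | check_uhid_rules; then
        audit2allow -M rust-softu2f < "$avc" && sudo semodule -i rust-softu2f.pp
        rc=$?
    else
        echo "unexpected rules, review before loading:" >&2
        audit2allow < "$avc" >&2
        rc=1
    fi
    rm -f "$avc"
    return "$rc"
}
```

Run `install_uhid_module` right after `make install` has triggered the denial; if it prints unexpected rules, narrow the capture before loading anything.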