danstiner / rust-u2f

U2F security token emulator written in Rust
Apache License 2.0

Creating UHID device fails on Fedora Build #122

Open DeeGeeTill opened 7 months ago

DeeGeeTill commented 7 months ago

Bug Description

The program fails to load on Fedora (or other distros with SELinux[^1] in enforcement mode). It fails silently with the following[^2] message:

fedora system-daemon[133194]: frame decoded from buffer
fedora system-daemon[133194]: Running getpwuid_r for user #1000
fedora system-daemon[133194]: Loading user with uid 1000
fedora system-daemon[133194]: Creating UHID virtual U2F device
fedora system-daemon[133194]: Relaying create device response, success:false
fedora system-daemon[133194]: Creating UHID device failed: I/O error: Permission denied (os error 13)
fedora system-daemon[133194]: flushing framed transport
fedora system-daemon[133194]: writing;
fedora system-daemon[133194]: framed transport flushed
fedora system-daemon[133194]: Spawned handler finished with: Err(Io(Os { code: 13, kind: PermissionDenied, message: "Permission denied" }))

Further details

SELinux Workaround

  1. Uninstall rust-u2f with the Makefile. Make sure everything is as stock as possible.
  2. Go to the linux directory in the project. Run make install. Then:
    sudo ausearch -m avc -ts recent | audit2allow
  3. Check the rule generated actually references uhid_devices. Mine looked like this:
    allow init_t uhid_device_t:chr_file { open read write };
  4. Apply the rule.
    sudo ausearch -m avc -ts recent | audit2allow -M rust-softu2f
    sudo semodule -i rust-softu2f.pp
  5. Then, make uninstall && make install again, should work now. Verify by listing the SELinux policies and checking the output of journalctl as normal.

Environment

Reproduction


I don't know whether this is in scope or not, I'm mainly writing this for people trying to Google this issue. Maybe we could add something to the README or bundle some SELinux policies with the repo? Again, I'm not sure. Let me know if you want any more detail/logs/reproduction tips etc.

[^1]: When I tried to fix this for the first time (just modifying chmod), SELinux blocked my changes.
[^2]: From journalctl -f -u softu2f
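Editor's added example for step 3 of the workaround above; it is not code from the rust-u2f project or from the commenter. `ausearch -m avc -ts recent` returns every denial from the last ten minutes, so piping it straight into `audit2allow -M` can bake unrelated denials into the same module. The script below keeps only AVC records whose target type is `uhid_device_t` on class `chr_file`, merges the denied permissions per source domain into one `allow` rule, and emits a minimal `.te` module that requires exactly the types and permissions it uses. The AVC lines in `SAMPLE_AVC` are constructed to look like `ausearch` output (the third line is a deliberately unrelated denial that must be dropped); they were not captured from a real system. Also note that `init_t` is systemd's own domain, so the generated rule is broader than a dedicated domain for the daemon would be; it matches what the commenter's `audit2allow` produced.

```shell
#!/bin/sh
# Added example (not from the rust-u2f project): filter AVC denials down to the
# /dev/uhid node before generating an SELinux policy module for them.

# Constructed sample of `sudo ausearch -m avc -ts recent` output; not real data.
# Lines 1-2: the daemon (running as init_t) is denied read/write and open on
# /dev/uhid (uhid_device_t). Line 3: an unrelated denial that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1713422000.123:4567): avc:  denied  { read write } for  pid=133194 comm="system-daemon" path="/dev/uhid" dev="devtmpfs" ino=1234 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1713422000.124:4568): avc:  denied  { open } for  pid=133194 comm="system-daemon" path="/dev/uhid" dev="devtmpfs" ino=1234 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1713422100.500:4600): avc:  denied  { read } for  pid=2222 comm="foo" name="secret" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# Keep only AVC records whose target is the UHID character device node.
uhid_avc_only() {
    grep -E 'tcontext=[^ ]*:uhid_device_t:' | grep -E 'tclass=chr_file'
}

# One `allow <domain> uhid_device_t:chr_file { ... };` per source domain, with
# the denied permissions of all matching records merged and sorted.
uhid_allow_rules() {
    uhid_avc_only | awk '
    {
        perms = $0
        sub(/.*denied[ \t]+[{][ \t]*/, "", perms)   # text after "denied {"
        sub(/[ \t]*[}].*/, "", perms)               # text before "}"
        if (match($0, /scontext=[^ ]+/)) {
            sctx = substr($0, RSTART + 9, RLENGTH - 9)   # user:role:type:level
            split(sctx, parts, ":")
            n = split(perms, p, /[ \t]+/)
            for (i = 1; i <= n; i++) print parts[3], p[i]   # "<type> <perm>"
        }
    }' | sort -u | awk '
    $1 != cur { if (cur != "") print "allow " cur " uhid_device_t:chr_file {" acc " };"; cur = $1; acc = "" }
    { acc = acc " " $2 }
    END { if (cur != "") print "allow " cur " uhid_device_t:chr_file {" acc " };" }'
}

# Emit a minimal policy module source (.te) containing only those rules.
# Returns 1 when no uhid_device_t denial is present, so nothing is granted by accident.
uhid_policy_module() {
    name=${1:-rust-softu2f}
    rules=$(uhid_allow_rules)
    if [ -z "$rules" ]; then
        echo "no uhid_device_t denials found; nothing to allow" >&2
        return 1
    fi
    perms=$(printf '%s\n' "$rules" | sed 's/.*{ //; s/ };//' | tr ' ' '\n' | sort -u | tr '\n' ' ')
    printf 'module %s 1.0;\n\nrequire {\n    type uhid_device_t;\n' "$name"
    printf '%s\n' "$rules" | awk '{ print "    type " $2 ";" }'
    printf '    class chr_file { %s};\n}\n\n%s\n' "$perms" "$rules"
}

# Stand-alone run on the constructed sample. On a live system you would use:
#   sudo ausearch -m avc -ts recent | sh this_script.sh   (or call the function)
printf '%s\n' "$SAMPLE_AVC" | uhid_policy_module rust-softu2f
```

The resulting `.te` can be compiled and installed with the usual `checkmodule -M -m -o rust-softu2f.mod rust-softu2f.te`, `semodule_package -o rust-softu2f.pp -m rust-softu2f.mod`, `sudo semodule -i rust-softu2f.pp` sequence, and `sudo semodule -l | grep rust-softu2f` confirms it is loaded. The value of the filter is visible in the sample: the `shadow_t` denial never reaches the module.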

DeeGeeTill commented 7 months ago

Update

After the computer is rebooted, everything stops working with a new error this time. Error 19?

Apr 18 08:42:19 fedora system-daemon[20055]: Starting rust-u2f system daemon
Apr 18 08:42:19 fedora system-daemon[20055]: LISTEN_PID = Ok("20055"); LISTEN_FDS = Ok("1")
Apr 18 08:42:19 fedora system-daemon[20055]: SocketServer: accepted stream
Apr 18 08:42:19 fedora system-daemon[20055]: ConnectionHandler::call
Apr 18 08:42:19 fedora system-daemon[20055]: SocketServer: Spawned handler for stream
Apr 18 08:42:19 fedora system-daemon[20055]: Handler ready, waiting for it to complete
Apr 18 08:42:19 fedora system-daemon[20055]: Handling connection
Apr 18 08:42:19 fedora system-daemon[20055]: Ready to create UHID device
Apr 18 08:42:19 fedora system-daemon[20055]: attempting to decode a frame
Apr 18 08:42:19 fedora system-daemon[20055]: frame decoded from buffer
Apr 18 08:42:19 fedora system-daemon[20055]: Running getpwuid_r for user #1000
Apr 18 08:42:19 fedora system-daemon[20055]: Loading user with uid 1000
Apr 18 08:42:19 fedora system-daemon[20055]: Creating UHID virtual U2F device
Apr 18 08:42:19 fedora system-daemon[20055]: Relaying create device response, success:false
Apr 18 08:42:19 fedora system-daemon[20055]: "Creating UHID device failed: I/O error: No such device (os error 19)"
Apr 18 08:42:19 fedora system-daemon[20055]: flushing framed transport
Apr 18 08:42:19 fedora system-daemon[20055]: writing;
Apr 18 08:42:19 fedora system-daemon[20055]: framed transport flushed
Apr 18 08:42:19 fedora system-daemon[20055]: thread 'tokio-runtime-worker' panicked at linux/system-daemon/src/socket_server.rs:73:33:
Apr 18 08:42:19 fedora system-daemon[20055]: not yet implemented
Apr 18 08:42:19 fedora system-daemon[20055]: note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Apr 18 08:42:19 fedora system-daemon[20055]: Spawned handler finished with: Err(Io(Os { code: 19, kind: Uncategorized, message: "No such device" }))

Note: quotations added for emphasis

This is strange, /dev/uhid definitely does exist, so I've no clue what this could be. My other troubleshooting has come up completely empty, sadly.

g@fedora:~/Documents/Programming/rust-u2f/linux$ ls -l /dev/uhid
crw-------. 1 root root 10, 239 Apr 18 06:41 /dev/uhid
g@fedora:~/Documents/Programming/rust-u2f/linux$ dmesg | grep uhid
g@fedora:~/Documents/Programming/rust-u2f/linux$ sudo ausearch -m avc -ts recent | grep uhid
<no matches>