Usbguard problems on Silverblue: should I restore defaults?

I followed boredsquirrel’s guide to layer usbguard, usbguard-notifier and usbguard-selinux to rpm-ostree, and set up some rules around commonly connected objects.
I did this because USBguard seemed like the most acknowledged option for usb security.

I didn’t know that GNOME came with usbguard, I didn’t know that usbguard was so unfriendly to a non-technical audience, and I now realize that documentation around this software is obscure and unreadable enough that it might not have been worth it for me.

Now a lot of issues are cropping up, especially with iOS devices that I need to back up. They fail to connect every time. Also, other user profiles won’t let USBs connect.

After failed man-page-reading attempts and hours spent in console, I’d like to either

  1. reset usbguard completely to GNOME defaults (possibly especially worth it if a USBguard UI is on the way)
  2. at least figure something out to make the iOS device connect every time and/or get it working on other profiles
  3. and should I unlayer usbguard from the ostree? If so, should I keep the others?

I’d appreciate any help!

Guides I tried to read and apply:
Boredsquirrel’s Guide
Redhat’s guide
USBguard’s rule language page

I have been using usbguard (configured to default-deny devices) on a GNOME desktop for years without problems. I have also tried it out on Silverblue and didn’t see any sticky problems either. In case there is anything I can help with, please write more details about the problems you are seeing.
General tips for a machine with usbguard installed:

  • I noticed that installing usbguard-notifier helped improve the usability a lot, you might want to try it. Apart from that, I am used to executing usbguard list-devices and usbguard allow-device in a terminal.
  • You can permanently allow a device by executing usbguard list-devices, find the ID in the list (probably the only device that is “blocked”), then execute usbguard allow-device --permanent [ID]. You should never need to allow this device again. (This is also part of boredsquirrel’s guide)
  • In case the iOS device is switching behavior a lot, you could (temporarily) allow all devices by executing something like usbguard set-parameter InsertedDevicePolicy allow and maybe also usbguard set-parameter ImplicitPolicyTarget allow. If you are backing up iOS devices from a script, you could make those commands part of your script.

Do the hints above help you solve this problem?

Did you change any of the configuration of usbguard or GNOME? To find this out, what do the following commands give you?

rpm -V usbguard
gsettings get org.gnome.desktop.privacy usb-protection
gsettings get org.gnome.desktop.privacy usb-protection-level

The first command lists all the config files of usbguard that are modified on your system. The other two commands are for GNOME’s settings: usb-protection defaults to true, while usb-protection-level defaults to lockscreen.

And what do you mean by “profiles”? Is this maybe because you are using multiple accounts and not all of them are configured (allowed) to communicate with the usbguard daemon? Or because you are using different desktop environments and some of them don’t support usbguard?

As a first measure, you might want to set the InsertedDevicePolicy and PresentDevicePolicy to allow (which breaks all the security measures by usbguard, obviously) to avoid locking yourself out of the machine in case something goes wrong in the next step. To apply this change, you need to restart the usbguard service.

This should be possible following these steps:

  1. Stop the usbguard daemon
  2. Delete all the USBGuard configuration you did manually in /etc/usbguard
  3. Reinstall usbguard (execute dnf reinstall usbguard as root or with sudo)
  4. Check the .rpmnew, .rpmsave, .rpmorig files in /etc/usbguard in case reinstallation of usbguard created them. rpmconf is a helpful tool for that, e.g. rpmconf -o usbguard.
  5. Reboot your machine
  6. After reboot, reset the two gsettings values mentioned above: gsettings reset org.gnome.desktop.privacy usb-protection and gsettings reset org.gnome.desktop.privacy usb-protection-level

I don’t think this should be necessary. In the default configuration with GNOME, usbguard should only block devices while you have the screen locked. As soon as the screen is unlocked and you attach a new device, it should be allowed. In other words, by default, if you only attach USB devices while the screen is unlocked, usbguard should behave as if it did not exist, always allowing all devices.
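A small shell script, added here as an example (it is not from the thread or from the usbguard project), that runs the checks suggested in the reply above: it lists the usbguard config files that rpm -V reports as modified, the IDs of currently blocked devices, and whether the two GNOME keys are still at their defaults. The sample rpm -V and usbguard list-devices output inside it is constructed (hashes shortened) and is only used when the real commands are not installed.

```shell
#!/bin/sh
# Added example (not from the thread): summarize the checks suggested above.
# Constructed samples in the formats of `rpm -V` and `usbguard list-devices`
# (hashes shortened); the live commands are used when they are available.
SAMPLE_RPMV='S.5....T.  c /etc/usbguard/usbguard-daemon.conf
S.5....T.  c /etc/usbguard/rules.conf'
SAMPLE_LIST='1: allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "AAAA" parent-hash "BBBB" via-port "usb1" with-interface 09:00:00
5: block id 05ac:12a8 serial "00008030" name "iPhone" hash "CCCC" parent-hash "AAAA" via-port "1-3" with-interface { ff:fe:02 06:01:01 }
7: block id 0781:5583 serial "4C530001" name "Ultra Fit" hash "DDDD" parent-hash "AAAA" via-port "1-4" with-interface 08:06:50'

# rpm -V marks packaged config files with a "c"; print the paths of those that changed.
modified_configs() {
    awk '$2 == "c" { print $3 }'
}

# Print the numeric IDs of devices whose current target is "block".
blocked_ids() {
    awk '$2 == "block" { sub(":", "", $1); print $1 }'
}

# Return 0 if GNOME's keys are at their defaults (usb-protection true,
# usb-protection-level lockscreen); gsettings prints strings in single quotes.
gnome_usb_defaults() {
    level=$(printf '%s' "$2" | tr -d "'")
    if [ "$1" = "true" ] && [ "$level" = "lockscreen" ]; then
        return 0
    fi
    return 1
}

if command -v usbguard >/dev/null 2>&1 && command -v gsettings >/dev/null 2>&1; then
    RPMV=$(rpm -V usbguard); LIST=$(usbguard list-devices)
    PROT=$(gsettings get org.gnome.desktop.privacy usb-protection)
    LEVEL=$(gsettings get org.gnome.desktop.privacy usb-protection-level)
else
    RPMV=$SAMPLE_RPMV; LIST=$SAMPLE_LIST; PROT=true; LEVEL="'lockscreen'"
fi

echo "Modified usbguard config files:"
printf '%s\n' "$RPMV" | modified_configs
echo "Blocked device IDs (allow one with: usbguard allow-device --permanent <ID>):"
printf '%s\n' "$LIST" | blocked_ids
if gnome_usb_defaults "$PROT" "$LEVEL"; then
    echo "GNOME USB protection keys are at their defaults."
else
    echo "GNOME keys changed: usb-protection=$PROT usb-protection-level=$LEVEL"
fi
```

On a real machine, rpm -V and usbguard list-devices may need root, so run the script with sudo to see the live values.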
