Errors from SELinux and loading 3rd party kernel modules

I am running Fedora 43. Alot of processes are getting blocked by SELinux and I have no clue what is going on, I have never tampered or had problems with it before.

journald browser showing errors1510×1018 630 KB

I have no clue what most of these applications are and why they are getting denied. It’s even warning me for one of them that it is trying to load a kernel module.

image1897×1865 179 KB

These could possibly be related to me installing a FCC Unlock fix and TLP for my laptop. No clue though.

I am also trying to connect my Xbox controller using the XOne kernel module, specifically this Copr.

I did all the steps it said, I even tried to self sign it using openssl and enroll it using the MOK key manager on reboot. Yet still it will not work.

image1643×1033 515 KB

I’ve been practically pulling my hair out because of this, so I would really appreciate if someone helped me with this.

System:
  Host: pcbcat-laptop Kernel: 6.17.0-0.rc6.49.fc43.x86_64 arch: x86_64
    bits: 64
  Desktop: KDE Plasma v: 6.4.4 Distro: Fedora Linux 43 (KDE Plasma Desktop
    Edition Prerelease)
Machine:
  Type: Laptop System: LENOVO product: 21RVCTO1WW v: ThinkPad P14s Gen 6 AMD
    serial: <superuser required>
  Mobo: LENOVO model: 21RVCTO1WW v: SDK0T76574 WIN
    serial: <superuser required> UEFI: LENOVO v: R2XET33W (1.13 )
    date: 06/03/2025
Battery:
  ID-1: BAT0 charge: 57.4 Wh (99.8%) condition: 57.5/57 Wh (100.9%)
CPU:
  Info: 12-core model: AMD Ryzen AI 9 HX PRO 370 w/ Radeon 890M bits: 64
    type: MT MCP cache: L2: 12 MiB
  Speed (MHz): avg: 605 min/max: 605/5158:3289 cores: 1: 605 2: 605 3: 605
    4: 605 5: 605 6: 605 7: 605 8: 605 9: 605 10: 605 11: 605 12: 605 13: 605
    14: 605 15: 605 16: 605 17: 605 18: 605 19: 605 20: 605 21: 605 22: 605
    23: 605 24: 605
Graphics:
  Device-1: Advanced Micro Devices [AMD/ATI] Strix [Radeon 880M / 890M]
    driver: amdgpu v: kernel
  Device-2: Chicony Integrated Camera driver: uvcvideo type: USB
  Display: wayland server: Xwayland v: 24.1.8 compositor: kwin_wayland
    driver: gpu: amdgpu resolution: 1920x1200~60Hz
  API: EGL v: 1.5 drivers: kms_swrast,radeonsi,swrast
    platforms: gbm,wayland,x11,surfaceless,device
  API: OpenGL v: 4.6 compat-v: 4.5 vendor: amd mesa v: 25.2.2 renderer: AMD
    Radeon 890M Graphics (radeonsi gfx1150 LLVM 21.1.0 DRM 3.64
    6.17.0-0.rc6.49.fc43.x86_64)
  API: Vulkan v: 1.4.321 drivers: radv,llvmpipe surfaces: N/A
  Info: Tools: api: clinfo, eglinfo, glxinfo, vulkaninfo
    de: kscreen-console,kscreen-doctor wl: wayland-info x11: xdriinfo,
    xdpyinfo, xprop, xrandr
Audio:
  Device-1: Advanced Micro Devices [AMD/ATI] Radeon High Definition Audio
    [Rembrandt/Strix] driver: snd_hda_intel
  Device-2: Advanced Micro Devices [AMD] Audio Coprocessor
    driver: snd_acp_pci
  Device-3: Advanced Micro Devices [AMD] Family 17h/19h/1ah HD Audio
    driver: snd_hda_intel
  API: ALSA v: k6.17.0-0.rc6.49.fc43.x86_64 status: kernel-api
  Server-1: PipeWire v: 1.4.8 status: active
Network:
  Device-1: MEDIATEK driver: mt7925e
  IF: wlp194s0 state: up mac: 66:8d:f9:06:a5:a1
  Device-2: Realtek RTL8111/8168/8211/8411 PCI Express Gigabit Ethernet
    driver: r8169
  IF: enp195s0f0 state: down mac: c8:53:09:fb:67:f9
  IF-ID-1: wg0-mullvad state: unknown speed: N/A duplex: N/A mac: N/A
  IF-ID-2: wwan0 state: unknown mac: N/A
Bluetooth:
  Device-1: MediaTek Wireless_Device driver: btusb type: USB
  Report: btmgmt ID: hci0 state: up address: AC:F2:3C:61:53:F6 bt-v: 5.4
Drives:
  Local Storage: total: 1.86 TiB used: 117.11 GiB (6.1%)
  ID-1: /dev/nvme0n1 vendor: SK Hynix model: HFS002TEJ9X162N size: 1.86 TiB
Partition:
  ID-1: / size: 1.86 TiB used: 116.53 GiB (6.1%) fs: btrfs dev: /dev/dm-0
  ID-2: /boot size: 973.4 MiB used: 572.2 MiB (58.8%) fs: ext4
    dev: /dev/nvme0n1p2
  ID-3: /boot/efi size: 598.8 MiB used: 19.3 MiB (3.2%) fs: vfat
    dev: /dev/nvme0n1p1
  ID-4: /home size: 1.86 TiB used: 116.53 GiB (6.1%) fs: btrfs
    dev: /dev/dm-0
Swap:
  ID-1: swap-1 type: zram size: 8 GiB used: 0 KiB (0.0%) dev: /dev/zram0
Sensors:
  System Temperatures: cpu: 45.0 C mobo: N/A
  Fan Speeds (rpm): fan-1: 0 fan-2: 2370
Info:
  Memory: total: 88 GiB available: 86.05 GiB used: 5.36 GiB (6.2%)
  Processes: 567 Uptime: 12m Shell: Bash inxi: 3.3.39

FC43 is currently in testing as I’m sure you know; if you’re hitting issues which are show-stoppers for you and preventing you from working, F42 might be a safer option until November when 43 will be released…

I always run with selinux disabled

sudo grubby --update-kernel=ALL --args='selinux=0'

wpa_supplicant is used for wifi

As the modules loading, maybe ditch the gamepad until the issue is fixed.

Did you enrol a key the the failed modules?, see /usr/share/doc/akmods/README.secureboot

I upgraded to FC43 because no one is packaging NetworkManager version 1.23.2 or newer, which the FCC fix requires. I was going to try building from source, but I could not find the repository for the package.

I heard that was not recommended and not secure, is it really that important or can I also disable it?

I might just try and use xpadneo as it is refrenced in the docs. I picked xone because it is actively maintained and is a newer replacement to xpadneo.

Yes, I have also checked to see if they are there.

pcbcat@pcbcat-laptop:~$ mokutil --list-enrolled | grep Issuer
        Issuer: C=US, ST=Massachusetts, L=Cambridge, O=Red Hat, Inc., OU=Fedora Secure Boot CA 20200709, CN=fedoraca
                CA Issuers - URI:https://fedoraproject.org/wiki/Features/SecureBoot
        Issuer: CN=XOne Module Signing Key (Unofficial)

The method I used to make the key and sign the modules was the following:

openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -outform DER -keyout XONESKEY.priv -out XONESKEY.der -subj "/CN=XOne Module Signing Key (Unofficial)/"

cd /lib/modules/6.17.0-0.rc6.49.fc43.x86_64/extra/xone 

for module in *.ko.xz; do
  sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ~/mok-keys/MOK.priv ~/mok-keys/MOK.der "$module"
done

That’s fair enough; if you need it, you need it. I can’t afford to not have a working system so having a plethora of failures as you have would be a major pain for me - I’d end up doing as Leigh suggests and turning off selinux until stuff stabilises…

I might downgrade anyways, because the fix doesn’t even work. It will just spit out FCC unlock failed from a unknown process. As for SELinux and TLP, no idea if it will work when downgraded.

So it turns out, downgrading from 43 to 42 is not supported from what I’ve heard. So I would need to do a whole reinstall. How can I transfer all of my settings and data to be in the next install?

I’ll try to resist the smug “just restore your backup… you have a backup, right” line, but essentially, you’re looking at making sure you have a copy of your home directory (and anywhere else you have stashed data that you need to keep but will be zapped by a full install, and only you know what and where that stuff is).

At the very least, you’ll want your home directory, a list f of any additional packages you’ve installed, a list of add-ons or extensions for your browser, a reminder of any specific changes that won’t get pickled up with a restore of your ~/.config directory that a vital to you and double check that you know any passwords, passphrases or anything else that might get autofilled for you… just in case.

Back all that stuff up to a USB/external media/Dropbox/Google/wherever. Then double check it. Twice. (Ask me how I know).

Restore the older version

Fire it up for a while - long enough to feel that it’s working OK for you.

I then work my way through the backup starting with ~.config, restoring stuff on a case by case basis… If I have to endure this pain, then I might as well have a spring clear out of stuff I no longer use or have no need for.

Good luck - treat it not as a massive ball ache, but as a cathartic spring-cleaning…