Issue with SELinux and iio-sensor-prox in Fedora 42

rosti · June 4, 2025, 8:08am

Hi there,

After some recent dnf upgrade a few days ago I see the following errors from SELinux, related to some issue with the iio-sensor-prox. Is it a known issue and somebody already working to fix it?

$ journalctl -b -1 -p 0..3
Jun 04 10:31:46 fedora kernel: iwlwifi 0000:00:14.3: BIOS contains WGDS but no WRDS
Jun 04 10:31:46 fedora kernel: iwlwifi 0000:00:14.3: Not valid error log pointer 0x0024B5C0 for RT uCode
Jun 04 10:31:47 fedora bluetoothd[1192]: Failed to set mode: Failed (0x03)
Jun 04 10:31:50 fedora setroubleshoot[1460]: SELinux is preventing iio-sensor-prox from using the sys_admin capability. For complete SELinux messages run: sealert -l 20433fd0-5269-4cfe-bc69-6a00c31c11fe
Jun 04 10:31:51 fedora setroubleshoot[1460]: SELinux is preventing iio-sensor-prox from using the sys_admin capability. For complete SELinux messages run: sealert -l 20433fd0-5269-4cfe-bc69-6a00c31c11fe
Jun 04 10:31:51 fedora setroubleshoot[1460]: SELinux is preventing iio-sensor-prox from using the sys_admin capability. For complete SELinux messages run: sealert -l 20433fd0-5269-4cfe-bc69-6a00c31c11fe
Jun 04 10:31:51 fedora setroubleshoot[1460]: SELinux is preventing iio-sensor-prox from using the sys_admin capability. For complete SELinux messages run: sealert -l 20433fd0-5269-4cfe-bc69-6a00c31c11fe
Jun 04 10:31:51 fedora setroubleshoot[1460]: SELinux is preventing iio-sensor-prox from using the sys_admin capability. For complete SELinux messages run: sealert -l 20433fd0-5269-4cfe-bc69-6a00c31c11fe
Jun 04 10:31:51 fedora setroubleshoot[1460]: SELinux is preventing iio-sensor-prox from using the sys_admin capability. For complete SELinux messages run: sealert -l 20433fd0-5269-4cfe-bc69-6a00c31c11fe
Jun 04 10:31:51 fedora setroubleshoot[1460]: SELinux is preventing iio-sensor-prox from using the sys_admin capability. For complete SELinux messages run: sealert -l 20433fd0-5269-4cfe-bc69-6a00c31c11fe
Jun 04 10:31:51 fedora setroubleshoot[1460]: SELinux is preventing iio-sensor-prox from using the sys_admin capability. For complete SELinux messages run: sealert -l 20433fd0-5269-4cfe-bc69-6a00c31c11fe
Jun 04 10:31:51 fedora setroubleshoot[1460]: SELinux is preventing iio-sensor-prox from using the sys_admin capability. For complete SELinux messages run: sealert -l 20433fd0-5269-4cfe-bc69-6a00c31c11fe
Jun 04 10:31:51 fedora setroubleshoot[1460]: SELinux is preventing iio-sensor-prox from using the sys_admin capability. For complete SELinux messages run: sealert -l 20433fd0-5269-4cfe-bc69-6a00c31c11fe
Jun 04 10:32:14 fedora lightdm[1541]: gkr-pam: unable to locate daemon control file

computersavvy · June 4, 2025, 11:53am

At the end of each those SELinux lines there is info about how to obtain more detail on the errors.
for complete SELinux messages run: sealert -l 20433fd0-5269-4cfe-bc69-6a00c31c11fe

Have you tried that? and if so what (detailed) information was returned?

rosti · June 4, 2025, 2:41pm

I already removed the old alerts but after each reboot a new one is always created:

$ sealert -l f9695e61-70b0-4d18-9ebb-0b1279a2f3ab
SELinux is preventing iio-sensor-prox from using the sys_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that iio-sensor-prox should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'iio-sensor-prox' --raw | audit2allow -M my-iiosensorprox
# semodule -X 300 -i my-iiosensorprox.pp


Additional Information:
Source Context                system_u:system_r:iiosensorproxy_t:s0
Target Context                system_u:system_r:iiosensorproxy_t:s0
Target Objects                Unknown [ capability ]
Source                        iio-sensor-prox
Source Path                   iio-sensor-prox
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.41-1.fc42.noarch
Local Policy RPM              selinux-policy-targeted-41.41-1.fc42.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.14.9-300.fc42.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu May 29 14:27:53 UTC 2025
                              x86_64
Alert Count                   10
First Seen                    2025-06-04 17:35:20 IDT
Last Seen                     2025-06-04 17:35:20 IDT
Local ID                      f9695e61-70b0-4d18-9ebb-0b1279a2f3ab

Raw Audit Messages
type=AVC msg=audit(1749047720.616:124): avc:  denied  { sys_admin } for  pid=1193 comm="iio-sensor-prox" capability=21  scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability permissive=0


Hash: iio-sensor-prox,iiosensorproxy_t,iiosensorproxy_t,capability,sys_admin

rosti · June 4, 2025, 2:44pm

BTW why it’s iio-sensor-prox and not iio-sensor-proxy? Looks like a typo. The real package name is longer: iio-sensor-proxy - Fedora Packages

Topic		Replies	Views
SELinux security alert keeps flashing and makes fedora useless Ask Fedora selinux , f41	7	554	November 11, 2024
Repeated security messages from SELinux Ask Fedora kde , flatpak , selinux	29	2400	June 28, 2024
Iio-sensor-proxy fails to enable sensor after update Ask Fedora update	1	1102	November 9, 2024
Errors running podman containers on Fedora IoT 35 Ask Fedora f35 , selinux , iot	10	2119	December 19, 2021
SELinux issue sometimes when installing packages using DNF Ask Fedora cinnamon , selinux	3	1279	December 12, 2021

Issue with SELinux and iio-sensor-prox in Fedora 42

Related topics